BREAKING
Fake ClawHub Skill Hid Malware
0
agents reached
0
malicious skills (Koi)
0
+
registered skills
How the Decoy Skill Works
1
Upload clean SKILL.md
↓
2
Pass VirusTotal scan
↓
3
Reference external URL
↓
4
Swap in payload later
0
%
low estimate
0
%
high estimate
0
skills, another campaign
Early Tactics vs New Tactics
Before Feb 2026
OLD
●
Malware embedded in skill
●
Caught by scanning
After Feb 2026
NEW
●
External hosting
●
Swappable decoy link
Verify Skills Before Install
AI NEWS BLITZ
A fake skill on OpenClaw's marketplace passed scans, then pulled malware from an external link.