BREAKING
Fake ClawHub Skill Hid Malware
0
agents reached
0
malicious skills (Koi)
0+
registered skills
How the Decoy Skill Works
1Upload clean SKILL.md
2Pass VirusTotal scan
3Reference external URL
4Swap in payload later
0%
low estimate
0%
high estimate
0
skills, another campaign
Early Tactics vs New Tactics
Before Feb 2026OLD
Malware embedded in skill
Caught by scanning
After Feb 2026NEW
External hosting
Swappable decoy link
Verify Skills Before Install
AI NEWS BLITZ
A fake skill on OpenClaw's marketplace passed scans, then pulled malware from an external link.