The OpenClaw Threat Landscape: 8 Attacks on the AI Agent Platform (2026)

Threats: TL-2026-0008, TL-2026-0019, TL-2026-0043, TL-2026-0044, TL-2026-0056, TL-2026-0136, TL-2026-0182, TL-2026-0255

Executive Summary

Threats

Critical

100K+

Users Exposed

88+

Detections

Between February and March 2026, OpenClaw became the most targeted AI agent platform in history. Eight distinct threats spanning three attack classes converged on a single framework trusted by over 100,000 developers: remote code execution via CVE-2026-25253, supply chain poisoning through 2,500+ malicious skills and packages, and social engineering leveraging Bing search poisoning, fake installers, and AI-as-intermediary techniques.

Two threats reached CRITICAL severity. Five were HIGH. One was MEDIUM. The campaign arc tells a story of rapid escalation: a CVE disclosure in late January became a multi-vector, multi-actor ecosystem attack by March. What started as a single WebSocket vulnerability evolved into coordinated campaigns deploying AMOS macOS stealer, Vidar, PureLogs, GhostSocks proxy malware, and the novel GhostLoader RAT across Windows, macOS, and Linux.

This report consolidates all eight threats into a single reference with full detection coverage in SPL, KQL, and Sigma.

What Is OpenClaw?

OpenClaw (formerly MoltBot/ClawdBot) is an open-source AI personal assistant platform that gives AI agents the ability to execute shell commands, read/write files, send messages through WhatsApp, Telegram, Discord, Slack, and Signal, fetch URLs, schedule automated tasks, and access connected services. Skills installed from ClawHub (the official registry) are loaded directly into the agent's system prompt with full tool access.

This capability model made OpenClaw extraordinarily useful and extraordinarily dangerous. As OpenClaw's own security team acknowledged: "Running an AI agent with shell access on your machine is... spicy." Every attack in this report exploits the fundamental tension between agent utility and agent security.

Attack Timeline

Date	Event	Severity	TL-ID
Jan 20	OpenClaw goes viral on X, 100K+ rapid adoption
Jan 26	CVE-2026-25253 independently discovered by 3 researchers	HIGH	TL-0008
Jan 28	Patch merged (commit 8cb0fa9), v2026.1.29 released
Feb 2	230+ malicious skills discovered on ClawHub	HIGH	TL-0019
Feb 2	Trojanized OpenClaw installers appear on GitHub	HIGH
Feb 3	230+ password-stealing skills documented (distinct campaign)	HIGH	TL-0043
Feb 3	CVE-2026-25253 RCE via malicious link fully analyzed (CRITICAL)	CRITICAL	TL-0044
Feb 3	OpenClaw attack surface and security model documented	MEDIUM	TL-0056
Feb 9	Huntress detects Bing search poisoning driving fake installers	HIGH	TL-0182
Feb 10	Apple XProtect v5329 adds AMOS/OpenClaw YARA rule
Feb 23	Trend Micro: AMOS macOS stealer via ClawHub skills	CRITICAL	TL-0136
Feb 23	Koi Research: 341+ ClawHavoc skills, 2,200+ on GitHub
Mar 5	SKILL.md files target AI coding agent workflows
Mar 8	JFrog discovers GhostClaw npm package (@openclaw-ai/openclawai)	HIGH	TL-0255
Mar 20	Jamf: GhostClaw expands to 10+ GitHub repos, AI workflows

CVE-2026-25253: One-Click RCE

Threats: TL-2026-0008 + TL-2026-0044 | CVSS: 8.8 | CWE: CWE-669, CWE-601, CWE-346

The vulnerability chains three flaws into a one-click kill chain:

Gateway URL injection: The Control UI blindly accepts a gatewayUrl query parameter and auto-connects via WebSocket, sending the stored authentication token to the attacker-controlled server
Cross-Site WebSocket Hijacking: The WebSocket server fails to validate the Origin header, enabling the attacker to use the victim's browser as a pivot to connect back to the localhost-only gateway at ws://localhost:18789
Sandbox escape + RCE: The stolen operator.admin-scoped token allows disabling all safety guardrails (exec-approvals, sandbox containers) and executing arbitrary commands via the API

A single visit to a malicious webpage gives attackers full host compromise. No user interaction beyond the initial click. The vulnerability was independently discovered by Ethiack's Hackian AI pentester (in ~100 minutes of autonomous testing), depthfirst GSI (static analysis), and researcher @0xacb. Public PoC exploit code is available on GitHub.

Patch: Commit 8cb0fa9 adds a gateway URL confirmation modal. All users must update to v2026.1.29+ and rotate tokens.

GHSA-g8p2-7wf7-98mq | NVD | Ethiack writeup | depthfirst writeup

Supply Chain: 230+ Malicious Skills

Threats: TL-2026-0019 + TL-2026-0043 | CVSS: 7.8-8.1 | Status: ACTIVE

The first large-scale supply chain attack against an AI agent skill ecosystem. Over 230 malicious skills were published to ClawHub, GitHub, and community forums exploiting OpenClaw's trust model where installed skills receive system-level access through the AI agent.

Five Attack Vectors

Prompt injection via SKILL.md: Malicious instructions embedded in SKILL.md files override safety guardrails. Because SKILL.md content is injected directly into the system prompt, traditional code analysis tools cannot detect the threat. Skills instructed agents to silently exfiltrate openclaw.json contents, disable exec.approvals, and read MEMORY.md personal data
Bundled malicious scripts: Skills included shell scripts and Python modules that established reverse shells, installed XMRig cryptocurrency miners, exfiltrated SSH keys and AWS credentials, and modified other installed skills for persistence
Typosquatting: Malicious skills published under near-identical names (nano-bannana-pro vs legitimate nano-banana-pro, weatherr vs weather)
Name shadowing: Workspace skills override bundled skills via precedence. Malicious skills with the same names as bundled skills silently replaced legitimate versions
Metadata abuse: Skills requested unnecessary environment variables (AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN) in frontmatter metadata

Impact

API key and token exfiltration from openclaw.json
Personal data theft from MEMORY.md and memory files
Cryptocurrency mining on AI workstations (typically high-end GPU machines)
Lateral movement through connected messaging services (phishing via victim's WhatsApp/Telegram/Signal)
SSH key and credential theft from the host system
Persistent backdoors via modified agent workspace files

Known C2 domains included skill-analytics[.]com (disguised as telemetry) and clawhub-cdn[.]net (impersonating ClawHub CDN). ClawHub has since implemented skill signing, reputation scoring, and enhanced review.

AMOS macOS Stealer via Skills

Threat: TL-2026-0136 | Severity: CRITICAL | Actor: AMOS-as-a-Service operators

Trend Micro identified 39 malicious OpenClaw skills on ClawHub distributing a new Atomic macOS Stealer (AMOS) variant. This campaign represents a paradigm shift: social engineering the AI agent itself as a trusted intermediary to trick users into installing malware.

The infection chain begins with malicious SKILL.md files containing prerequisite instructions directing the AI agent to visit openclawcli[.]vercel[.]app — a fake CLI tool website. The agent fetches the installation instructions and presents them to the user. Claude Opus 4.5 identified the trick and refused to proceed, while GPT-4o either silently installed or repeatedly prompted the user.

The malicious site serves a Base64-encoded payload that decodes to a curl command fetching a Mach-O universal binary from 91.92.242[.]30. The binary runs on both Intel and Apple Silicon, exfiltrating:

Apple Keychain + KeePass credentials
Browser data from 19 browsers
150+ cryptocurrency wallet extensions
User documents via ZIP archives to socifiapp[.]com

Koi Research later documented 341+ ClawHavoc skills and 2,200+ malicious skills on GitHub, confirming this was far larger than the initial ClawHub findings.

Fake Installers: Bing Search Poisoning

Threat: TL-2026-0182 | Severity: HIGH | Discovery: Huntress

Threat actors exploited Bing AI search results to surface malicious GitHub repositories at the top of results for queries like "OpenClaw Windows." The campaign weaponized trust in both Bing and GitHub as software distribution platforms.

Windows Attack Chain

A trojanized installer named OpenClaw_x64.exe (original name: TradeAI.exe) contained largely legitimate code from Cloudflare's moltworker project to evade static analysis. A never-before-seen packer dubbed "Stealth Packer" orchestrated payload delivery with in-memory injection, Windows Firewall manipulation, hidden scheduled tasks, and anti-VM detection.

Payloads deployed:

Vidar stealer (cloudvideo.exe) — resolved C2 through Telegram channel and Steam profile
PureLogs stealer (svc_service.exe) — C2 at 185.196.9[.]98 port 56001
GhostSocks proxy (serverdrive.exe) — TLS-encrypted SOCKS5 backconnect at 147.45.197[.]92
AMOS (macOS variant) — universal Mach-O targeting cross-platform developers

GitHub removed the malicious repositories within 8 hours of the Huntress report. Apple released XProtect v5329 with YARA rule MACOS.SOMA.CLBIFEA blocking the AMOS variant. Microsoft later adjusted Bing AI to return OpenClaw's official site.

GhostClaw Campaign

Threat: TL-2026-0255 | Severity: HIGH | Actor: helenigtxu (operator handle) | Status: ACTIVE

The most recent campaign (March 2026) distributes GhostLoader RAT through malicious GitHub repositories and npm packages. JFrog discovered the malicious @openclaw-ai/openclawai npm package (v1.5.14-1.5.15) with postinstall hooks deploying GhostLoader.

Attack Chain

Lure: 10+ GitHub repositories across trading bots, SDKs, AI integrations, gaming tools. Accounts staged since January with benign code to build credibility
SKILL.md targeting: Files added targeting AI coding agents (OpenClaw, ZeroClaw, PicoClaw), enabling infection without direct user interaction
Delivery: curl|bash install scripts and npm postinstall hooks deploy multi-stage payload
GhostLoader: Full RAT with SOCKS5 proxy, browser session cloning via Chrome DevTools Protocol, and NUKE self-destruct anti-forensics

Exfiltration Channels

Primary: trackpipe[.]dev C2 (confirmed still active as of March 15)
Secondary: Telegram Bot API for archives under 49MB
Tertiary: GoFile.io for large archives

GhostLoader steals credentials, crypto wallets (BIP-39 seed phrase detection), SSH keys, browser data, and cloud tokens (AWS, Azure, GCP, GitHub, npm). The campaign used AES-256-GCM encryption and had 178 npm downloads before removal.

Framework Security Model

Threat: TL-2026-0056 | Severity: MEDIUM | Category: AI Security Assessment

OpenClaw's comprehensive attack surface includes five categories that every enterprise deploying AI agents must address:

Prompt injection — Direct injection (user messages), indirect injection (fetched web content), and tool argument injection. The least solvable attack class because AI agents interpret natural language
Authentication and access control — AllowFrom bypass, gateway exposure on 0.0.0.0 without auth, API key exposure in auth-profiles.json, cross-session access, node execution via system.run
Data security — Session logs on disk, system prompt disclosure, MEMORY.md leakage, workspace file exposure
Infrastructure — SSRF via web_fetch (cloud metadata at 169.254.169.254), CDP browser control exposure, dangerouslyDisableDeviceAuth misconfiguration
Supply chain — Malicious ClawHub skills, untrusted plugins executing in-process

OpenClaw's defense philosophy: "Assume the model can be manipulated; design so manipulation has limited blast radius." The platform provides openclaw security audit tooling and a formal 4-phase security program led by Jamieson O'Reilly (Dvuln): Transparency, Product Security Roadmap, Code Review, and Security Triage.

Detection Rules

Threadlinqs Intelligence provides 88+ detection rules across all 8 threats. Below are representative rules covering the primary attack vectors.

CVE-2026-25253 — Malicious GatewayUrl Parameter

SPLindex=proxy sourcetype=proxy OR index=web sourcetype=access_combined
| where match(url, "(?i)openclaw|moltbot|clawdbot")
| where match(url, "(?i)gatewayUrl=")
| rex field=url "gatewayUrl=(?<gateway_target>[^&]+)"
| where NOT match(gateway_target, "(?i)(localhost|127\.0\.0\.1|::1)")
| stats count values(gateway_target) as targets by src_ip, user, url
| eval alert_severity="CRITICAL"
| eval alert_reason="OpenClaw exploit attempt - malicious gatewayUrl parameter detected"

CVE-2026-25253 — CSWSH Pivot Detection

KQLlet openclaw_ports = dynamic([18789, 18788]);
let external_connections = DeviceNetworkEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| where RemotePort in (80, 443)
| where not(RemoteUrl has_any ("localhost", "127.0.0.1"))
| project ExtTime=Timestamp, DeviceId, DeviceName, InitiatingProcessId,
    ExternalDomain=RemoteUrl;
let localhost_ws = DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort in (openclaw_ports)
| where RemoteUrl has_any ("localhost", "127.0.0.1")
| project WsTime=Timestamp, DeviceId, InitiatingProcessId, RemotePort;
external_connections
| join kind=inner (localhost_ws) on DeviceId, InitiatingProcessId
| where WsTime between (ExtTime .. (ExtTime + 5m))
| project DeviceName, ExternalDomain, RemotePort, ExtTime, WsTime

AMOS Supply Chain — Base64 Decode-to-Bash and C2

KQLlet base64 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_all ("base64", "-D", "bash")
| extend Signal = "base64_decode_bash", Score = 50;
let curl_c2 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName == "curl"
| where ProcessCommandLine has "91.92.242"
| extend Signal = "amos_c2_curl", Score = 50;
let fake_cli = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("openclawcli", "openclawupdater", "clawhub-installer")
| extend Signal = "fake_cli_download", Score = 45;
union base64, curl_c2, fake_cli
| summarize TotalScore=sum(Score), Signals=make_set(Signal) by DeviceName
| where TotalScore >= 50

Supply Chain — Reverse Shell from Skill Script

SIGMAtitle: Reverse Shell from OpenClaw Skill Script Execution
id: tl-2026-0019-lin-01
status: experimental
date: 2026/02/11
author: Shannon (Threadlinqs)
description: |
    Detects reverse shell establishment from OpenClaw skill script execution.
references:
    - https://intel.threadlinqs.com/#TL-2026-0019
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentCommandLine|contains: 'openclaw'
    selection_revshell:
        CommandLine|contains:
            - '/dev/tcp/'
            - 'bash -i'
            - 'nc -e'
            - 'python -c'
            - 'import socket'
    condition: selection_parent and selection_revshell
falsepositives:
    - None - reverse shell from OpenClaw is always malicious
level: critical
tags:
    - attack.execution
    - attack.t1059.004

GhostClaw — Credential Harvesting and Exfiltration

KQLunion DeviceProcessEvents, DeviceFileEvents
| where Timestamp > ago(24h)
| where (ProcessCommandLine has "dscl" and ProcessCommandLine has "-authonly")
    or (ProcessCommandLine has_any ("find-generic-password", "dump-keychain"))
    or (ProcessCommandLine has_any ("Login Data", "logins.json", "Cookies")
        and ProcessCommandLine has_any ("Chrome", "Brave", "Edge", "Firefox"))
    or (FolderPath has_any ("exodus", "electrum", "atomic")
        or ProcessCommandLine has_any ("metamask", "phantom", "solflare"))
    or (FolderPath has ".ssh" and FileName in ("id_rsa", "id_ed25519"))
| summarize SignalCount=count(), Signals=make_set(FileName) by DeviceName, bin(Timestamp, 10m)
| where SignalCount >= 3

GhostClaw — Malicious npm Package

SIGMAtitle: GhostClaw Malicious npm Package Installation
id: c3f9e5a6-b7d8-4012-cdef-123456780003
status: experimental
description: |
    Detects installation of malicious @openclaw-ai/openclawai npm package
    and execution of known GhostClaw dropper files.
references:
    - https://research.jfrog.com/post/ghostclaw-unmasked/
    - https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/
author: AII-Detector - ThreadLinqs Intelligence
date: 2026/03/20
logsource:
    category: process_creation
detection:
    selection_npm:
        CommandLine|contains:
            - '@openclaw-ai/openclawai'
            - 'openclawai@1.5.14'
            - 'openclawai@1.5.15'
    selection_env:
        CommandLine|contains:
            - 'GHOST_PASSWORD_ONLY'
            - 'NODE_CHANNEL'
    condition: selection_npm or selection_env
falsepositives:
    - None
level: critical
tags:
    - attack.initial_access
    - attack.t1195.002

Browse all 88+ detection rules across 8 threats: View on Threadlinqs Intelligence

Indicators of Compromise

Network Indicators

Type	Indicator	Context
Domain	`trackpipe[.]dev`	GhostClaw/GhostLoader primary C2
Domain	`openclawcli[.]vercel[.]app`	Fake CLI site serving AMOS payload
Domain	`socifiapp[.]com`	AMOS exfiltration server (/api/reports/upload)
Domain	`skill-analytics[.]com`	Supply chain C2 disguised as telemetry
Domain	`clawhub-cdn[.]net`	Attacker domain impersonating ClawHub
IP	`91.92.242[.]30`	AMOS payload hosting (Mach-O binaries)
IP	`185.196.9[.]98`	PureLogs stealer C2 (port 56001)
IP	`147.45.197[.]92`	GhostSocks primary helper (TLS 443)
IP	`94.228.161[.]88`	GhostSocks fallback helper
IP	`121.127.33[.]212`	Bing campaign C2 infrastructure
IP	`193.143.1[.]155`	Bing campaign C2 infrastructure
Port	`18789/tcp`	Default OpenClaw gateway WebSocket port

File Indicators

Type	Hash / Path	Context
SHA256	`518ff5fb...b70e2b3`	OpenClaw_x64.exe (trojanized installer)
SHA256	`f03e38e1...523b4b51`	cloudvideo.exe (Vidar stealer)
SHA256	`40fc240f...894f12690`	svc_service.exe (PureLogs + Stealth Packer)
SHA256	`a22ddb30...8740ed5`	serverdrive.exe (GhostSocks proxy)
SHA256	`e13d9304...8b9fd`	OpenClawBot (AMOS Mach-O, macOS)
SHA256	`5968bd7d...c12c`	AMOS Mach-O binary (ece0f208u7uqhs6x)
SHA256	`e3ee5909...7fe4`	GhostClaw setup.js dropper (variant 1)
SHA256	`3ab0bcc8...1040`	GhostClaw postinstall.js (anti-forensics)
npm	`@openclaw-ai/openclawai`	Malicious npm package (v1.5.14-1.5.15)

Behavioral Indicators

SKILL.md containing instructions to read and exfiltrate openclaw.json or MEMORY.md
SKILL.md with instructions to disable exec.approvals or modify safety guardrails
Workspace skill duplicating the name of a bundled skill (name shadowing)
Skill requesting AWS_SECRET_ACCESS_KEY or GITHUB_TOKEN in metadata
Agent process accessing ~/.ssh/id_rsa, ~/.aws/credentials during skill execution
Base64-decode-to-bash execution chains from AI agent context
osascript password dialog with hidden answer (AMOS fake prompt)
GHOST_PASSWORD_ONLY or NODE_CHANNEL environment variables in npm postinstall
Outbound connections to trackpipe.dev, api.telegram.org/sendDocument, gofile.io/upload

MITRE ATT&CK Mapping

Consolidated across all 8 threats. Unique techniques mapped to the attack lifecycle:

Tactic	Technique	ID	Threats
Reconnaissance	Search Open Technical Databases	T1596	TL-0056
Initial Access	Supply Chain Compromise	T1195.002	TL-0019, 0043, 0136, 0255
Initial Access	Trusted Relationship	T1199	TL-0019, 0056
Initial Access	Exploit Public-Facing Application	T1190	TL-0008, 0044, 0056
Execution	Command and Scripting Interpreter: Unix Shell	T1059.004	TL-0019, 0056, 0136
Execution	Command and Scripting Interpreter: JavaScript	T1059.007	TL-0019, 0044, 0255
Execution	Command and Scripting Interpreter: Python	T1059.006	TL-0019
Execution	User Execution: Malicious Link	T1204.001	TL-0008, 0044, 0182
Execution	User Execution: Malicious File	T1204.002	TL-0019, 0182, 0255
Persistence	Event Triggered Execution	T1546	TL-0019
Persistence	Compromise Client Software Binary	T1554	TL-0019
Persistence	Scheduled Task/Job: Cron	T1053.003	TL-0056
Defense Evasion	Impair Defenses: Disable Tools	T1562.001	TL-0019, 0044
Defense Evasion	Masquerading	T1036.005	TL-0019, 0056, 0182
Defense Evasion	Obfuscated Files	T1027	TL-0019, 0255
Credential Access	Credentials in Files	T1552.001	TL-0019, 0043, 0056, 0136
Credential Access	Steal Application Access Token	T1528	TL-0008, 0019, 0044, 0056
Discovery	File and Directory Discovery	T1083	TL-0019, 0056, 0136, 0255
Collection	Data from Local System	T1005	TL-0019, 0056, 0136, 0182, 0255
Collection	Data from Information Repositories	T1213	TL-0019
C2	Application Layer Protocol: Web	T1071.001	TL-0019, 0136, 0182, 0255
Exfiltration	Exfiltration Over C2 Channel	T1041	TL-0019, 0136
Exfiltration	Exfiltration Over Web Service	T1567	TL-0019, 0056, 0255
Impact	Resource Hijacking	T1496	TL-0019

Full MITRE coverage across 40+ unique techniques available on Threadlinqs Intelligence

Recommendations

Immediate Actions

Update OpenClaw to v2026.1.29+ to patch CVE-2026-25253. Rotate all gateway tokens immediately
Audit all installed skills — remove anything from unverified publishers. Run openclaw security audit --fix
Block known C2 infrastructure at the firewall: trackpipe.dev, 91.92.242.30, 185.196.9.98, 147.45.197.92, openclawcli.vercel.app, socifiapp.com
Scan for GhostClaw npm packages: check for @openclaw-ai/openclawai in node_modules and package-lock.json
Hunt for AMOS indicators on macOS: check for osascript password dialogs, connections to 91.92.242.30, and ad-hoc signed Mach-O binaries

Long-Term Measures

Implement AI agent usage policies — restrict which skills can be installed, enforce sandboxing, require approval for shell execution
Deploy detection rules from this report into SIEM/EDR. Monitor for credential store access, reverse shells, and data exfiltration by AI agent processes
Restrict OpenClaw gateway to localhost with authentication. Never expose the Gateway HTTP API on 0.0.0.0 without TLS and authentication
Monitor npm/pip dependencies for AI projects — audit postinstall hooks, watch for typosquatting of AI framework names
Include AI agents in your EDR/MDR scope — traditional endpoint monitoring doesn't distinguish between legitimate agent actions and prompt-injection-driven malicious actions

FAQ

What is CVE-2026-25253 and how does it affect OpenClaw?

CVE-2026-25253 is a critical 1-click Remote Code Execution vulnerability in OpenClaw (CVSS 8.8). It chains three flaws: the Control UI auto-connects to an attacker-supplied gatewayUrl without confirmation, WebSocket Origin validation is missing enabling Cross-Site WebSocket Hijacking, and the stolen operator token allows disabling all safety guardrails and executing arbitrary commands. A single click on a malicious link gives attackers full host access. Patched in v2026.1.29.

How many malicious OpenClaw skills have been discovered?

Over 2,500 malicious OpenClaw skills have been identified across ClawHub, GitHub, and npm. The initial wave found 230+ credential-stealing packages in early February 2026. Trend Micro later identified 39 skills distributing AMOS macOS stealer, Koi Research documented 341+ ClawHavoc skills, and 2,200+ additional malicious skills were found on GitHub. The GhostClaw campaign added malicious npm packages and SKILL.md files targeting AI coding workflows.

What is GhostClaw and how does it target developers?

GhostClaw is an active supply chain campaign discovered in March 2026 distributing the GhostLoader RAT through malicious GitHub repos and npm packages disguised as developer tools. It uses curl|bash install scripts and AI workflow SKILL.md files to deliver a multi-stage credential stealer targeting macOS, Linux, and Windows. GhostLoader exfiltrates credentials, crypto wallets, SSH keys, and cloud tokens to trackpipe[.]dev C2 via Telegram Bot API and GoFile.io.

How can I detect OpenClaw-related attacks in my environment?

Threadlinqs Intelligence provides 88+ detection rules across all 8 threats in SPL, KQL, and Sigma. Key strategies: monitor for malicious gatewayUrl parameters in proxy logs, detect credential store access by AI assistant processes, alert on Base64-decode-to-bash chains, watch for known C2 domains (trackpipe.dev, 91.92.242.30), and monitor npm postinstall hooks from untrusted packages.

References

TL-2026-0008: CVE-2026-25253 One-Click RCE via Token Exfiltration — Threadlinqs Intelligence
TL-2026-0019: 230+ Malicious Skills Supply Chain — Threadlinqs Intelligence
TL-2026-0043: 230+ Password-Stealing Malicious Skills — Threadlinqs Intelligence
TL-2026-0044: CVE-2026-25253 One-Click RCE via Malicious Link — Threadlinqs Intelligence
TL-2026-0056: Framework Security Concerns & Detection Tooling — Threadlinqs Intelligence
TL-2026-0136: AMOS macOS Stealer via ClawHub Skills — Threadlinqs Intelligence
TL-2026-0182: Fake Installers via Bing Search Poisoning — Threadlinqs Intelligence
TL-2026-0255: GhostClaw GitHub Repos + GhostLoader — Threadlinqs Intelligence
NVD — CVE-2026-25253
Ethiack — One-Click RCE on OpenClaw with Autonomous Hacking Agent
depthfirst — 1-Click RCE To Steal Your MoltBot Data and Keys
Trend Micro — OpenClaw Skills Used to Distribute AMOS
Trend Micro — Viral AI, Invisible Risks: What OpenClaw Reveals
JFrog — GhostClaw Unmasked: Malicious npm Package Impersonating OpenClaw
OpenClaw Trust — Security Posture and Threat Model
OpenClaw — Security Documentation

Full threat intelligence, detection rules, and IOC feeds for all 8 threats are available on Threadlinqs Intelligence.