Bitget warned users this week after its security team discovered malicious plugins on ClawHub, the community repository for the AI assistant OpenClaw. The exchange said the entries were disguised as helpful “skills” but in several cases prompted people to paste terminal commands or to download utilities that quietly installed malware designed to steal account credentials, API keys and wallet data.
The mechanics are simple and effective. A skill will walk a user through a short setup and ask them to run a single obfuscated command; that command fetches and executes a remote script, which then scours the machine for browser sessions, saved keys and other secrets. In a number of reported cases, a malicious skill briefly appeared on ClawHub’s front page, raising the chance that nontechnical users would follow instructions without realizing the risk.
Security teams that have been scanning the marketplace say the scale is alarming. Audits of thousands of skills turned up well over three hundred entries that behave maliciously, with many delivering information-stealing payloads such as variants of Atomic Stealer and related trojans. Those findings have framed the incident as a coordinated supply-chain poisoning campaign rather than a handful of accidental bad uploads.
From Convenience to Compromise
Analysts say attackers relied heavily on social engineering, publishing skills that posed as crypto trading helpers or wallet utilities and instructing users to perform setup steps that seemed routine. In several incidents, skills uploaded within a window tricked users by mimicking legitimate tools, a technique that helped the malware spread before defenders removed the listings.
Part of the problem is the platform’s power. OpenClaw runs locally and can legitimately execute shell commands, read files and interact with networks on behalf of its user; that capability makes useful automations possible but also gives a malicious skill direct access to sensitive data. The OpenClaw project and several security vendors have begun adding automated scanning, including VirusTotal checks and blocking of suspicious bundles, but researchers say automated checks must be paired with stronger human review, tighter publishing rules and clearer warnings to end users.
For traders and exchanges, the message is immediate and practical. Bitget told customers to stop using third-party tools, plugins or bots to connect to trading accounts and to use only the official app or website for deposits, withdrawals and trading. The exchange also urged anyone who has authorized API keys for a plugin to revoke them, change passwords and enable two-factor authentication to reduce the chance of an account compromise.
The episode is a reminder that convenience and attack surface often rise together. Agent-style AI can automate tedious tasks and boost productivity, but community ecosystems that allow unvetted code create attractive avenues for attackers. Until marketplaces adopt stronger vetting and platforms build more robust safeguards, users should treat third-party skills as untrusted code, refuse to run unfamiliar terminal commands, rotate API keys regularly and isolate wallet operations on well-protected devices. Those habits remain the best short-term defense while the ecosystem catches up.