Cosine warns of 1,184 malicious packages on ClawHub stealing SSH keys, crypto wallets, and passwords, urging AI tool use in secure isolated environments.
SlowMist founder Cosine reported finding 1,184 malicious AI-generated skills on OpenClaw’s ClawHub, aimed at stealing SSH keys, cryptocurrency wallet data, and browser passwords. One attacker was behind 677 of the packages, with the most downloaded skill containing nine vulnerabilities and thousands of downloads. Cosine urged users to run AI software in isolated environments to mitigate security risks.