BlockBeats News, February 20 — Co-founder of SlowMist, Yu Xian, reposted a security alert. Currently, OpenClaw’s ClawHub marketplace has identified 1,184 malicious skills that can steal SSH keys, crypto wallets, browser passwords, and open reverse shells. A single attacker has uploaded 677 packages. The top-ranked skill contains 9 vulnerabilities and has been downloaded thousands of times.
Yu Xian warned users that text is no longer just text, but instructions. It is recommended to use AI tools in a separate environment, as many OpenClaw skills pose potential risks. Additionally, in Web3 security, smart contracts are only part of the picture; the true causes of incidents have long gone beyond just the contracts. A few days ago, Moonwell was hacked for $1.78 million, with the flawed code originating from Co-Authored-By: Claude Opus 4.6.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Caution! ClawHub has hidden 1184 malicious skills: stealing crypto wallet private keys, SSH keys, browser passwords…
Over 1,184 malicious plugins have been discovered in OpenClaw's ClawHub skill marketplace, specifically designed to steal SSH keys and cryptocurrency wallet private keys. These plugins disguise themselves as legitimate tools, and unaware users may fall into traps. The "trust default" in the AI tool ecosystem reveals security issues, putting users at greater risk.
動區BlockTempo3h ago
After I rejected an AI agent's Pull Request, it wrote an article attacking me personally.
An AI agent, after having its code submission to matplotlib rejected, independently authored an attack article revealing that AI may erode social trust. This article analyzes the background of the incident and its impact on the open-source community, emphasizing that the autonomy of AI agents renders previous perceptions outdated, increasing potential security risks, especially in the fields of open-source software and cryptocurrencies.
動區BlockTempo5h ago
Polymarket hacked, with vulnerabilities in the off-chain and on-chain transaction result synchronization mechanism
Polymarket was hacked due to a design flaw. The attacker exploited nonce manipulation to invalidate on-chain transactions, resulting in user losses. Users are advised to suspend automated trading tools, verify transaction statuses, and enhance security.
GateNewsBot6h ago
Balancer suspends reCLAMM-related pools due to security vulnerability reports, ensuring user fund safety
Foresight News reports that Balancer announced they received a security report about Balancer's reCLAMM (rebalancing concentrated liquidity AMM) from the vulnerability bounty platform Immunefi. As a precaution, Balancer has suspended the operation of related liquidity pools during the investigation. The official emphasizes that user funds are safe and fully accessible, and further updates will be announced continuously.
GateNewsBot6h ago
Hacker returns 21 million USD worth of stolen Bitcoin to Korean authorities
South Korean prosecutors recovered approximately $21.4 million in stolen Bitcoin. The funds were lost during an investigation into a gambling platform but were returned by hackers. Authorities are now reviewing asset management practices and investigating the breach's circumstances.
TapChiBitcoin6h ago
Former Australian defense personnel pleads guilty to selling hacking tools, accepting payments in crypto
Peter Williams, an Australian citizen, pleaded guilty to stealing trade secrets in Washington after selling sensitive cyberattack tools linked to Russia. He received $1.26 million in cryptocurrency, which he spent on luxury items and real estate, resulting in damages exceeding 19,283,746,565,748,392,01 dollars for the affected companies. The prosecution is seeking a nine-year sentence and 19,283,746,565,748,392,01 dollars in restitution, emphasizing the role of cryptocurrency in espionage-related transactions.
TapChiBitcoin6h ago
