Malware Campaign Targets ClawHub Repository Through Malicious Comments

A new malware delivery campaign has targeted ClawHub, the official online repository for "skills" that extend the OpenClaw AI agent. The attack involves threat actors posting malicious troubleshooting comments on legitimate, popular skills published by other users. Unlike prior campaigns, this method does not rely on tricking users into downloading fake skills but instead exploits deceptive comments to distribute an infostealer. The campaign was identified on February 23, 2026, with no specific technical details or infection vectors disclosed. The primary impact is the potential compromise of user credentials and sensitive data via the infostealer payload.