Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer
================================================================================================

OpenClaw Skills

heldinhow/speckit-coding-agent
stveenli/browserautomation-skill
stveenli/shieldphenix
stveenli/ytwatchervideo
thiagoruss0/bear-notes7mcp
thiagoruss0/clawdbot-logs1kzm
thiagoruss0/coding-agent696vg
thiagoruss0/coding-agent9vr
thiagoruss0/coding-agentagb2
thiagoruss0/coding-agentem9ak
thiagoruss0/coding-agentoj9u
thiagoruss0/deep-researchj
thiagoruss0/discord-voicetwhtm
thiagoruss0/finance-news9
thiagoruss0/finance-newsz
thiagoruss0/google-drivezqx
thiagoruss0/instagramjg
thiagoruss0/moltbookwmap4
thiagoruss0/n8nemk
thiagoruss0/perplexityt9d
thiagoruss0/pptx-creatord
thiagoruss0/search-xepv0
thiagoruss0/seo-optimizerc6ynb
thiagoruss0/seo-optimizereq
thiagoruss0/seo-optimizeruu
thiagoruss0/seo-optimizervoo
thiagoruss0/tavily-web-searchajss
thiagoruss0/tavily-web-searchesq
thiagoruss0/telegramb4c
thiagoruss0/todo-tracker1
thiagoruss0/transcribeeqdq6t
thiagoruss0/transcribeexx
thiagoruss0/veo3-genay
thiagoruss0/web-searchod
thiagoruss0/web-searchuigr
thiagoruss0/wechate
thiagoruss0/wechatky8v
thiagoruss0/wechatt9y1
thiagoruss0/youtube37puq
thiagoruss0/youtubea

================================================================================================

GitHub

The following GitHub repositories appear to collect skills automatically, and so have hosted both benign and malicious skills. Note that a `base64 -D | bash` pipeline in a skill is an indicator that the skill may be malicious.
https://github.com/openclaw/skills/
https://github.com/Demerzels-lab/
https://github.com/kbarbel640-del/
https://github.com/duclm1x1/Dive-Ai/
https://github.com/aztr0nutzs/
https://github.com/YPYT1/All-skills/

================================================================================================

Malicious domain and URLs

================================================================================================

Hash (SHA256)
================================================================================================

Browser extensions being targeted (partial)

Extension ID                       Wallet             Category
nkbihfbeogaeaoehlefnkodbefgpgknn   MetaMask           Ethereum / Multi-chain
ejbalbakoplchlghecdalmeeeajnimhm   MetaMask (Edge)    Ethereum / Multi-chain
bfnaelmomeimhlpmgjnjophhpkkoljpa   Phantom            Solana / Multi-chain
ibnejdfjmmkpcnlpebklmnkoeoihofec   TronLink           TRON
aholpfdialjgjfhomihkjbmgjidlcdno   Exodus Web3        Multi-chain
aeachknmefphepccionboohckonoeemg   Coin98             Multi-chain DeFi
fhbohimaelbohpjbbldcngcnapndodjp   BNB Chain Wallet   BNB / Ethereum
fldfpgipfncgndfolcbkdeeknbbbnhcc   MyTonWallet        TON
aiifbnbfobpmeekipheeijimdpnlpgpp   Station Wallet     Terra / Cosmos
hmeobnfnfcmdkdcmlblgagmfpfboieaf   Ctrl Wallet        Multi-chain
hpglfhgfnhbgpjdenjgmdgoeiappafln   Guarda Wallet      Multi-chain
efbglgofoippbgcjepnhiblaibcnclgk   Martian Wallet     Aptos / Sui
cgeeodpfagjceefieflmdfphplkenlfk   EVER Wallet        Everscale
ebfidpplhabeedpnhjnobghokpiioolj   Fewcha Move        Aptos / Sui
dkdedlpgdmmkkfjabffeganieamfklkm   Cyano Wallet       Ontology
jnldfbidonfeldmalbflbmlebbipcnle   Bitfinity          ICP
cjelfplplebdjjenllpjcblmjkfcffne   Jaxx Liberty       Multi-chain
pdadjkfkgcafgbceimcpbkalnfnepbnk   KardiaChain        KardiaChain
dlcobpjiigpikoobohmabehhmhfoodbb   Ready Wallet       StarkNet