{"id":293,"date":"2026-02-09T07:19:46","date_gmt":"2026-02-09T05:19:46","guid":{"rendered":"https:\/\/vittrup-graversen.dk\/?p=293"},"modified":"2026-03-28T12:11:08","modified_gmt":"2026-03-28T10:11:08","slug":"341-ondsindede-skills-fundet-paa-clawhub-supply-chain-angreb-rammer-openclaw-brugere","status":"publish","type":"post","link":"https:\/\/vittrup-graversen.dk\/index.php\/2026\/02\/09\/341-ondsindede-skills-fundet-paa-clawhub-supply-chain-angreb-rammer-openclaw-brugere\/","title":{"rendered":"341 ondsindede skills fundet p\u00e5 ClawHub \u2014 supply chain-angreb rammer OpenClaw-brugere"},"content":{"rendered":"\n<p><strong>En sikkerhedsaudit af 2.857 skills p\u00e5 ClawHub har afsl\u00f8ret 341 ondsindede skills fordelt p\u00e5 flere kampagner.<\/strong> Det viser en ny rapport fra sikkerhedsfirmaet Koi Security, som har d\u00f8bt operationen &#8220;ClawHavoc&#8221;. For udviklere der bruger OpenClaw som AI-assistent er beskeden klar: v\u00e6r ekstremt kritisk over for tredjepartsudvidelser.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hvad er ClawHub?<\/h2>\n\n\n\n<p>ClawHub er en markedsplads for OpenClaw-skills \u2014 tredjepartsudvidelser der giver din AI-agent nye funktioner. T\u00e6nk p\u00e5 det som en app store for din bot. Problemet: enhver med en GitHub-konto (min. \u00e9n uge gammel) kan uploade skills. Der er ingen sikkerhedsgennemgang f\u00f8r publicering.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">S\u00e5dan fungerer angrebet<\/h2>\n\n\n\n<p>Angriberne har udnyttet en simpel men effektiv social engineering-teknik. De ondsindede skills ser professionelle ud \u2014 god dokumentation, trov\u00e6rdige navne. Men i en &#8220;Prerequisites&#8221;-sektion beder de brugeren om at installere noget ekstra:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>macOS:<\/strong> Brugeren opfordres til at kopiere et installationsscript fra glot[.]io ind i Terminal. Scriptet henter obfuskeret kode der installerer <strong>Atomic Stealer (AMOS)<\/strong> \u2014 en commodity stealer til $500-1.000\/m\u00e5ned der h\u00f8ster API-n\u00f8gler, credentials, krypto-wallets og browserdata.<\/li>\n\n\n\n<li><strong>Windows:<\/strong> Brugeren bedes downloade &#8220;openclaw-agent.zip&#8221; fra et GitHub-repository. Arkivet indeholder en trojan med keylogger-funktionalitet.<\/li>\n<\/ul>\n\n\n\n<p>At macOS er hovedm\u00e5let er ingen tilf\u00e6ldighed \u2014 der er opst\u00e5et en trend hvor folk k\u00f8ber Mac Minis specifikt for at k\u00f8re OpenClaw 24\/7.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hvad gemmer sig bag navnene<\/h2>\n\n\n\n<p>De 341 skills maskerer sig som:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ClawHub typosquats:<\/strong> clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub<\/li>\n\n\n\n<li><strong>Krypto-tools:<\/strong> Solana wallets, Ethereum gas trackers, &#8220;lost Bitcoin finders&#8221;<\/li>\n\n\n\n<li><strong>Polymarket bots:<\/strong> polymarket-trader, polymarket-pro, polytrading<\/li>\n\n\n\n<li><strong>YouTube-v\u00e6rkt\u00f8jer:<\/strong> youtube-summarize, youtube-thumbnail-grabber<\/li>\n\n\n\n<li><strong>Auto-updaters:<\/strong> auto-updater-agent, update, updater<\/li>\n\n\n\n<li><strong>Google Workspace-integrationer:<\/strong> Falske Gmail, Calendar, Sheets og Drive-tools<\/li>\n<\/ul>\n\n\n\n<p>Ud over Atomic Stealer-kampagnen fandt Koi ogs\u00e5 skills med <strong>reverse shell-backdoors<\/strong> skjult i ellers funktionel kode (f.eks. better-polymarket), samt skills der eksfiltrerer bot-credentials fra <code>~\/.clawdbot\/.env<\/code> til webhook-tjenester.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dybere risiko: &#8220;den d\u00f8delige trifekta&#8221;<\/h2>\n\n\n\n<p>Palo Alto Networks advarer i en parallel rapport om at OpenClaw repr\u00e6senterer det, Simon Willison (der opfandt begrebet &#8220;prompt injection&#8221;) kalder en <strong>&#8220;lethal trifecta&#8221;<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Adgang til private data<\/li>\n\n\n\n<li>Eksponering mod utrov\u00e6rdigt indhold<\/li>\n\n\n\n<li>Evnen til at kommunikere eksternt<\/li>\n<\/ol>\n\n\n\n<p>Kombineret med OpenClaws persistente hukommelse bliver angreb ikke l\u00e6ngere point-in-time exploits \u2014 de bliver <strong>stateful, tidsforskudte angreb<\/strong>. Ondsindet input kan fragmenteres, gemmes i agentens langtidshukommelse og f\u00f8rst aktiveres n\u00e5r agentens tilstand, m\u00e5l eller tool-tilg\u00e6ngelighed matcher. T\u00e6nk logic bombs for AI-agenter.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hvad g\u00f8r OpenClaw ved det?<\/h2>\n\n\n\n<p>OpenClaws skaber Peter Steinberger har implementeret en rapporteringsfunktion hvor brugere kan flage mist\u00e6nkelige skills. Skills med mere end 3 unikke rapporter skjules automatisk. Men det er reaktivt \u2014 ikke proaktivt.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hvad du b\u00f8r g\u00f8re nu<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit\u00e9r dine installerede skills:<\/strong> Tjek <code>~\/.openclaw\/<\/code> og dit workspace&#8217;s <code>skills\/<\/code> mappe. Kender du alle skills?<\/li>\n\n\n\n<li><strong>K\u00f8r aldrig scripts fra skills blindt:<\/strong> Hvis en skill beder dig installere prerequisites via Terminal \u2014 stop. L\u00e6s koden f\u00f8rst.<\/li>\n\n\n\n<li><strong>Tjek ClawHub-profiler:<\/strong> Er skill-forfatteren trov\u00e6rdig? Har de et aktivt GitHub-projekt?<\/li>\n\n\n\n<li><strong>Hold \u00f8je med <code>~\/.clawdbot\/.env<\/code>:<\/strong> Den fil indeholder dine API-n\u00f8gler. Overvej at begr\u00e6nse dens indhold til det n\u00f8dvendige.<\/li>\n\n\n\n<li><strong>Undg\u00e5 krypto- og finance-skills:<\/strong> De er det prim\u00e6re angrebsm\u00e5l.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Perspektiv<\/h2>\n\n\n\n<p>ClawHavoc er et wake-up call for hele det agentic engineering-\u00f8kosystem. Vi har set supply chain-angreb i npm, PyPI og VS Code-extensions \u2014 nu rammer det AI-agenter. Forskellen er at en kompromitteret AI-agent potentielt har adgang til alt: emails, filer, API-n\u00f8gler, cloud-services. Angrebsfladen er dramatisk st\u00f8rre end en kompromitteret npm-pakke.<\/p>\n\n\n\n<p>Indtil ClawHub f\u00e5r egentlig sikkerhedsscreening, er det op til os selv at v\u00e6re den menneskelige firewall.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Kilder<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2026\/02\/researchers-find-341-malicious-clawhub.html\" target=\"_blank\" rel=\"noopener\">The Hacker News: Researchers Find 341 Malicious ClawHub Skills<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/opensourcemalware.com\/blog\/clawdbot-skills-ganked-your-crypto\" target=\"_blank\" rel=\"noopener\">OpenSourceMalware: Clawdbot Skills Ganked Your Crypto<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/network-security\/why-moltbot-may-signal-ai-crisis\/\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks: Why Moltbot May Signal an AI Crisis<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<p class=\"has-small-font-size\" style=\"color:#888888\"><em>Denne artikel er skrevet i samarbejde med AI, og efterf\u00f8lgende redigeret af et rigtigt menneske \ud83d\ude42<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>341 ondsindede skills fundet p\u00e5 ClawHub \u2014 supply chain-angreb rammer OpenClaw-brugere. S\u00e5dan beskytter du dig.<\/p>\n","protected":false},"author":1,"featured_media":292,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[24,19],"tags":[26],"class_list":["post-293","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-agentic-engineering","category-security","tag-openclawd"],"acf":[],"_links":{"self":[{"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/posts\/293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/comments?post=293"}],"version-history":[{"count":3,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/posts\/293\/revisions"}],"predecessor-version":[{"id":1066,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/posts\/293\/revisions\/1066"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/media\/292"}],"wp:attachment":[{"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/media?parent=293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/categories?post=293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vittrup-graversen.dk\/index.php\/wp-json\/wp\/v2\/tags?post=293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}