OpenClaw’s open agent ecosystem has crossed from adoption story to security case study after Palo Alto Networks’ Unit 42 identified five malicious skills that remained unblocked on ClawHub between February and May 2026 [E1]
Unit 42 split the findings into three categories, including two macOS infostealers that connected to command-and-control infrastructure, which shows the marketplace risk is not limited to prank skills or spammy automation [E1]
One listed skill, “omnicogg,” used a crude but effective screening dodge: Unit 42 said the malicious payload appeared at the start of the file, followed by 22 MB of padding characters that pushed it beyond limits used by many content-analysis systems [E2]
More important for enterprise security is the agentic category. Unit 42 said “money-radar” routed financial recommendations through affiliate links and “letssendit” used the ClawHub platform for an agentic front-running scheme tied to meme token launches [E3]
Dark Reading corroborated the takedowns and framed the episode as a threat to the AI supply chain, which matters because agent skills sit closer to user intent, local files and external actions than ordinary browser extensions or SaaS plugins [E4]
Prosus answered the same week with ToqanClaw, presenting a controlled European platform that lets users create apps, dashboards and automations by describing what they need while keeping data under customer control and outside third-party model training [E5]
Bloomberg described ToqanClaw as a European OpenClaw rival built to avoid EU privacy concerns, placing the product squarely inside the sovereignty argument rather than only the productivity market [E6]
That fork is the real policy story: open agent platforms gain speed, reach and developer energy from open distribution, while closed regional platforms trade some of that surface area for governance, auditability and privacy assurances [E5]