ClawHub may be hosting supply chain attacks through new AI agent skills. Some of the skills contain malware to steal credentials and potentially affect accounts and crypto wallets.
ClawHub, the marketplace for OpenClaw AI agent skills, is hosting multiple malicious skills. The supply chain attack may be stealing credentials, potentially affecting crypto wallets.
Security researchers from SlowMist reviewed over 400 potential compromised skills, revealing organized attacks targeting specific domains. Skills like X Trends hide a backdoor download, which can then send credentials to the threat actor.
The SlowMist research builds on a previous discovery by KOI Security, discovering 341 malicious skills among a total of 2,857 bot skills in the marketplace. Later analysis by SlowMist discovered up to 472 malicious skills, though the number can still vary.
ClawHub conceals stealers in hundreds of skills
Earlier, Koi Research conducted AI-assisted research using an OpenClaw bot named Alex. The bot found 335 skills that were used to push the Atomic Stealer on macOS.
“You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro,” Koi researcher Oren Yomtov said.
“The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.”
A Windows exploit is also active, calling users to download additional files from a GitHub repository. The supply chain attack also includes a keylogger, which can steal multiple credentials, including potentially uncovering crypto wallets.
As Cryptopolitan reported earlier, OpenClaw agents are still in their early stages and are displaying unexpected behavior. Adoption is growing daily, posing new risks in cybersecurity and agent behaviors.
SlowMist continues tracking ClawHub skills for new threats
The recent supply chain attack may not be a one-off event. ClawHub is a relatively new space, attracting a large number of developers. SlowMist will be tracking the space as a source of supply chain attacks. The platform still lacks formal review mechanisms, allowing widely used skills to be infiltrated.
There are still no clear reports of crypto theft through ClawHub. Previously, the public skills repo has contained malicious prompts linked to attempted crypto stealing. In the future, SlowMist will issue real-time alerts via its MistEye service to detect new malicious skills on ClawHub.
SlowMist has also identified an IP address that is reused in the malicious attacks. According to theat records, the IP 91.92.242.30 is historically linked to the Poseidon hacker group, known for extortion and data theft.
For end users, researchers advise against trusting the installation steps in new skills and to audit any commands that require copying and pasting. A common-sense preview of prompts is also a good check, looking for prompts asking for system passwords or other secure access. Users may wait for official channels and avoid installations from unknown sources.
Source: https://www.cryptopolitan.com/clawhub-supply-chain-attacks-ai-agent-skills/
