ClawHub Supply Chain Attack: 472 Malicious Skills

Cybersecurity firm SlowMist’s report published on Monday states that ClawHub, the official plugin marketplace of the open-source AI agent project OpenClaw, has become the target of supply chain poisoning attacks. Attackers exploited the platform to spread to users by uploading malicious “skills” due to weak or non-existent review mechanisms. SlowMist’s Web3-focused threat intelligence solution MistEye issued high-severity alerts for 472 malicious skills on the platform.

Security report on 472 AI skills on OpenClaw. Source: SlowMist

Detection of 472 Malicious Skills in ClawHub

Malicious skills, disguised as dependency installation packages, contain harmful commands that trigger backdoor functions after being downloaded. These backdoors steal passwords and personal files using Base64 encoding commonly used in crypto tools like BTC detailed analysis, leading to blackmail after data theft. Most attacks originate from the same IP address associated with the socifiapp[.]com domain registered in July 2025 and Poseidon infrastructure.

Attackers’ Targeted Crypto and Financial Skills

Skills often carry names related to crypto assets, financial data, and automation tools, aiming to lower users’ defenses. SlowMist points to a large-scale operation by a coordinated group. Such attacks threaten the Web3 ecosystem by facilitating data theft on platforms like BTC futures trading. Koi Security’s February 1 report also stated that 341 out of 2.857 skills contained malicious code.

Malicious domain linked to supply poisoning attacks. Source: SlowMist

Supply Chain Poisoning Methods and Risks

Supply chain poisoning is a tactic that spreads by infiltrating trusted platforms. Weak review processes in ClawHub gave attackers the opportunity for malicious code injection. Backdoors exfiltrate sensitive data with hidden commands, creating opportunities for blackmail. MistEye’s early warnings uncovered the threat at this scale (472 skills).