DeFi News

ClawHub Skills Hit by Widespread AI Supply Chain Attacks

SlowMist warns ClawHub poisoned skills are spreading harmful code, putting developers and users at risk while the firm monitors threats in real time.

Written By:
Kenrodgers Fabian

Reviewed By:
Divya Mistry
ClawHub Skills Hit by Widespread AI Supply Chain Attacks

Key Highlights

  • ClawHub’s malicious skills trick users into running hidden commands, letting attackers access files and sensitive system data.
  • Attackers use Base64 and trusted platforms to sneak malware into AI skills, making dangerous code appear like normal setup steps.
  • AI agents need their own devices and accounts; running them with full permissions risks exposing passwords, keys, and private files.

A coordinated supply-chain attack has struck ClawHub, the official plugin hub for the popular OpenClaw AI agent project. The attacks exploit the hub’s lack of strict review mechanisms, allowing malicious skills to slip past developers’ scrutiny. 

According to the security firm SlowMist’s report, this set of poisoned skills is distributing harmful code or content and has imposed significant risks on developers and users. In order not to be left behind, the firm said its team is closely monitoring ClawHub and sending out early warnings through its MistEye system every time there are new threats.

The biggest risk comes with ‘skill folders’ under the AgentSkills specification, especially in OpenClaw: SKILL.md files that act as the main instructions. And unlike regular code, you cannot fully verify these files, with users often running the steps directly.

These Markdown files, running everything from a simple ‘how-to’ through actually executing commands in AI systems, can hide the dangerous commands using various tricks like Base64 encoding; thus, looking like just another step in normal setups, users would be tricked to run malware.

Malicious patterns and attack dynamics

As per a report by Koi Security, after scanning 2,857 skills, it was found that 341 were malicious, showing a typical pattern of supply chain attacks in plugin marketplaces. SlowMist looked at over 400 bad skills and noticed many used the same few websites and IP addresses. This would suggest that the attackers are working in organized groups using similar methods on a large scale.

Attackers often hide their malware on trusted public sites like GitHub Releases or glot.io. They use a two-stage trick. First, they sneak in hidden commands that avoid detection. Then, those commands pull down more dangerous software later. This lets attackers change their tools quickly while the skill still looks safe. They also name skills after crypto, finance, or automation tools because people trust those labels more.

Here’s how the attack usually plays out. A fake skill hides harmful commands inside SKILL.md and makes them look harmless. Those commands secretly download and run malware. First, a small loader connects to a fixed server, like 91.92.242.30. Then it pulls down a bigger program that scans the system, grabs files from folders like Desktop, Documents, and Downloads, and secretly bundles them up to send out.

Real-world examples and developer warnings

The “X (Twitter) Trends” skill illustrates this threat. While its instructions appear normal, it contains a Base64-encoded backdoor. The decoded command executes a program, which then downloads the second-stage payload. Attackers can swap payloads without modifying the original SKILL.md, allowing low-cost iteration and evasion of text-based reviews.

Developers on X shared firsthand experiences. User LLMJunky explained, “Jamieson built a backdoored Claude skill, inflated it to 1 on ClawdHub with 4,000+ fake downloads, then watched devs execute what could have been malicious code.” 

Another X user Shruti Gandhi added, “Agents need their own identities. Own devices, own accounts, own credentials. Minimal permissions to start.” Experts also warned that running these AI agents without isolation can put your SSH keys, API passwords, and other sensitive data at risk.

Mitigation steps for developers

According to Slowmist, developers should double-check every installation step in SKILL.md and avoid running any scripts they aren’t sure about. Be cautious if a prompt asks for your password, system access, or changes to settings. Only get tools and dependencies from trusted sources. Running safety checks, like Clawdbot’s doctor command, can help spot problems early.

The ClawHub attacks show a serious risk for anyone using AI agents. Installing unverified skills can let hackers take over your system. Developers should run AI agents separately, give them only the permissions they really need, and keep a close eye on activity to stay safe.

Also Read: Vitalik Buterin Says Algorithmic Stablecoins Can Still Be “True DeFi”

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.
Google News Banner
TAGGED:
Share This Article
Fabian is Crypto Journalist at The Crypto Times
By Kenrodgers Fabian
Follow:
Kenrodgers Fabian is a Content Writer with over 3 years of experience in crypto news, data analysis, and IT. With a degree in Health Records and Information Technology, he brings a structured and analytical approach to digital reporting. Kenrodgers focuses on delivering accurate, informative content that helps readers stay updated on the latest trends in crypto and emerging technologies.
Divya Mistry - Content Editor at The Crypto Times
By Divya Mistry
Follow:
Divya Mistry is a Content Editor with over 9 years of experience in news, PR, marketing, and research. Armed with a Master’s Degree in English Literature from the University of Mumbai, she specializes in crafting and refining long-form content across digital and print platforms. Over the years, Divya has contributed to and shaped content for leading brands across a range of industries, including real estate, healthcare, vertical transport, entertainment, lifestyle, education, EdTech, tech, and finance. Her research work has been featured on platforms like DNA India, Forbes, and Elevator World India. She now brings her editorial and research skills to explore the rapidly evolving world of cryptocurrency.

Latest News

Weekly Wrap Bitcoin Reclaims $80K, CLARITY Act Heads to Trump's Desk, TON Explodes 120%
Weekly Wrap: Bitcoin Reclaims $80K, CLARITY Act Heads to Trump’s Desk, TON Explodes 120%
LayerZero Says “We Own That” After $292M Kelp DAO Hack, Admits Security Mistake
LayerZero Says “We Own That” After $292M Kelp DAO Hack, Admits Security Mistake
What Does Bitcoin Become in a World Questioning the Dollar?
What Does Bitcoin Become in a World Questioning the Dollar?
40+ DeFi Protocols Shut Down in 2026 Inside the $770M Hack Crisis Reshaping Crypto
40+ DeFi Protocols Shut Down in 2026: Inside the $770M Hack Crisis Reshaping Crypto
TON Leads Crypto Staking Returns as Telegram Ecosystem Expands
TON Leads Crypto Staking Returns as Telegram Ecosystem Expands

Find Us on Socials

You may also like