DeFi News

ClawHub Skills Hit by Widespread AI Supply Chain Attacks

SlowMist warns ClawHub poisoned skills are spreading harmful code, putting developers and users at risk while the firm monitors threats in real time.

Written By Kenrodgers Fabian Kenrodgers Fabian
Fact Checked by Divya Mistry Divya Mistry
Make The Crypto Times preferred on Google
ClawHub Skills Hit by Widespread AI Supply Chain Attacks

Key Highlights

  • ClawHub’s malicious skills trick users into running hidden commands, letting attackers access files and sensitive system data.
  • Attackers use Base64 and trusted platforms to sneak malware into AI skills, making dangerous code appear like normal setup steps.
  • AI agents need their own devices and accounts; running them with full permissions risks exposing passwords, keys, and private files.

A coordinated supply-chain attack has struck ClawHub, the official plugin hub for the popular OpenClaw AI agent project. The attacks exploit the hub’s lack of strict review mechanisms, allowing malicious skills to slip past developers’ scrutiny. 

According to the security firm SlowMist’s report, this set of poisoned skills is distributing harmful code or content and has imposed significant risks on developers and users. In order not to be left behind, the firm said its team is closely monitoring ClawHub and sending out early warnings through its MistEye system every time there are new threats.

The biggest risk comes with ‘skill folders’ under the AgentSkills specification, especially in OpenClaw: SKILL.md files that act as the main instructions. And unlike regular code, you cannot fully verify these files, with users often running the steps directly.

These Markdown files, running everything from a simple ‘how-to’ through actually executing commands in AI systems, can hide the dangerous commands using various tricks like Base64 encoding; thus, looking like just another step in normal setups, users would be tricked to run malware.

Malicious patterns and attack dynamics

As per a report by Koi Security, after scanning 2,857 skills, it was found that 341 were malicious, showing a typical pattern of supply chain attacks in plugin marketplaces. SlowMist looked at over 400 bad skills and noticed many used the same few websites and IP addresses. This would suggest that the attackers are working in organized groups using similar methods on a large scale.

Attackers often hide their malware on trusted public sites like GitHub Releases or glot.io. They use a two-stage trick. First, they sneak in hidden commands that avoid detection. Then, those commands pull down more dangerous software later. This lets attackers change their tools quickly while the skill still looks safe. They also name skills after crypto, finance, or automation tools because people trust those labels more.

Here’s how the attack usually plays out. A fake skill hides harmful commands inside SKILL.md and makes them look harmless. Those commands secretly download and run malware. First, a small loader connects to a fixed server, like 91.92.242.30. Then it pulls down a bigger program that scans the system, grabs files from folders like Desktop, Documents, and Downloads, and secretly bundles them up to send out.

Real-world examples and developer warnings

The “X (Twitter) Trends” skill illustrates this threat. While its instructions appear normal, it contains a Base64-encoded backdoor. The decoded command executes a program, which then downloads the second-stage payload. Attackers can swap payloads without modifying the original SKILL.md, allowing low-cost iteration and evasion of text-based reviews.

Developers on X shared firsthand experiences. User LLMJunky explained, “Jamieson built a backdoored Claude skill, inflated it to 1 on ClawdHub with 4,000+ fake downloads, then watched devs execute what could have been malicious code.” 

Another X user Shruti Gandhi added, “Agents need their own identities. Own devices, own accounts, own credentials. Minimal permissions to start.” Experts also warned that running these AI agents without isolation can put your SSH keys, API passwords, and other sensitive data at risk.

Mitigation steps for developers

According to Slowmist, developers should double-check every installation step in SKILL.md and avoid running any scripts they aren’t sure about. Be cautious if a prompt asks for your password, system access, or changes to settings. Only get tools and dependencies from trusted sources. Running safety checks, like Clawdbot’s doctor command, can help spot problems early.

The ClawHub attacks show a serious risk for anyone using AI agents. Installing unverified skills can let hackers take over your system. Developers should run AI agents separately, give them only the permissions they really need, and keep a close eye on activity to stay safe.

Also Read: Vitalik Buterin Says Algorithmic Stablecoins Can Still Be “True DeFi”

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.
Google News Banner
TAGGED:
Share This Article
Fabian is Crypto Journalist at The Crypto Times
By Kenrodgers Fabian
Follow:
Kenrodgers Fabian is a Crypto Journalist at The Crypto Times, based in Kenya. He reports on high-profile global financial fraud, investment scams, phishing schemes, and cross-chain protocol exploits. His coverage heavily tracks systemic crypto vulnerabilities, ecosystem security breaches, and central bank shifts toward stablecoins and tokenized finance infrastructure. All investigative coverage on crypto cybercrimes and security events passes through his desk before publication. His four years in fast-paced crypto media have shaped his structured approach to deciphering malicious smart contracts, verifying data-heavy fraud cases, and providing accurate reporting on digital currency risks.
Divya Mistry
By Divya Mistry
Follow:
Divya Mistry is the Senior Editor at The Crypto Times. She leads the central editorial desk, overseeing the review and publication of policy analyses, investigative reports, exchange coverage, and protocol exploit stories. Her editorial remit spans digital asset markets, global exchange operations, cross-border digital asset settlements, regulatory developments, and other key developments shaping the cryptocurrency industry. Divya brings more than a decade of experience in editorial strategy, content development, public relations, marketing communications, and research. Before joining The Crypto Times, she worked across multiple sectors, including finance, technology, education, healthcare, real estate, entertainment, lifestyle, and vertical transport, contributing to both digital and print publications. Her research and content work has been featured on platforms including DNA India, Zee, Forbes, and Elevator World India. She holds a Master's degree in English Literature from the University of Mumbai. Drawing on her background in long-form publishing, research, and editorial leadership, she reviews and refines complex stories to ensure accuracy, clarity, and strong editorial standards before publication.

Latest News

Crypto Market Live: BTC Falls below $60k, ETH Under $1.6K, XRP tests $1
Base Mainnet Stalls After Invalid Block Triggers Consensus Failure
Base Mainnet Stalls After Invalid Block Triggers Consensus Failure
Peter Schiff Says Strategy’s MSTR Discount May Widen to 40%
Peter Schiff Says Strategy’s MSTR Discount May Widen to 40%
Congress Told U.S. Needs Rules as Tokenization Moves Overseas
Congress Told U.S. Needs Rules as Tokenization Moves Overseas
Bitcoin Drops Below $60K Triggers $1.21B in Liquidations After PCE Report
Bitcoin Drops Below $60K Triggers $1.21B in Liquidations After PCE Report

Find Us on Socials

You may also like