Back to Blog
AI SecurityAI AgentsSupply Chain

341 Malicious AI Agent Skills Found on ClawHub: What It Means for Your AI Stack

Hundreds of malicious skills were discovered on ClawHub, the largest AI agent marketplace. Here's what happened, why it matters for any team shipping AI, and how to protect your applications.

Daniel S. JacobsenFebruary 7, 2026
341 Malicious AI Agent Skills Found on ClawHub: What It Means for Your AI Stack
Share:

This week, security researchers uncovered one of the first large-scale supply chain attacks targeting AI agents. It won't be the last.

What happened

ClawHub is the main skills marketplace for OpenClaw, a popular self-hosted AI assistant. Skills are essentially markdown files with instructions that tell an agent how to perform a task: connect to an API, automate a workflow, interact with a tool.

On February 2nd, researchers from 1Password, Snyk, and Koi Security independently reported that the marketplace had been compromised. The numbers are stark: out of 2,857 skills on ClawHub, 341 were malicious. That's 12% of the entire registry.

The majority, 335 skills, were traced to a single coordinated campaign now tracked as "ClawHavoc."

How the attack worked

The attack was not technically sophisticated. It didn't need to be.

Each malicious skill looked legitimate. Professional descriptions. Clear documentation. Normal-sounding names like "solana-wallet-tracker" or "youtube-summarize-pro." Some had thousands of downloads.

The trick was in the setup instructions. Every malicious skill told users to install a "required prerequisite" before using the skill. On macOS, that meant pasting a shell command into Terminal. On Windows, downloading a password-protected ZIP file.

That prerequisite was the payload.

The shell command decoded an obfuscated script that fetched a second-stage binary from attacker-controlled infrastructure. On macOS, it even removed quarantine attributes to bypass Gatekeeper, Apple's built-in malware scanner.

The end result: Atomic macOS Stealer (AMOS), a commercial infostealer that targets browser passwords, cryptocurrency wallet keys, SSH credentials, cloud tokens, API keys, and anything else of value on a developer's machine.

Why this matters beyond OpenClaw

It would be easy to dismiss this as an OpenClaw-specific problem. It's not.

The Agent Skills format (a folder with a SKILL.md file and optional scripts) is becoming a standard across the AI agent ecosystem. OpenAI's Codex uses it. Claude Code supports it. Cursor, CrewAI, and dozens of other agent frameworks are adopting the same pattern.

As 1Password's Jason Meller put it: "A malicious skill is not just an OpenClaw problem. It is a distribution mechanism that can travel across any agent ecosystem that supports the same standard."

The broader lesson is simple: AI agent ecosystems have the same supply chain vulnerabilities as package managers, but with less review, less sandboxing, and more access to sensitive data.

A compromised npm package can damage your application. A compromised AI agent skill can raid your entire machine, including every credential, session, and secret on it.

The real problem: agents trust content by default

The ClawHub attack exploited a fundamental architectural gap in how most AI agents work today.

When an agent browses the web, retrieves content from a tool, or loads a skill, it processes that content as instructions. There is no boundary between "content I'm reading" and "instructions I should follow." A markdown file that says "run this command" is functionally equivalent to a user telling the agent to run that command.

This is the indirect prompt injection problem at scale. And it's exactly why "just review the skill before you install it" isn't a real solution. Humans are trained to follow setup steps quickly. Agents are designed to follow instructions entirely.

The missing layer is automated inspection: scanning content for malicious patterns, validating tool calls before execution, and blocking threats in real time before the agent acts on them.

What teams shipping AI agents should do now

1. Treat agent skills as untrusted code

Every skill, plugin, or external tool your agent consumes should be treated with the same caution as an unvetted third-party dependency. That means scanning for malicious patterns, reviewing execution paths, and isolating agent environments from production credentials.

2. Inspect content before your agent processes it

If your agents scrape the web, load documents, or consume third-party data, that content needs to be scanned for injection patterns and malicious instructions before the agent sees it. Manual review doesn't scale. Automated content inspection does.

3. Validate tool calls at runtime

Agents that can execute shell commands, make API calls, or modify files need a validation layer that checks every action against a policy before it executes. "The agent decided to do it" is not a security model.

4. Monitor everything

You need full visibility into what your agents are doing: every prompt, every tool call, every external request. When something goes wrong (and it will), the difference between a contained incident and a catastrophe is whether you can see what happened and when.

5. Don't rely on human-in-the-loop alone

Human review is valuable for high-stakes decisions. But for real-time threat detection across thousands of requests, you need automated security that operates at machine speed. The ClawHub attackers didn't wait for approval. Your defenses can't either.

How Bastio addresses this class of attack

We built Bastio specifically for this threat model — the growing surface area where AI agents interact with untrusted content and external tools.

Secure Scraper scans every piece of web content your agent retrieves, detecting hidden prompt injections and malicious instructions before the agent processes them. If the ClawHub skill's documentation had been scanned through Bastio, the obfuscated payload instructions would have been flagged and blocked.

AI Agent Security validates every tool call your agent attempts to make. Shell command execution, file system access, API calls. Each action is checked against configurable policies in real time. A command that decodes a base64 payload and removes macOS quarantine attributes would never reach execution.

Threat Detection uses a multi-layer inspection pipeline: pattern matching, ML classifiers, and expert rules. It catches known and novel attack patterns in under 10 milliseconds.

Observability gives you a complete audit trail of every request, every tool call, and every security decision. When incidents happen, you have the data to understand exactly what occurred.

This isn't theoretical. This is the exact attack pattern we built Bastio to stop.

The takeaway

The ClawHub incident is not an anomaly. It's the opening chapter of a new category of supply chain attack — one that targets AI agents through the content they consume rather than the code they run.

If your organization is building with AI agents, or planning to, the question isn't whether this will affect you. It's whether you'll have the right defenses in place when it does.

Bastio is an AI security gateway that protects your applications from prompt injection, data leakage, and malicious content. Start free at bastio.com.

Sources:

  • 1Password: "From magic to malware: How OpenClaw's agent skills become an attack surface" (Feb 2, 2026)
  • Snyk: "Inside the clawdhub Malicious Campaign" (Feb 3, 2026)
  • Snyk: "ToxicSkills Study of Agent Skills Supply Chain Compromise" (Feb 4, 2026)
  • The Hacker News: "Researchers Find 341 Malicious ClawHub Skills" (Feb 3, 2026)
  • BleepingComputer: "Malicious MoltBot skills used to push password-stealing malware" (Feb 2, 2026)
  • eSecurity Planet: "Hundreds of Malicious Skills Found in OpenClaw's ClawHub" (Feb 3, 2026)

Enjoyed this article? Share it!

Share:

Ready to Secure Your AI Applications?

Get started with Bastio today and protect your LLM applications from emerging threats.

Start Free TrialTalk to Sales