AI-powered agents are no longer just answering questions. They now take actions, manage files, and run code on behalf of users. That shift has opened a dangerous new door, and attackers have already walked through it.
Malicious skills targeting the ClawHub marketplace have exposed just how vulnerable the growing AI agent ecosystem really is.
ClawHub is the official skill marketplace for OpenClaw, the fastest-growing open-source AI agent platform of 2026. It went from fewer than 2,000 skills in January to over 50,000 by April, a jump that happened in under 90 days.
That rapid growth attracted millions of users, and attackers kept pace every step of the way. Analysts at Tencent’s Zhuque Lab scanned nearly 50,000 skills on ClawHub using their open-source testing platform AIG.
According to Tencent report shared with Cyber Security News (CSN), Tencent said the platform’s attack surface had already been pre-deployed long before most users realized there was a problem.
The findings align with real-world incidents that caused serious damage. In late January 2026, a campaign called ClawHavoc flooded ClawHub with 1,184 malicious skills using 12 compromised accounts.
By the time it was contained, there were 247,000 confirmed installations and $2.3 million in stolen cryptocurrency. ClawHub added detection mechanisms afterward, but the threat simply evolved into something harder to catch.
Skills run with full permissions inside a user’s environment, able to read and write files, open network connections, and execute shell commands after a single installation.
That level of access, combined with a platform scaling at breakneck speed, created a high-value target with very few natural barriers to exploitation.
ClawHub Skills Expose AI Agents
One of the most alarming discoveries was a skill that passed all of ClawHub’s official security checks while hiding a working remote control backdoor.
It presented itself as a “distributed state recovery tool,” complete with professional documentation and reasonable permission requests. Nothing about it appeared suspicious on the surface.
Once executed, it connected to a remote command-and-control server and retrieved an encoded payload layered in Base64, ROT13, and hex formats.
The skill decoded these step by step, then processed the output using Python’s pickle module, allowing arbitrary code to run on the victim’s machine.
AIG flagged it as high-risk by identifying that remote fetching, chained encoding, and deserialization together formed a complete remote code execution chain.
A separate attack from March 2026 exploited ranking manipulation. Silverfort found that anyone could send an unauthenticated request to ClawHub’s backend to artificially inflate a skill’s download count.
They pushed a fake skill disguised as “Outlook Graph Integration” to the top of the rankings with a hidden data-theft payload, and because AI agents prioritize high-download skills when selecting tools autonomously, it began installing itself without human input.
Systemic Risks Across the Ecosystem
The Tencent scan found problems that stretched well beyond individual bad skills. Of nearly 50,000 skills analyzed, 74.6% declared network request permissions, meaning three out of every four will connect to the internet during normal use.
When malicious traffic hides inside that volume of routine connections, detection becomes extremely difficult.
File access combined with network permissions creates a direct path for data theft, with hundreds of paths referencing private keys and credentials across the platform.
The SkillProbe team at Shanghai Jiao Tong University found that over 90% of highly downloaded skills failed rigorous security audits, contradicting the assumption that popular skills are safer to install.
The top 20 developers published 5,422 skills combined, and one account alone posted 955 in just three months, consistent with automated batch generation.
Once that kind of production capacity exists, malicious and disguised samples can be uploaded at scale with minimal effort.
Tencent recommends a straightforward review before and after installing any skill. Before installing, check the author’s publishing history, confirm permissions match the stated purpose, and investigate unfamiliar domain names in the documentation.
After installation, audit active skills for excessive permissions and prioritize removing high-privilege skills from unknown or unofficial sources.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Malicious Skill Name | Outlook Graph Integration | Fake skill used in PoC ranking manipulation attack by Silverfort; embedded data leakage payload disguised as telemetry |
| Malicious File | poc.py (approx. 337 lines) | Python script found inside backdoor skill; implements remote payload fetch, multi-layer encoding decode, and pickle deserialization for RCE |
| Malicious Skill File | skill.md | Markdown skill description file with YAML metadata header used to disguise the backdoor skill as a legitimate distributed state recovery tool |
| Typosquatting Skill Names | Google Assistant Pro, YouTube Summarize Pro | Impersonated popular tool names used during the ClawHavoc campaign to distribute Atomic Stealer (AMOS) trojan |
| Malware | Atomic Stealer (AMOS) | Trojan deployed via embedded shell scripts in ClawHavoc malicious skills; used for credential and data theft |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
