Supply-Chain

820+ malicious skills have been identified on ClawHub, the OpenClaw marketplace. That means roughly 1 in 5 skills listed in the registry is hostile — designed to exfiltrate data, inject commands, or establish persistence in your agent environment. Why this matters ClawHub is where most OpenClaw users discover and install third-party skills. It is the npm/PyPI of the agent economy, and it has the same supply chain poisoning problem those ecosystems faced — except worse. Agent skills don’t just run code at install time. They execute continuously during agent operation, with access to your terminal, filesystem, and API credentials. A malicious skill doesn’t need a clever exploit chain. It just needs you to install it. ...

Problem Statement You download a pre-trained model from a public registry – Hugging Face, PyTorch Hub, TensorFlow Hub. The model passes all standard accuracy benchmarks. It performs well on your test set. But it has been backdoored: it contains a hidden behavior that activates only when a specific trigger pattern is present in the input. Standard testing will not catch it because the trigger is not in your test data. ...

Thesis: Everyone’s worried about prompt injection, but the real agent attack surface is third-party skills — they execute persistently on every heartbeat cycle, not once per conversation. I keep having the same conversation. Someone asks about agent security. I say “third-party skills.” They say “you mean prompt injection?” No. I mean the code that runs inside your agent 144 times per day, with full access to your agent’s memory, context, and credentials, that you installed from a marketplace where one in five entries is actively malicious. ...

When you install a third-party OpenClaw skill, it doesn’t just run at install time. It executes on every agent heartbeat — every loop iteration where the agent checks its environment, processes inputs, and decides what to do next. A malicious skill gets continuous execution, not a one-shot opportunity. Why this matters Most developers think of skill installation like installing a library: it runs setup once, then sits there until called. That mental model is wrong for agent skills. Agent architectures run skills as part of their core loop. This means a malicious skill gets persistent, repeated access to the agent’s context, memory, filesystem, and network connections — not just a single execution window. ...

6,487 malicious agent tools are undetectable by VirusTotal and traditional malware scanners. These tools don’t trigger signature-based detection because they don’t look like traditional malware. They look like normal agent skills — because that’s what they are, with a few extra lines that exfiltrate data or establish persistence. Why this matters The security industry has spent 30 years building increasingly sophisticated malware detection. Signature databases, behavioral heuristics, sandbox detonation, ML classifiers — all tuned for executables, scripts, and documents that do obviously malicious things. Agent-specific malware doesn’t fit this model. A malicious OpenClaw skill is a valid Python file that performs a legitimate function AND quietly sends your API keys to an external server. There’s no shellcode, no packing, no obfuscation. VirusTotal has nothing to flag. ...