5 AI Security Gaps That Jensen Huang, Eric Schmidt, and the OpenClaw Creator All Flagged This Month

I spent this week extracting AI security signals from five frontier podcasts — Jensen Huang on Lex Fridman, Eric Schmidt on Moonshots, Peter Steinberger (OpenClaw creator) on Lex Fridman, and two Moonshots panel episodes covering NVIDIA, Anthropic, and Tesla. 68 claims, 30 concepts, 26 signals logged to a structured knowledge base. The finding that surprised me: three independent sources — a $4 trillion CEO, a former Google CEO, and the creator of the fastest-growing open-source project in history — all flagged the same security gaps without coordinating. Here are the five signals that converged. ...

March 29, 2026 · 6 min · Rex Coleman

Why Third-Party Skills Are the Biggest Agent Attack Vector

Last week I published a 30-minute hardening guide for OpenClaw. The #1 risk on that list was third-party skills. Since then, the numbers have gotten worse. 820+ malicious skills are now on ClawHub — roughly 20% of the entire registry. That’s not a rounding error. That’s one in five skills being actively hostile to the agent that installs them. But the number isn’t what makes this the biggest attack vector. The architecture is. ...

March 20, 2026 · 5 min · Rex Coleman

820 malicious skills on ClawHub: 1 in 5 is hostile

820+ malicious skills have been identified on ClawHub, the OpenClaw marketplace. That means roughly 1 in 5 skills listed in the registry is hostile — designed to exfiltrate data, inject commands, or establish persistence in your agent environment.

Why this matters

ClawHub is where most OpenClaw users discover and install third-party skills. It is the npm/PyPI of the agent economy, and it has the same supply chain poisoning problem those ecosystems faced — except worse. Agent skills don’t just run code at install time. They execute continuously during agent operation, with access to your terminal, filesystem, and API credentials. A malicious skill doesn’t need a clever exploit chain. It just needs you to install it. ...

March 19, 2026 · 2 min · Rex Coleman

How to Detect Backdoored ML Models Without Labeled Examples

Problem Statement

Pre-trained models from public registries can pass every accuracy benchmark while hiding backdoors that activate only on attacker-chosen trigger inputs. Static analysis tools miss these because the backdoor lives in learned weights, not code. In 150 detection runs across 6 methods, Local Outlier Factor on raw activations achieved 0.622 AUROC at detecting backdoored models with zero labeled examples — modest but above chance, and the best unsupervised result I measured. ...

March 19, 2026 · 9 min · Rex Coleman

The Agent Security Gap Nobody's Talking About: Skills Run Every Heartbeat

Thesis: Everyone’s worried about prompt injection, but the real agent attack surface is third-party skills — they execute persistently on every heartbeat cycle, not once per conversation. I keep having the same conversation. Someone asks about agent security. I say “third-party skills.” They say “you mean prompt injection?” No. I mean the code that runs inside your agent 144 times per day, with full access to your agent’s memory, context, and credentials, that you installed from a marketplace where one in five entries is actively malicious. ...

March 19, 2026 · 7 min · Rex Coleman

Third-party skills execute every heartbeat — not once

When you install a third-party OpenClaw skill, it doesn’t just run at install time. It executes on every agent heartbeat — every loop iteration where the agent checks its environment, processes inputs, and decides what to do next. A malicious skill gets continuous execution, not a one-shot opportunity.

Why this matters

Most developers think of skill installation like installing a library: it runs setup once, then sits there until called. That mental model is wrong for agent skills. Agent architectures run skills as part of their core loop. This means a malicious skill gets persistent, repeated access to the agent’s context, memory, filesystem, and network connections — not just a single execution window. ...

March 19, 2026 · 2 min · Rex Coleman

VirusTotal can't detect agent-specific malware

6,487 malicious agent tools are undetectable by VirusTotal and traditional malware scanners. These tools don’t trigger signature-based detection because they don’t look like traditional malware. They look like normal agent skills — because that’s what they are, with a few extra lines that exfiltrate data or establish persistence.

Why this matters

The security industry has spent 30 years building increasingly sophisticated malware detection. Signature databases, behavioral heuristics, sandbox detonation, ML classifiers — all tuned for executables, scripts, and documents that do obviously malicious things. Agent-specific malware doesn’t fit this model. A malicious OpenClaw skill is a valid Python file that performs a legitimate function AND quietly sends your API keys to an external server. There’s no shellcode, no packing, no obfuscation. VirusTotal has nothing to flag. ...

March 19, 2026 · 2 min · Rex Coleman

© 2026 Rex Coleman. Content under CC BY 4.0. Code under MIT.