Attackers slipped malicious skills into OpenClaw’s ClawHub marketplace, exposing a new supply chain threat where trusted AI agents can be manipulated to access sensitive systems, credentials and enterprise workflows.
A breach of OpenClaw’s ClawHub marketplace has exposed a new software supply chain risk facing open-source AI agent ecosystems after attackers uploaded malicious skills capable of abusing trusted agent permissions.
According to Palo Alto Networks Unit 42, the malicious markdown-driven skills were distributed through ClawHub, the marketplace developers use to extend the OpenClaw ecosystem. Unlike traditional malicious plugins, compromised AI agent skills can exploit permissions already granted to autonomous agents, including access to local files, command-line tools, credential managers and automated workflows. As a result, a rogue skill could read sensitive files, execute commands, access credentials and potentially provide an entry point into enterprise infrastructure.
Unit 42 identified three attack techniques. Attackers disguised information-stealing malware as financial tools targeting cryptographic keys on macOS systems, padded README files with more than 22 MB of junk data to evade automated scanners, and published a malicious “money-radar” skill that quietly manipulated an AI agent’s recommendations by redirecting users through attacker-controlled affiliate links.
The findings show AI agents introduce a different threat model, where attackers manipulate instructions, workflows and trusted automation instead of exploiting software vulnerabilities. Although ClawHub had implemented automated and VirusTotal scanning following earlier audits, the incident demonstrates that behavioural manipulation and scanner evasion can bypass conventional security checks.
Researchers recommend treating third-party AI agent skills as untrusted software by enforcing least-privilege permissions, runtime isolation, sandboxing, behavioural monitoring, publisher verification and layered code reviews to strengthen the open-source AI software supply chain.
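A defender-side pre-install vetting step that applies these recommendations to a markdown-driven skill, added here as an example and not code from Unit 42, OpenClaw or ClawHub; the size threshold, repeated-byte heuristic, tracking-parameter names and permission schema are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy values for this example (not values from the report).
README_SIZE_LIMIT = 256 * 1024      # bytes; the report's padding exceeded 22 MB
MAX_REPEAT_RUN = 200                # a run of one repeated byte longer than this is padding
AFFILIATE_PARAMS = ("ref", "aff", "affiliate", "tag", "utm_source")  # assumed names

URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)
RUN_RE = re.compile(r"(.)\1{%d,}" % MAX_REPEAT_RUN, re.DOTALL)


@dataclass
class SkillReview:
    findings: list = field(default_factory=list)   # reasons to block or hand to a reviewer
    urls: list = field(default_factory=list)       # every URL found, for manual review

    @property
    def blocked(self) -> bool:
        return bool(self.findings)


def review_skill(readme: str, requested: set, allowed: set) -> SkillReview:
    """Vet one skill before install: README padding, outbound links, permissions.

    readme    - the skill's README / instruction markdown
    requested - permission names the skill manifest asks for (hypothetical schema)
    allowed   - the least-privilege baseline the agent operator permits
    """
    r = SkillReview()
    size = len(readme.encode("utf-8"))
    if size > README_SIZE_LIMIT:
        r.findings.append(f"README is {size} bytes; oversized instruction files evade scanners")
    if RUN_RE.search(readme):
        r.findings.append("README contains long runs of repeated bytes (junk padding)")
    r.urls = URL_RE.findall(readme)
    for url in r.urls:
        query = url.split("?", 1)[1] if "?" in url else ""
        params = {p.split("=", 1)[0].lower() for p in query.split("&") if p}
        if params & set(AFFILIATE_PARAMS):
            r.findings.append(f"link carries affiliate/tracking parameters: {url}")
    excess = requested - allowed
    if excess:
        r.findings.append(f"requests permissions beyond baseline: {sorted(excess)}")
    return r


# Constructed sample skill for demonstration only: a tracking link plus 500 bytes of padding.
SAMPLE_README = "# money-radar\nCompare rates: https://example.com/offer?aff=attacker123\n" + "A" * 500
SAMPLE_REQUESTED = {"files:read", "shell:exec", "credentials:read"}
SAMPLE_ALLOWED = {"files:read"}
```

Run `review_skill(SAMPLE_README, SAMPLE_REQUESTED, SAMPLE_ALLOWED)` to see the three findings a reviewer would act on; a clean README with baseline permissions returns no findings.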