Executive Summary
In June 2026, security researchers identified five malicious skills on ClawHub, OpenClaw's dedicated marketplace, that could steal credentials, bypass security scans, and perform other malicious activities for financial gain. These skills, appearing legitimate, demonstrated that such platforms are emerging as significant AI supply chain attack surfaces. ClawHub sells these skills to add functionality to the open-source AI agent, which has seen rapid adoption among developers and businesses since its launch last November. The malicious skills included infostealers targeting macOS, evasion techniques using inflated file sizes to bypass detection, and agentic threats like affiliate injection and front-running, all posing significant risks to organizations using OpenClaw. (darkreading.com)
This incident underscores the growing threat of supply chain attacks within AI ecosystems, highlighting the need for rigorous verification frameworks and continuous monitoring of third-party extensions to prevent unauthorized access and data exfiltration.
Why This Matters Now
The discovery of these malicious skills on ClawHub highlights the urgent need for enhanced security measures in AI agent marketplaces to prevent supply chain attacks that can compromise sensitive data and system integrity.
Attack Path Analysis
Attackers uploaded malicious skills to ClawHub, leading to the installation of these skills by users. These skills executed unauthorized commands to escalate privileges, enabling access to sensitive data. The attackers then moved laterally within the system to access additional resources. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated to external servers. Finally, the attackers caused significant operational disruption by manipulating agent behavior.
Kill Chain Progression
Initial Compromise
Description
Attackers uploaded malicious skills to ClawHub, which users installed, leading to the execution of unauthorized code.
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Application Layer Protocol: Web Protocols
Obfuscated Files or Information
Phishing: Spearphishing Attachment
Command and Scripting Interpreter: PowerShell
System Information Discovery
OS Credential Dumping: LSASS Memory
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
OpenClaw AI supply chain attacks targeting developer environments through malicious skills bypass security scans, enabling credential theft and unauthorized system access.
Information Technology/IT
IT infrastructure faces elevated risks from agentic AI threats exploiting ClawHub marketplace vulnerabilities, compromising enterprise security through skill-based attack vectors.
Financial Services
Financial manipulation schemes through AI agent affiliate injection and pump-dump attacks threaten trading systems, requiring enhanced egress security and anomaly detection.
Computer/Network Security
Security vendors must address novel AI supply chain threats as traditional detection methods fail against sophisticated skill-based evasion techniques and agentic attacks.
Sources
- More Malicious OpenClaw Skills Threaten AI Supply Chainhttps://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chainVerified
- ClawHavoc: The OpenClaw Supply Chain Attack and Malicious Skillshttps://openclawconsult.com/lab/openclaw-clawhavoc-supply-chainVerified
- Malicious OpenClaw ‘skill’ targets crypto users on ClawHubhttps://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhubVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit the execution of unauthorized code by enforcing strict identity-based access controls, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely constrain unauthorized privilege escalation by enforcing least-privilege access, reducing the attacker's ability to access sensitive data.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit lateral movement by inspecting and controlling workload-to-workload communications, reducing the attacker's ability to access additional resources.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely constrain command and control activities by providing centralized monitoring and control over network traffic, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit data exfiltration by enforcing strict outbound traffic policies, reducing the attacker's ability to transmit sensitive data externally.
While CNSF controls would likely limit the attacker's ability to manipulate agent behavior, some operational disruption may still occur due to initial compromise.
Impact at a Glance
Affected Business Functions
- AI Agent Operations
- Software Development
- Data Security
- Supply Chain Management
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive data including credentials, API keys, and local files due to malicious skills.
Recommended Actions
Key Takeaways & Next Steps
- • Implement rigorous supply chain verification frameworks to validate the integrity of skills before deployment.
- • Enforce zero trust segmentation to limit the access and permissions of installed skills.
- • Utilize egress security and policy enforcement to monitor and control outbound traffic from agents.
- • Deploy threat detection and anomaly response systems to identify and respond to unauthorized activities.
- • Regularly audit and monitor agent behavior to detect and mitigate potential security threats.
