Executive Summary
In June 2026, Trail of Bits published an analysis revealing significant vulnerabilities in public AI skill marketplaces, where malicious skills were found to steal credentials, exfiltrate data, and hijack agents. The study demonstrated that existing skill scanners, including those from ClawHub, Cisco, and skills.sh, were ineffective in detecting these threats. The researchers successfully bypassed these scanners using straightforward techniques, highlighting the inadequacy of current defenses against supply chain attacks in AI ecosystems.
This incident underscores the urgent need for robust security measures in AI skill distribution channels. As AI agents become integral to various workflows, the proliferation of unvetted skills poses a substantial risk. Organizations must implement stringent governance frameworks, including version control, digital signing, zero-trust access, and centralized repositories, to mitigate these emerging threats.
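The governance measures named above (digital signing, version control and a central vetted repository) only help if they are enforced at the point where an agent installs a skill. The following Go program is an added example written for this page, not code from Trail of Bits, ClawHub or any skill marketplace; the manifest fields, the allowlist shape and the canonical signing string are assumptions. It checks a fetched skill package against the publisher's Ed25519 key and an organization-maintained pin of the approved version and bundle digest, so a bundle modified after signing, a re-tagged version, or a skill that was never vetted is refused before it runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SkillManifest describes one published skill version. The field set is an
// assumption for this example; the page does not define a manifest format.
type SkillManifest struct {
	Name      string
	Version   string
	Publisher string
	SHA256    string // hex digest of the skill bundle bytes
}

// SkillPackage is what an installer fetches from a marketplace: the manifest,
// the bundle itself, and the publisher's signature over the manifest.
type SkillPackage struct {
	Manifest  SkillManifest
	Bundle    []byte
	Signature []byte
}

// Pin records what the organization's central, vetted repository approved.
type Pin struct {
	Version string
	SHA256  string
}

var (
	ErrNotPinned       = errors.New("skill is not in the approved allowlist")
	ErrVersionMismatch = errors.New("skill version differs from the pinned version")
	ErrDigestMismatch  = errors.New("bundle digest differs from the manifest")
	ErrPinMismatch     = errors.New("manifest digest differs from the pinned digest")
	ErrBadSignature    = errors.New("publisher signature does not verify")
)

// canonical returns the bytes the publisher signs. Because the manifest carries
// the bundle digest, one signature binds name, version and content together:
// swapping the bundle or re-tagging the version invalidates it.
func canonical(m SkillManifest) []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.Publisher + "\n" + m.SHA256 + "\n")
}

// SignManifest is the release-time step performed by a trusted publisher.
func SignManifest(priv ed25519.PrivateKey, m SkillManifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifySkill runs the install-time checks in order: allowlisted, pinned
// version, bundle matches manifest, manifest matches pin, signature valid.
func VerifySkill(pub ed25519.PublicKey, pkg SkillPackage, pins map[string]Pin) error {
	pin, ok := pins[pkg.Manifest.Name]
	if !ok {
		return ErrNotPinned
	}
	if pkg.Manifest.Version != pin.Version {
		return ErrVersionMismatch
	}
	sum := sha256.Sum256(pkg.Bundle)
	got := hex.EncodeToString(sum[:])
	if got != pkg.Manifest.SHA256 {
		return ErrDigestMismatch
	}
	if got != pin.SHA256 {
		return ErrPinMismatch
	}
	if !ed25519.Verify(pub, canonical(pkg.Manifest), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: a publisher key pair, a tiny bundle, and its pin.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bundle := []byte("# constructed sample skill\nprint('hello')\n")
	sum := sha256.Sum256(bundle)
	m := SkillManifest{Name: "example-skill", Version: "1.2.0", Publisher: "trusted-publisher", SHA256: hex.EncodeToString(sum[:])}
	pkg := SkillPackage{Manifest: m, Bundle: bundle, Signature: SignManifest(priv, m)}
	pins := map[string]Pin{"example-skill": {Version: "1.2.0", SHA256: m.SHA256}}
	fmt.Println("genuine package:", VerifySkill(pub, pkg, pins))

	// Same manifest and signature, but the bundle was altered after signing.
	tampered := pkg
	tampered.Bundle = append(append([]byte{}, bundle...), []byte("# line appended after signing\n")...)
	fmt.Println("tampered package:", VerifySkill(pub, tampered, pins))
}
```

The pin check is what makes the central repository meaningful: even a correctly signed package from a legitimate publisher is refused until the organization has approved that exact version and digest, which is the control a marketplace scanner bypass does not defeat.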
Why This Matters Now
The rapid adoption of AI agents in enterprise environments has led to an explosion of third-party skills, many of which are distributed through public marketplaces without adequate security vetting. This creates a significant supply chain risk, as malicious skills can compromise entire systems. Immediate action is required to establish comprehensive governance and security protocols to protect against these evolving threats.
Attack Path Analysis
Attackers introduced malicious skills into public marketplaces, leading to the compromise of agent systems. They escalated privileges by exploiting vulnerabilities in skill scanners, allowing deeper access. Lateral movement occurred as attackers spread across interconnected systems via compromised agents. Command and control were established through covert channels embedded in the malicious skills. Data exfiltration was achieved by instructing agents to send sensitive information to attacker-controlled servers. The impact included unauthorized access to sensitive data and potential disruption of services.
Kill Chain Progression
Initial Compromise
Description
Attackers introduced malicious skills into public marketplaces, leading to the compromise of agent systems.
MITRE ATT&CK® Techniques
- Compromise Software Dependencies and Development Tools (T1195.001)
- Compromise Software Supply Chain (T1195.002)
- System Binary Proxy Execution (T1218)
- Compiled HTML File (T1218.001)
- Control Panel (T1218.002)
- CMSTP (T1218.003)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities (Control ID: 6.2)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Implement supply chain risk management practices (Control ID: Supply Chain Risk Management)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI agent skills supply chain attacks expose development environments to credential theft, data exfiltration, and malicious code injection through compromised skill marketplaces and scanners.
Information Technology/IT
Enterprise IT infrastructure is vulnerable to east-west traffic compromise and privilege escalation when malicious AI skills bypass zero trust segmentation and detection controls.
Financial Services
Banking systems face regulatory compliance violations and data exfiltration risks from AI agent skills compromising PCI DSS controls and encrypted traffic monitoring capabilities.
Health Care / Life Sciences
Healthcare organizations risk HIPAA violations and patient data exposure through AI skills that exploit egress security gaps and weaknesses in multicloud visibility and control.
Sources
- The sorry state of skill distribution: https://blog.trailofbits.com/2026/06/03/the-sorry-state-of-skill-distribution/
- Malicious OpenClaw ‘skill’ targets crypto users on ClawHub: https://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhub
- Malicious ClawHub Skills: https://www.broadcom.com/support/security-center/protection-bulletin/malicious-clawhub-skills
- 824 Malicious Skills Found on ClawHub. Here's What They Stole.: https://www.clawctl.com/blog/openclaw-clawhub-malicious-skills-2026
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, likely reducing the attacker's ability to move laterally and exfiltrate data.
- Control: Cloud Native Security Fabric (CNSF). Mitigation: The CNSF would likely limit the attacker's ability to exploit compromised agents by enforcing strict workload isolation.
- Control: Zero Trust Segmentation. Mitigation: Zero Trust Segmentation would likely restrict the attacker's ability to escalate privileges by enforcing strict access controls.
- Control: East-West Traffic Security. Mitigation: East-West Traffic Security would likely constrain the attacker's lateral movement by monitoring and controlling internal traffic.
- Control: Multicloud Visibility & Control. Mitigation: Multicloud Visibility & Control would likely detect and limit covert command and control channels by providing comprehensive monitoring.
- Control: Egress Security & Policy Enforcement. Mitigation: Egress Security & Policy Enforcement would likely restrict unauthorized data exfiltration by controlling outbound traffic.
The overall impact would likely be reduced due to constrained attacker movement and limited data access.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Security
- Data Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials, API keys, and personal data due to malicious skills installed from ClawHub.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict agent communication and limit lateral movement.
- Enhance Threat Detection & Anomaly Response to identify and respond to malicious skill activities.
- Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Utilize Multicloud Visibility & Control to monitor and manage agent interactions across platforms.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns within skill traffic.