ClawHub Skills Expose AI Agents to Remote Control Backdoors and Data Theft Attacks
6 min. read 
Published on
Security researchers have warned that malicious ClawHub skills can turn AI agents into a path for remote control, credential theft and data exfiltration. A new Tencent Zhuque Lab report says the risk remains active even after earlier cleanups and added marketplace checks.
The issue matters because AI agents no longer just respond to prompts. They can use tools, read files, connect to the internet and run commands. When a third-party skill receives those capabilities, a malicious or poorly reviewed skill can act much like a supply-chain implant.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
ClawHub is the public skill registry for OpenClaw, where developers can publish, version and search text-based agent skills. The official ClawHub repository describes it as a registry for SKILL.md files and supporting content, with CLI-friendly APIs, moderation hooks and vector search.
Why ClawHub Became a High-Value Target
Tencent said ClawHub grew from fewer than 2,000 skills in January 2026 to about 50,000 by April. That pace created a large software marketplace around agents before mature review, permission and trust systems could fully catch up.
The January ClawHavoc campaign showed how quickly attackers could abuse that trust. Tencent reported 1,184 malicious skills, 12 compromised publisher accounts, 247,000-plus confirmed installations and $2.3 million in stolen cryptocurrency.
Attackers used names that looked familiar to users, including tools that imitated popular assistants, video utilities and crypto-related skills. The payloads included credential-stealing behavior and Atomic Stealer, also known as AMOS, which targets sensitive data on macOS systems.
| Risk area | What researchers found | Why it matters |
|---|---|---|
| Remote control | A skill fetched an encoded payload from a command server | Attackers could run code after installation |
| Data theft | File access and network permissions often appeared together | Private keys, tokens and credentials can move out of the device |
| Ranking abuse | A download counter flaw could push a skill to the top | Users and agents may trust popular-looking skills |
| Batch publishing | Some accounts published hundreds of skills in short periods | Attackers can hide harmful skills inside high-volume output |
A Backdoor Passed Official Checks
One of Tencent’s strongest findings involved a skill that looked like a normal distributed state recovery tool. Its documentation appeared professional, and its requested permissions looked reasonable for the stated purpose.
Behind that surface, the skill fetched a remote payload and decoded it through several layers, including Base64, ROT13 and hex. It then used Python pickle deserialization, a dangerous pattern that can allow arbitrary code execution when attacker-controlled data gets processed.
Tencent said its AI-Infra-Guard scanner flagged the sample as high risk because it analyzed the full behavior chain, not just isolated keywords. Remote fetching, chained encoding and unsafe deserialization looked more dangerous together than they did as separate pieces.
Ranking Manipulation Made Trust Signals Unsafe
ClawHub also faced a separate ranking issue. Silverfort researchers found that a backend flaw allowed an attacker to inflate a skill’s download count without proper authentication, rate limits or deduplication.
Silverfort built a proof-of-concept skill called Outlook Graph Integration. It looked like a tool for email and calendar work, but it contained a hidden data-exfiltration payload disguised as telemetry.
The researchers said their proof of concept reached the top download position in its category and recorded 3,900 executions within six days. The flaw was responsibly disclosed to the ClawHub team on March 16, 2026, and Silverfort said it has since been mitigated.
- Download counts can influence user trust.
- Autonomous agents may also prefer highly ranked skills.
- A malicious skill does not need to look suspicious if the marketplace makes it look popular.
- Security teams should treat marketplace ranking as a weak signal, not proof of safety.
The Problem Is Bigger Than One Marketplace
The security model for AI skills differs from normal browser extensions or simple plugins. Skills can mix natural-language instructions, metadata, scripts and permissions, which makes them harder for traditional scanners to understand.
The official OWASP Agentic Skills Top 10 frames agent skills as the execution layer that gives agents real-world impact. It warns about malicious skills, supply-chain compromise, over-privileged access, unsafe deserialization and weak isolation.
Academic work has reached similar conclusions. The SkillSieve paper analyzed 49,592 ClawHub skills and argued that regex scanners and formal static analyzers miss important threats because malicious behavior can hide inside both code and SKILL.md instructions.
| Signal to review | What to check |
|---|---|
| Publisher history | Look for new accounts, bulk uploads and copycat naming patterns |
| Permissions | Check whether file, shell and network access match the skill’s purpose |
| External domains | Search SKILL.md and scripts for unfamiliar domains, webhooks and paste services |
| Code execution | Review shell commands, Python deserialization, encoded payloads and installers |
| Update behavior | Pin trusted versions where possible and avoid silent auto-updates |
How Developers and Companies Should Respond
The official OpenClaw ClawHub project supports moderation and curation features, but organizations should not rely on registry controls alone. Skills can execute inside sensitive local environments, so installation needs the same review discipline used for software packages and IDE extensions.
Before installing a skill, users should check the author, permissions, domain references and installation steps. After installation, they should review active skills regularly and remove high-privilege tools from unknown or unofficial publishers.
Tools such as AIG can help automate part of this review, but no single scanner can catch every agent-skill threat. The SkillSieve research also supports a layered approach that combines metadata checks, code analysis and deeper review for suspicious skills.
The safest path is to treat agent skills as executable supply-chain components. The OWASP AST10 project recommends verified publishers, scanning before installation, permission review and version pinning, which match the risks now playing out across ClawHub.
Silverfort’s ClawHub vulnerability research also shows why marketplaces need stronger backend controls. Popularity metrics, weak permission boundaries and autonomous installation flows can combine into a serious attack chain if attackers find a way to manipulate trust.
FAQ
ClawHub is the public marketplace and registry for OpenClaw skills. It lets developers publish, search, install and update skills that extend what OpenClaw AI agents can do.
Malicious ClawHub skills are dangerous because AI agents can give them access to files, network connections and command execution. A harmful skill can use those permissions to steal data, fetch remote payloads or run attacker-controlled code.
Tencent Zhuque Lab scanned nearly 50,000 ClawHub skills and found ongoing risk signals, including covert backdoor techniques, widespread network permissions, risky permission combinations and large-scale publishing patterns.
Silverfort found that a ClawHub backend flaw could let an attacker inflate a skill’s download count and push it higher in marketplace rankings. Silverfort disclosed the issue, and said it has since been mitigated.
Users should review the publisher, permissions, external domains and installation commands before adding a skill. They should also remove unused skills, avoid high-privilege tools from unknown authors and use security scanners where available.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages