Malicious skills targeting the ClawHub marketplace have exposed a dangerous new frontier in cybersecurity: the AI agent ecosystem. Researchers at Tencent’s Zhuque Lab, who scanned nearly 50,000 skills on the platform, found that attackers have already embedded working remote control backdoors, credential stealers, and data exfiltration tools inside skills that passed official security reviews. The findings reveal systemic risks that have already cost users millions of dollars — and the threat is evolving faster than defenses can keep up.
What Is ClawHub?
ClawHub is the official skill marketplace for OpenClaw, described as the fastest-growing open-source AI agent platform of 2026. The platform went from fewer than 2,000 skills in January 2026 to over 50,000 by April — a jump of more than 25x in under 90 days. Skills installed from ClawHub run with full permissions inside a user’s environment, able to read and write files, open network connections, and execute shell commands after a single click of “Install.” That level of trust, combined with explosive growth and minimal vetting, created the conditions for large-scale abuse.
The ClawHavoc Campaign: $2.3 Million Stolen
The most damaging attack documented by researchers was the ClawHavoc campaign in late January 2026. Attackers flooded ClawHub with 1,184 malicious skills using 12 compromised developer accounts, impersonating popular tools with names like “Google Assistant Pro” and “YouTube Summarize Pro.” By the time the campaign was contained, there were 247,000 confirmed installations and $2.3 million in stolen cryptocurrency.
The malicious skills contained embedded shell scripts that deployed Atomic Stealer (AMOS), a credential and data theft trojan targeting browsers, crypto wallets, and SSH keys. ClawHub added detection mechanisms after the campaign was exposed, but researchers found that the threat simply evolved into something harder to catch — abandoning obvious malware drops in favor of more sophisticated multi-stage attack chains.
The Hidden Backdoor That Passed All Security Checks
One of the most alarming discoveries in the Tencent scan was a skill that passed all of ClawHub’s official security checks while hiding a working remote control backdoor. The skill presented itself as a “distributed state recovery tool,” complete with professional documentation and reasonable permission requests.
Once executed, it connected to a remote command-and-control server and retrieved an encoded payload layered in Base64, ROT13, and hex formats. The skill decoded these step by step, then processed the output using Python’s pickle module — allowing arbitrary code to run on the victim’s machine. Tencent’s AIG analysis platform flagged it as high-risk by identifying that remote fetching, chained encoding, and deserialization together formed a complete remote code execution chain — but automated security scanners had missed the threat entirely.
Ranking Manipulation: AI Agents Installing Malware Autonomously
A separate attack from March 2026 exploited a fundamental vulnerability in how AI agents select tools. Researchers at Silverfort found that anyone could send an unauthenticated request to ClawHub’s backend to artificially inflate a skill’s download count. They pushed a fake skill disguised as “Outlook Graph Integration” — embedded with a data-theft payload — to the top of the rankings by manipulating download statistics.
The critical consequence: because AI agents prioritize high-download skills when selecting tools autonomously (without human confirmation), the malicious skill began installing itself on user systems without any user interaction. This represents a qualitatively new attack vector — not phishing a human, but poisoning the decision-making inputs of an autonomous AI agent.
Systemic Risk Across the Ecosystem
The Tencent scan of nearly 50,000 skills revealed risks that stretch well beyond individual malicious packages:
- 74.6% of skills declared network request permissions, meaning three out of every four will connect to the internet during normal use — making malicious traffic trivially concealable within routine connections.
- File access combined with network permissions creates a direct path for data theft, with hundreds of skill files referencing private keys and credentials.
- Over 90% of highly downloaded skills failed rigorous security audits, according to research by Shanghai Jiao Tong University’s SkillProbe team — contradicting the assumption that popular skills are safer to install.
- One developer account posted 955 skills in three months, consistent with automated batch generation at scale — making it trivial to flood the marketplace with malicious packages disguised among legitimate tools.
How to Protect Yourself
Tencent recommends a structured review process for anyone using AI agent platforms with third-party skill marketplaces:
- Before installing: check the author’s publishing history, confirm permissions match the stated purpose, and investigate unfamiliar domain names referenced in documentation.
- After installation: audit active skills for excessive permissions — particularly combinations of file access and network permissions — and prioritize removing high-privilege skills from unknown or unofficial sources.
- For organizations: treat AI agent skill installation with the same security scrutiny applied to software supply chain dependencies. Require internal review before deploying any third-party skill in a production environment with access to sensitive data or systems.
The ClawHub findings represent a warning for the entire AI agent ecosystem. As these platforms scale — and as AI agents gain broader autonomy to install and invoke tools without human confirmation — the attack surface for supply chain compromise grows exponentially. Security teams that dismiss these risks as niche or experimental are likely to be caught unprepared as the attack patterns mature and proliferate across competing platforms.