Security researchers have discovered five malicious third-party skills within the OpenClaw marketplace, ClawHub, revealing significant weaknesses in the AI agent supply chain. The findings, published by Palo Alto Networks Unit 42, show that these seemingly legitimate add-ons were capable of stealing credentials, evading detection systems, and executing unauthorized actions on user systems.
The skills were distributed through ClawHub, the marketplace for OpenClaw extensions, which allows developers to install modular “skills” that can access local files, APIs, credentials, and other sensitive resources. Researchers categorized the malicious skills into three main threat types: infostealers that exfiltrate data to command-and-control servers, evasion tools designed to bypass security scanners by manipulating file size or structure, and agentic threats that manipulate AI behavior for financial gain.
Two of the skills were designed specifically to harvest sensitive information from macOS systems, while others used techniques such as oversized payloads and hidden instructions embedded in markdown files to slip past automated defenses like ClawScan and VirusTotal. More advanced examples included “agentic” manipulation tools that could reroute financial recommendations through affiliate links or even orchestrate crypto token pump-and-dump schemes via autonomous agent behavior.
Although ClawHub has since removed the malicious packages and banned associated accounts, researchers warn the incident underscores a growing AI supply chain problem. Because OpenClaw skills operate with broad system-level permissions and are written in plain-language instructions interpreted by AI agents, traditional static analysis and scanning tools struggle to reliably detect malicious intent before execution.
