Hugging Face: 575+ poisoned AI skills

AI model hubs and agent marketplaces are starting to look like the next app store security mess — but with a twist. The problem is not just a bad file hiding in a repo. It’s that attackers can package instructions, prompts, and setup steps that get an AI agent or a human operator to do the dirty work for them. That’s the core of the new campaign Acronis described on April 30, 2026: malware delivery through Hugging Face repositories and ClawHub skills, with more than 575 malicious OpenClaw skills tied to 13 publisher accounts. (acronis.com) ### What was actually found? Acronis said the OpenClaw side was the biggest visible cluster — 575+ malicious skills spread across 13 developer accounts. Those skills were dressed up as normal tools, but they pushed payloads including trojans, cryptominers, and AMOS stealer, a macOS-focused infostealer. Hugging (acronis.com)timate AI artifacts. (acronis.com) ### Why are “skills” such a good hiding place? Because a skill is not always a neat little executable. In these agent ecosystems, a skill can be mostly documentation — a `SKILL.md` file, setup instructions, shell commands, links, and workflow steps. That means the harmful part may not be a binary sitting in the(acronis.com)e malware is often the workflow itself. (socket.dev) ### How did the attack work? The recurring tricks were simple and nasty. Some skills told users to paste base64-encoded commands into a terminal. Others pulled password-protected archives, fetched binaries from external hosts, or installed hidden dependencies outside the marketplace itself. Acronis also said attackers used obfuscation, e(socket.dev)ction harder after the first step. (acronis.com) ### Where does Hugging Face fit in? Hugging Face was not described as the skill marketplace here — ClawHub was. But Hugging Face mattered because attackers used repositories there to host payloads and support multistep infection chains. That makes sense mechanically. If a repo looks like a normal open model or dataset project, it inherits some of the trust people already place in open AI infrastructure. (acronis.com) ### Doesn’t Hugging Face scan for malware? It does scan repository files on each commit and warns when a file is flagged unsafe. But that control is aimed at malicious files, not every social-engineering path wrapped around them. The catch is that a skill can stay “light” on obviously malicious code while still(acronis.com)workflows — is exactly why this story matters. (huggingface.co) ### Why is this different from normal supply-chain attacks? Traditional package attacks usually aim for one direct compromise path — install the thing, run the thing, get popped. Agent ecosystems are looser. They blur the line between code, instructions, and delegated action. Acronis said that can extend the blast radius because the agent may execute tasks on a use(huggingface.co)acker. Basically, the social engineering gets embedded into the product format itself. (acronis.com) ### What should developers take from this? Treat community AI artifacts more like untrusted software than like harmless content. Verify who published the repo or skill. Be suspicious of terminal paste steps, external downloads, password-protected archives, and any install flow that jumps outside the platform. S(acronis.com)e instructions, not just the file. (acronis.com) ### Bottom line This is really a warning about where AI tooling is headed. Once models, datasets, and agent skills become normal building blocks, attackers stop hiding only in code and start hiding in behavior. That’s a harder problem — and it’s arriving fast. (acronis.com)