AI Agent Marketplace Hit by Malicious Code
A malicious skill was discovered in the OpenClaw Skill Marketplace, a hub for AI agent tools. Disguised as a research tool, the skill contained obfuscated code for arbitrary command execution and data exfiltration. The incident highlights the growing security risks in burgeoning AI agent and plugin ecosystems.
A recent audit of ClawHub, the third-party skill repository for the OpenClaw AI agent, uncovered a large-scale malware distribution operation. Security researchers from Koi Security identified 341 malicious skills out of 2,857 analyzed, with 335 of them attributed to a single coordinated campaign dubbed "ClawHavoc". The attack targeted both macOS and Windows systems, with a particular focus on always-on machines like Mac minis often used for hosting AI agents. The malicious skills impersonated popular tools for cryptocurrency trading, YouTube utilities, and Google Workspace integrations to lure users. Many employed typosquatting, using names very similar to legitimate packages. The attack relied on social engineering, with the skill's documentation instructing users to execute commands that downloaded and ran malware from external sources. On macOS, a base64-encoded script would fetch a second-stage payload, identified as the Atomic macOS Stealer (AMOS). This commodity infostealer, sold as a service, is designed to harvest credentials, browser passwords, and cryptocurrency wallet keys. The Windows payload was similarly delivered via a password-protected archive to evade automated antivirus scans. This incident is part of a growing trend of AI supply chain attacks, where threat actors target the ecosystems that provide tools and extensions for AI platforms. The very nature of AI skills, which blend executable logic with data, creates an ambiguous environment that is difficult for traditional security tools to defend against injection attacks. This ambiguity can turn the AI agent into a "confused deputy," using its own privileges to execute malicious commands on behalf of an attacker. The OpenClaw platform itself has recently patched several other high-severity vulnerabilities. These include "ClawJacked," a flaw allowing a malicious website to hijack a local AI agent via WebSocket connections, and a log poisoning vulnerability that could lead to indirect prompt injections. For developers, this underscores the necessity of treating AI marketplaces as untrusted sources and implementing a "defense-in-depth" architecture. Security best practices include applying least-privilege principles to skills, validating against adversarial scenarios, sandboxing execution environments, and implementing comprehensive monitoring and logging for all agent activities.
