- Trending
- Comments
- Latest
Security researchers have identified more than 400 malicious automation tools on ClawHub, an open marketplace for AI agent skills, designed to steal user credentials and crypto wallet data in what cybersecurity firms are calling a significant supply-chain attack targeting the AI tooling ecosystem.
The malware-laden tools, disguised as legitimate productivity and analytics skills, exploited ClawHub’s lack of formal security review processes to distribute credential-harvesting malware including Atomic Stealer, according to findings published this week by blockchain security firm SlowMist and earlier research from KOI Security.
“When automation tools gain this level of trust, attackers no longer need phishing emails,” a SlowMist researcher said in a published analysis. “They simply wait for users to install what looks like a useful skill.”
ClawHub operates as an open marketplace where developers can publish reusable AI agent skills for OpenClaw agents, allowing users to quickly extend automation workflows. While this model accelerates innovation, security experts say it also creates ideal conditions for supply-chain attacks.
SlowMist’s findings build on earlier research from KOI Security, which first raised alarms after identifying 341 malicious tools among roughly 2,857 skills available at the time. A deeper follow-up analysis by SlowMist pushed the total number of suspicious AI agent skills as high as 472, although researchers caution the figure may fluctuate as new tools are uploaded or removed.
“These attacks are not random,” said KOI Security researcher Oren Yomtov. “They are structured, deliberate, and tailored to specific user behaviors.”
One of the most concerning aspects of the campaign is how carefully the malicious tools are disguised. According to researchers, compromised AI agent skills often include professional documentation, clean interfaces, and convincing use cases.
“You install what looks like a legitimate skill—maybe a wallet tracker or a productivity enhancer,” Yomtov explained. “The documentation looks normal, but then there’s a ‘Prerequisites’ section that asks you to install something externally. That’s where the compromise happens.”
On macOS systems, researchers found that several AI agent skills were being used to distribute Atomic Stealer malware, a known credential-harvesting tool capable of extracting browser data, saved passwords, and crypto wallet information. On Windows, users were prompted to download files from GitHub repositories that executed additional payloads, including keyloggers.
Once installed, the malware can silently transmit credentials to attacker-controlled servers, potentially giving threat actors access to email accounts, developer credentials, and digital asset wallets.
The findings underscore the security risks facing AI agents, which remain a relatively new technology. As Cryptopolitan previously reported, OpenClaw agents are still in early development stages and have already shown unpredictable behaviors under real-world conditions.
The rapid adoption of AI agent skills compounds the issue. As developers rush to automate workflows, many users skip code audits or blindly follow installation instructions, inadvertently exposing themselves to compromise.
“AI agents are becoming trusted intermediaries,” SlowMist noted. “Once that trust is abused, the impact can scale very quickly.”
Unlike traditional app stores, ClawHub currently lacks a formal, centralized review process for vetting AI agent skills before publication. Security researchers say this absence of gatekeeping allows malicious tools to spread widely before detection.
SlowMist believes the recent discovery may represent only the early stages of a broader problem. The firm confirmed it is continuing to monitor ClawHub as an emerging supply-chain threat vector, warning that attackers are likely to iterate on their techniques.
“There’s no indication this was a one-off incident,” the firm said. “As long as review mechanisms remain limited, the platform will continue to attract abuse.”
In a further troubling development, SlowMist identified a recurring IP address associated with several malicious campaigns. The address—91.92.242.30—has historical links to the Poseidon hacker group, which is known for extortion, credential theft, and data breaches.
While researchers stopped short of directly attributing the attacks to Poseidon, they noted that infrastructure reuse is a common tactic among organized cybercriminal groups.
“This level of coordination suggests experienced operators,” a SlowMist analyst said.
Despite the severity of the findings, researchers say there are currently no confirmed reports of direct crypto theft resulting from ClawHub’s compromised AI agent skills. However, SlowMist warned that credential theft often precedes financial exploitation, meaning the damage may only become visible later.
Previously, public repositories linked to AI tooling have already been caught hosting malicious prompts aimed at stealing crypto credentials, indicating that attackers are actively probing the ecosystem.
To mitigate future risk, SlowMist announced plans to issue real-time alerts through its MistEye monitoring service whenever new malicious AI agent skills are detected.
Security experts are urging users to adopt a defensive posture when installing new AI agent skills. Recommended precautions include avoiding tools that require external downloads, carefully reviewing setup instructions, and refusing to run commands that request system-level permissions or passwords.
“A simple rule applies,” said Yomtov. “If a skill asks you to paste commands you don’t understand, don’t run it.”
Until stronger safeguards are implemented, researchers advise waiting for verified releases and avoiding installations from unknown developers.
As AI agents become more embedded in daily workflows, the ClawHub incident serves as a stark reminder: innovation without security can quickly turn powerful tools into dangerous attack surfaces.
