ClawHub Skills Expose AI Agents to Remote Control Backdoors and Data Theft
Malicious skills targeting the ClawHub marketplace for OpenClaw AI agents have led to remote code execution, data theft, and significant financial losses, highlighting the growing security risks in the AI agent ecosystem.
The rapid expansion of AI-powered agents, capable of performing actions, managing files, and executing code, has inadvertently created a new and significant attack surface. Malicious actors have begun exploiting vulnerabilities within the ClawHub marketplace, the official skill repository for the open-source AI agent platform OpenClaw. This has exposed the inherent security risks associated with the burgeoning AI agent ecosystem, where rapid growth has outpaced robust security measures.
Analysts from Tencent's Zhuque Lab identified a substantial threat within ClawHub, scanning nearly 50,000 skills and discovering that the platform's attack surface was already compromised. This aligns with real-world incidents, such as the "ClawHavoc" campaign launched in late January 2026. This campaign involved 1,184 malicious skills deployed through 12 compromised accounts, leading to an estimated 247,000 installations and the theft of approximately $2.3 million in cryptocurrency. While ClawHub has since implemented detection mechanisms, the threat has evolved, becoming more sophisticated and harder to detect.
Skills within the OpenClaw ecosystem operate with extensive permissions, including the ability to read and write files, establish network connections, and execute shell commands. This high level of access, coupled with the platform's rapid scaling, makes it an attractive target for attackers. One particularly alarming discovery was a skill that successfully passed all of ClawHub's official security checks yet contained a functional remote control backdoor. This skill, disguised as a "distributed state recovery tool," used layered encoding techniques (Base64, ROT13, hex) and Python's pickle module for deserialization, enabling arbitrary code execution on victim machines.
Further complicating security is the potential for manipulation within the marketplace itself. A separate attack identified in March 2026 by Silverfort demonstrated how attackers could exploit ranking algorithms. By sending unauthenticated requests to ClawHub's backend, attackers could artificially inflate a skill's download count. This allowed them to promote malicious skills, such as a fake "Outlook Graph Integration" with a hidden data-theft payload, to the top of the rankings, leading to autonomous installations by AI agents that prioritize popular tools.
The security issues extend beyond individual malicious skills. Tencent's analysis revealed that a significant majority of skills (74.6%) declared network request permissions, meaning a large volume of routine network traffic could easily mask malicious activity. The combination of network and file access permissions creates a direct pathway for data exfiltration, with researchers noting references to sensitive private keys and credentials within the analyzed skills.
Compounding these concerns, a study by the SkillProbe team at Shanghai Jiao Tong University found that over 90% of highly downloaded skills failed rigorous security audits. This contradicts the common assumption that popular skills are inherently safer. The sheer volume of skills published by top developers, with some accounts posting hundreds in a short period, suggests the potential for automated generation and distribution of malicious or disguised samples at scale.
To mitigate these risks, Tencent recommends a multi-step review process. Before installation, users should verify the author's publishing history, ensure requested permissions align with the skill's stated purpose, and investigate any unfamiliar domain names mentioned in documentation. After installation, users should audit active skills for excessive permissions and prioritize the removal of high-privilege skills from untrusted sources.
The vulnerabilities exposed in ClawHub highlight a critical need for enhanced security practices within the rapidly evolving AI agent landscape. As these agents become more integrated into daily workflows and gain broader access to sensitive data and systems, the potential for widespread compromise increases dramatically, necessitating continuous vigilance and robust security auditing.