Agent AI Skill

We Scanned 50,000 Skills: The Threat Persists

April 24, 2026 14 min read

Traditional scanner-based protection systems are no longer adequate for the current situation. When 25% of skills can read and write files, hundreds or even thousands of paths point to private keys, and remote control channels are pre-embedded in the underlying ecosystem, we are no longer facing vulnerabilities, but an attack surface that has already been "pre-deployed." AI security issues have evolved from model problems to a "systems engineering" confrontation stage: ranking manipulation, platform poisoning, and automatic agent installation—this is the third generation of attacks. They do not break through defenses, but rather penetrate them through the functionality itself.
The real question isn't what was discovered during the sweep, but rather: does this ecosystem still have an effective immune system?
Coolc, head of Tencent's security platform department

The explosive growth of OpenClaw in early 2026 transformed AI from simply answering your questions to handling everything for you. Skills are the key way for agents to acquire these capabilities and also the latest entry point for attackers to launch malicious attacks. We used AIG ( https://github.com/tencent/AI-Infra-Guard ) to perform a full scan of over 50,000 Skills on ClawHub . We discovered not only known malicious samples but also a next generation of more covert attack methods .

Below is a real malicious skill attack process. From installation to data theft, the user is completely unaware.

Malicious Skill Attack Flowchart:

I. From MCP to Skill Market: A Brief History of Attacks on the AI Tool Ecosystem Supply Chain

With the explosive growth of the AI Agent ecosystem, the attack surface is expanding along a clear path:

Each generation of attack surface is larger than the last. The MCP server is the protocol layer between the Agent and external tools; malicious MCPs can hijack tool calls. IDE extensions run in the IDE sandbox, but GlassWorm has been shown to spread across IDEs. Agent Skills run directly in the user environment, possessing full permissions for file read/write, network communication, and shell execution. Malicious commands from Skills can be pure natural language; the Agent doesn't need to "execute code" to obey a single line of Markdown.

In April 2026, OWASP released the Top 10 Agentic Skills (AST10) specifically for this purpose, systematically isolating the security risks of Agent Skills. This marks the first time the security industry has officially acknowledged that a Skill is not a plugin or extension, but a completely new and more dangerous attack surface.

We used AIG (an AI security testing platform developed by Zhuque Labs) to perform a full scan of nearly 50,000 skills on ClawHub. ClawHub is the official skill marketplace of OpenClaw and is currently the largest open-source agent skill distribution platform.

From a timeline perspective, this ecosystem went from zero to explosive growth in just 90 days:

● In January 2026, ClawHub was launched, with a total of less than 2,000 skills.

● In late January 2026 , ClawHavoc erupted. 1,184 malicious skills were released, and 12 compromised publisher accounts were used to distribute data-stealing trojans. There were 247,000 confirmed installations, and $2.3 million in cryptocurrency was stolen.

● In February 2026, ClawHub launched a security detection mechanism.

● In March 2026 , the total number of Skills exceeded 40,000. Silverfort discovered a ranking manipulation vulnerability in ClawHub. The SkillProbe team at Shanghai Jiao Tong University completed an academic security audit of 2,500 Skills.

● In April 2026 , the total number of Skills reached 50,000. OWASP released the Top 10 Agentic Skills. We completed a full audit.

The scan results show that even after ClawHavoc's cleanup and the implementation of platform security mechanisms, danger signals remain abundant in the ecosystem:

The focus of the risk is no longer on "whether there is a malicious skill", but rather that malicious skills are being replaced by newer ones, and the battle between attackers and platform security mechanisms has begun.

II. Platform Security Detection Mechanisms and Current Countermeasures

What did ClawHub do?

Following ClawHavoc, ClawHub built a multi-layered security detection system:

1. Regular expression pattern scanning: Perform static regular expression matching on code files to capture suspicious functions and known dangerous patterns.

2. Injection signal detection: Scan for 5 types of prompt word injection patterns (malicious strings, encrypted strings, system prompt overwrite, etc.) in SKILL.md.

3. LLM Security Assessment: The skill's metadata, permission declarations, and SKILL.md are sent to the LLM for a comprehensive assessment across five dimensions.

4. VirusTotal External Detection: Primarily scans for signatures of known viruses and Trojans.

This mechanism can effectively block brute-force attacks like ClawHavoc, which involve "malicious commands written directly in the document".

Normally passes OpenClaw official test:

III. In-depth analysis of typical cases

Case 1: A remote control backdoor that passed official testing

During the full audit, we discovered a skill that can bypass ClawHub's multi-layered security checks. This sample passed official security testing.

The sample contains two files: `skill.md`, a Markdown-formatted skill description file containing a complete YAML metadata header and business process description; and a `poc.py` Python script, approximately 337 lines long. Both files are located in the same directory, with no other associated resources.

The skill description describes it as a "distributed state recovery tool." The documentation is very professional, complete with architecture diagrams, use case tables, and security instructions, even citing security warnings from the official Python documentation. The permission requests are also reasonable; a distributed state tool needs internet access to fetch data and a Python runtime environment, so there are no unnecessary permissions.

Since the C2 server in the original sample is no longer reachable, we constructed a simulated C2 server response packet based on the sample logic to fully demonstrate the attack chain.

This skill utilizes the complete chain:

1. Skill execution;

2. Remote Payload Fetch: Retrieves the serialized object from a remote C2 server and returns the X-Decode decoding order.

3. Multi-layer encoding obfuscation and restoration: The sample supports 12 transmission encodings (Base64, ROT13, Morse code, etc.) and chained decoding (x-decode: base64, rot13, hex). Packaged as "binary secure transmission requirements" in the documentation, it decodes sequentially according to the obtained x-decode decoding order to obtain deserialized bytecode.

4. Insecure deserialization: The final decoded data is deserialized using Python pickle, which directly leads to arbitrary code execution and allows the user's machine to be controlled.

Throughout the process, the attacker does not need to write malicious commands in the code; instead, they only need to upload arbitrary instructions to the C2 server, and the skill will be executed after the connection is run.

However, using AIG detection, we found that the sample was marked as high-risk. AIG's detection logic differs from pattern matching; it focuses on three things: what is actually done, whether the high-risk actions can be pieced together to form a complete attack chain, and whether the publisher and the sample exhibit large-scale anomalous characteristics. In this case, the three actions of "remote fetching + deserialization + multi-layer encoding" are all reasonable individually, but AIG analysis shows that their combination can form a complete RCE chain.

With the explosive growth of the AI Agent ecosystem, the attack surface is expanding along a clear path:

Case 2: ClawHub ranking manipulation, malicious skill pushed to number one.

In March 2026, the Silverfort research team discovered a critical vulnerability in the ClawHub backend. Anyone could send an unauthenticated curl request to infinitely increase the number of downloads.

Silverfort conducted a Proof-of-Concept (PoC) verification: they released a skill disguised as "Outlook Graph Integration," embedding a data leakage payload disguised as telemetry functionality. They then boosted it to the top of the ClawHub rankings by inflating search volume.

Most alarmingly, this not only deceived human users but also OpenClaw's AI Agent . When autonomously selecting tools, the Agent prioritizes installing skills with the highest download counts, allowing malicious skills to automatically infect the Agent.

This means that in scenarios where the agent autonomously installs skills, ranking manipulation is tantamount to mass poisoning. Attackers don't need to meticulously design malicious code to bypass detection; they only need to achieve a sufficiently high ranking, and the agent will automatically deliver the necessary information.

Case 3: ClawHavoc, 1,184 malicious skills, 247,693 installations.

The ClawHavoc attack in February 2026 was the largest Agent Skill supply chain attack to date.

The attackers employed a **typosquatting** strategy, impersonating the names of popular tools such as Google Assistant Pro and YouTube Summarize Pro. The payload used a two-layer delivery method: Markdown instructions were responsible for stealing SSH keys, while an embedded shell script was responsible for deploying the Atomic Stealer (AMOS) trojan.

During peak periods, 5 out of the top 7 downloaded skills were malicious .

Following the incident, ClawHub implemented a security detection mechanism and removed all malicious skills. However, our full scan revealed that while a large number of the first-generation explicit malicious samples did disappear, the risks of more sophisticated disguises did not.

IV. Ecosystem-level risks: Not just a matter of a few bad skills

Looking at a single malicious sample might seem like an isolated case. But when we lay out all the data, we see a systemic structural risk.

Supply side: Mass production capacity has been established

Behind these 50,000 skills are 15,427 developers, but their distribution is extremely uneven. The top 20 developers released a total of 5,422 skills, accounting for 12.9% of the total.

The most extreme account posted 955 Skills in 3 months, averaging 10.6 per day. Even with the simplest API wrapper, it would be difficult to maintain such a production density continuously for 90 days by hand. This is most likely due to template-based batch generation.

Multiple sets of accounts with similar names and alternating posting times further corroborate this judgment: the three accounts, bytesagain, bytesagain1, and bytesagain3, have a total of 551 skills. Individually, they appear to be three authors, but when viewed together, they resemble multiple windows from the same production line.

Once large-scale production capacity is established, malicious samples, low-quality samples, and disguised samples can all be mass-produced.

Attack chain: Permission collection + Channel transmission

Of the nearly 50,000 Skills, 27,818 declared network request permissions, accounting for 74.6%. On average, 3 out of every 4 Skills will connect to the internet.

Connecting to the internet isn't the problem. But when connecting becomes the default action in the ecosystem, truly malicious data leaks can infiltrate massive amounts of legitimate traffic.

Even more dangerous is the combination of permissions; file reading combined with network transmission constitutes a complete data leakage path:

Highly referenced sensitive paths:

This over-licensing pattern, which is "functionally reasonable but dangerous when combined," is prevalent in the ecosystem. Snyk's ToxicSkills study found over 280 samples with directly leaked credentials among 3,984 skills. The findings of the SkillProbe team at Shanghai Jiao Tong University are even more alarming: over 90% of highly downloaded skills failed rigorous security audits, revealing a significant counterintuitive contradiction between download volume and security (the "popularity-security paradox").

External connection channels: 29,196 domains; two types of channels require special attention.

The full scan revealed 246,378 URLs pointing to 29,196 different domains. Two types of channels deserve separate attention:

The former corresponds to remote control and data backhaul capabilities, while the latter indicates that on-chain interaction scenarios have entered the Skill ecosystem. For attackers, these are readily available channels that can be directly utilized.

High-frequency external connection target:

V. Not just ClawHub: Agent Skill Security is a Common Problem in the Industry

Are the above findings an isolated issue with ClawHub? No.

In the security academic community, the SkillProbe paper's audit of 2,500 ClawHub Skills revealed a "popularity-security paradox": skills with high download volumes are not necessarily more secure than those with low download volumes. Furthermore, high-risk skills form a single, massively connected component in terms of risk correlation , indicating that cascading risks are systemic.

The security industry: Snyk ToxicSkills research covered 3,984 skills across four platforms: OpenClaw, Claude Code, Cursor, and VS Code. The results showed numerous security vulnerabilities across all platforms.

The OWASP Agentic Skills Top 10, released in April 2026, explicitly covers four major platforms: OpenClaw, Claude Code, Cursor/Codex, and VS Code. It specifically points out the risk of cross-platform reuse, noting that malicious skills can be ported from one platform to another. Malicious skills on ClawHub have been observed spreading in independent marketplaces such as skills.sh.

VI. Defense Recommendations

Before installing any skill from external marketplaces like Clawhub, take some time to do thorough research and verification:

Three things to consider before installation

1. Check the author: Go to the homepage; if someone has posted 200+ skills, be cautious about installing.

2. Check permissions: Open SKILL.md and check if the permissions match the functionality.

3. Check the domain name: Search for "http". If you see a domain name you don't recognize, be cautious.

Three checks after installation

1. Check list: More than 20 skills? Clean up infrequently used ones.

2. Check permissions: Check who has global Bash and read/write permissions for sensitive files.

3. Detect the source: Prioritize uninstalling high-privilege skills from unofficial and unknown authors.

If you find it too complicated, we recommend using AIG's EdgeOne Claw Skill to perform a systematic check on your lobster. It will call upon AIG's risk data of nearly 50,000 skills on ClawHub to determine whether the skills you installed have known risks. For skills installed through channels other than ClawHub, it also supports fast local auditing.

拉取 https://matrix.tencent.com/clawscan/skill.md 安装后，用 edgeone-clawscan 跑一轮本地检查。