Security researchers have uncovered a coordinated supply chain attack targeting ClawHub, the official plugin marketplace of the open-source AI agent project OpenClaw, raising fresh concerns about security gaps across emerging Web3 developer ecosystems.
According to the blockchain security firm SlowMist, attackers have successfully uploaded hundreds of malicious “skills” to ClawHub by exploiting weaknesses in its review and verification processes.
How SKILL.md became an attack vector
Unlike traditional code repositories, OpenClaw skills rely heavily on a file called SKILL.md, which often serves as both documentation and an installation guide. SlowMist found that attackers abused this structure by embedding malicious shell commands inside what appeared to be normal setup instructions.
Many of the skills used Base64-encoded commands to disguise download-and-execute behaviour, tricking users into running them during installation. Once triggered, these commands pulled additional payloads from remote servers, allowing attackers to update malware without modifying the original skill. This two-stage delivery method helped the malicious skills evade simple keyword-based reviews.
Crypto-themed lures and reused infrastructure
The investigation revealed that many of the malicious skills were deliberately named after crypto-related tools, financial utilities, or security updates categories, more likely to gain trust from Web3 developers. One widely downloaded skill, “X (Twitter) Trends,” appeared legitimate but secretly deployed malware that harvested files from user devices and uploaded them to a command-and-control server.
SlowMist linked much of the activity to a small set of reused IP addresses and domains, including infrastructure previously associated with data theft and extortion campaigns. Blockchain threat intelligence platforms confirmed that these endpoints had been flagged for malicious activity earlier this year.
Using its MistEye monitoring system, SlowMist has identified more than 470 malicious skills and has shared indicators of compromise with affected users. The firm warned that as crypto-native AI agents and plugin marketplaces continue to expand, poorly secured distribution channels are increasingly becoming prime targets for large-scale supply-chain attacks.
In a similar post-mortem analysis published for the Truebit exploit, SlowMist explained that the incident was caused by flawed smart-contract logic rather than a sophisticated external breach.
Enjoyed this piece? Bookmark DeFi Planet, explore related topics, and follow us on Twitter, LinkedIn, Facebook, Instagram, Threads, and CoinMarketCap Community for seamless access to high-quality industry insights.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
