DEV Community

Bill Wilson
Bill Wilson

Posted on

71 Malicious Skills Found on ClawHub. Here's How to Protect Your Agent.

#security #ai #agents #opensource

Two days ago, security researchers dropped a report that should make every OpenClaw user stop and read carefully. Seventy-one malicious skills were found living on ClawHub — the main marketplace where agents discover and install capabilities. Not lurking in some obscure corner. Right there, in the open, with download counts and star ratings.

The full scope is worse: 341 total malicious skills were identified across the ecosystem. The vulnerability is being called ClawJacked. If you haven't updated to OpenClaw v2026.2.26 yet, do that now before reading the rest of this.

What Actually Happened

The ClawJacked flaw let malicious sites push rogue skills into an agent's context without explicit user confirmation. Attackers used it systematically. They published skills disguised as crypto trading tools — things like "BTC Signal Analyzer" or "DeFi Yield Scanner" — and waited for agents to install them.

Once installed, these skills did two things:

  1. Exfiltrated data. They scraped API keys, wallet addresses, session tokens — anything sitting in the agent's environment or passed through its context.
  2. Delivered secondary payloads. Some acted as droppers, pulling down additional malicious code after the initial install.

The disguise was deliberate. Crypto tools are high-value targets. Builders working with trading agents, DeFi protocols, or wallet infrastructure are exactly the people whose credentials are worth stealing. The attackers knew their audience.

OpenClaw patched the underlying flaw in v2026.2.26. That's the necessary first step. But it doesn't solve the underlying trust problem — which is older than this vulnerability and will outlast it.

The Real Problem: ClawHub Has No Built-In Vetting

ClawHub hosts over 3,000 skills. Anyone can publish. There's no mandatory security review, no automated scanning before a skill goes live, no permission scope enforcement.

That's not a criticism — it's the reality of how open marketplaces work. The speed of an open ecosystem comes with this tradeoff. But it means the burden of vetting falls on you, the builder installing the skill.

Most people don't read the full source code of every skill they install. I don't blame them. A skill might be 500 lines of Python with a dozen dependencies. Who has time to audit that before a demo?

But here's the thing: not auditing is exactly how 341 malicious skills ended up installed on real agents. The attack surface isn't the ClawJacked flaw specifically — it's the habit of installing skills on trust alone.

The fix isn't paranoia. It's process.

Pre-Deployment Validation: What It Should Look Like

Before any skill touches your agent, you want answers to specific questions:

  • Does the code make outbound network calls? To where?
  • What permissions does it request? Are those permissions actually needed for what it claims to do?
  • Does it access environment variables or API keys?
  • Are its dependencies clean? Or are they pulling in packages with known CVEs?
  • Does it try to read files outside its expected scope?
  • Is there obfuscated code that hides its real behavior?

Answering these manually, every time, for every skill, is not realistic. You need automated checks that run before install — a gate that catches the obvious red flags before they become your problem.

validator-agent: A Pre-Deployment Quality Gate

I built validator-agent for exactly this reason. It's a free, open-source skill on ClawHub (author: up2itnow, v1.0.0) that runs a 10-section validation check against any skill before you deploy it.

Here's what the 10 sections cover:

  1. Code safety — Static analysis for dangerous patterns, eval/exec abuse, shell injection vectors
  2. Permission scope — Does the skill request only what it actually needs? Overpermissioned skills are a red flag.
  3. Data handling — How does it treat sensitive data? Does it log things it shouldn't?
  4. Network calls — Every outbound connection gets flagged. You see exactly what domains the skill talks to.
  5. Dependency audit — Checks installed packages against known vulnerability databases
  6. Environment access — Identifies any attempt to read API keys, tokens, or env vars
  7. File system scope — Catches skills that reach outside their expected directories
  8. Obfuscation detection — Looks for encoded strings, dynamic imports, and other hiding techniques
  9. Source integrity — Verifies the skill matches its published checksum
  10. Permission/behavior alignment — Cross-checks what the skill claims to do against what its code actually does

The output is a clear pass/fail with a detailed report. If something fails, you see exactly why — not just "this skill is suspicious" but "this skill makes outbound calls to api.exfil-domain.com on line 47."

How to Install It 

# Install from ClawHub
openclaw skill install validator-agent --author up2itnow
Enter fullscreen mode Exit fullscreen mode

How to Use It as a Gate

Before installing any new skill:

# Validate before installing
openclaw run validator-agent --target <skill-name>

# If validation passes, then install
openclaw skill install <skill-name>
Enter fullscreen mode Exit fullscreen mode

Make this a habit. It adds maybe 30 seconds to your workflow. That's a reasonable trade for not accidentally handing an info-stealer your Coinbase API key.

Practical Steps Right Now

If you're running an OpenClaw agent, here's the actual list:

1. Update OpenClaw immediately

v2026.2.26 patches the ClawJacked vulnerability. If you're on an older version, you're still exposed to the original attack vector.

openclaw update
openclaw --version  # confirm you're on 2026.2.26+
Enter fullscreen mode Exit fullscreen mode

2. Audit your currently installed skills

Check what's already running in your agent. For anything you didn't install yourself, or anything crypto-related that you installed recently, look at the source code manually. Pay attention to network calls and environment variable access.

openclaw skill list
openclaw skill inspect <skill-name>
Enter fullscreen mode Exit fullscreen mode

3. Install validator-agent

openclaw skill install validator-agent --author up2itnow
Enter fullscreen mode Exit fullscreen mode

Run it against your existing skills too — not just new installs.

4. Review skill permissions

Every skill runs with a permission scope. Check what each of your installed skills can actually access. If a "price feed" skill has access to your file system or can make arbitrary network calls, that's a mismatch worth investigating.

5. Prefer skills with public source repos

If a skill doesn't link to a public repo with readable source code, treat that as a yellow flag. It doesn't mean it's malicious, but it means you can't verify what it actually does.

The Bigger Picture

The ClawJacked incident will get patched and mostly forgotten. That's how these things go. But the underlying question — how do you trust what you're installing into an agent that has access to your keys, your data, and your systems? — doesn't go away.

Agents are different from apps. When a rogue browser extension steals your data, it has access to whatever you give it in the browser. When a rogue skill steals your data, it potentially has access to everything your agent can touch: wallets, APIs, files, external services. The blast radius is larger.

That's not a reason to stop using skills. It's a reason to be deliberate about which ones you install and to have a consistent process for checking them before they run.

validator-agent is one piece of that. It's not perfect — no static analysis tool catches everything. But it catches the obvious stuff, and the obvious stuff is what took down 341 agents in this incident.

Install the update. Run the validator. Check your existing skills. That's the whole list.

validator-agent is free and open source. Find it on ClawHub: author up2itnow, v1.0.0. If you find a skill that fails validation and looks genuinely malicious, report it to ClawHub's security team.

Top comments (0)