The Agent Skills Gold Rush Has a Malware Problem

Source: Dev.to

Rapid Growth of the Agent Skills Marketplace

Three weeks ago, ClawHub had roughly 2,800 skills in its registry. Today it has over 10,700. In that same window, security researchers found more than 800 malicious packages—approximately 20 % of the entire registry—primarily delivering the Atomic macOS Stealer. One user uploaded 354 malicious packages in what appears to have been an automated blitz.

There was no static analysis, no code review, and no signing requirement—just an open door and a welcome mat.

The skills marketplace isn’t limited to ClawHub any longer. The landscape has fractured into a dozen competing registries, each with its own trade‑offs between scale and safety:

• SkillsMP – 96,000+ skills, Claude Code compatibility, but zero security audit.
• MCP.so – 17,000+ MCP servers with universal compatibility.
• SkillHub – 7,000+ skills with AI‑based quality scoring (the scoring does not check security).
• Vercel – new entry with Skills.sh, a shell‑based ecosystem marketed as “npm for AI agents.”

The connective tissue across all of this is the SKILL.md open standard, adopted by Claude Code, Codex CLI, and Gemini CLI since Anthropic published it in December 2025. Skills are now portable across platforms—great for distribution, terrible for containment.

---

Recent Security Advisories

A cluster of advisories arrived last week, painting a grim picture:

• Conscia discovered over 30,000 internet‑exposed OpenClaw instances via Censys and Bitsight, many running without authentication.
• Bitdefender telemetry confirmed OpenClaw on corporate endpoints as “Shadow AI,” an enterprise‑security nightmare nobody planned for.
• Microsoft published official guidance for running OpenClaw safely, covering identity, isolation, and runtime risk. When Microsoft writes security guides for your open‑source project, it’s both an adoption signal and a red flag about widespread misuse.
• Kaspersky documented the AMOS infostealer campaign targeting ClawHub skills specifically.
• SecurityWeek reported on CVE‑2026‑25253, a CVSS 8.8 one‑click RCE vulnerability patched in January but still unpatched on many instances.
• The Register found that 7 % of one major registry’s skills were leaking API keys through the LLM context window.

---

Parallels with the npm Supply‑Chain Crisis

The agent‑skills ecosystem is replaying the npm supply‑chain crisis at 10× speed:

• Open registries with low barriers to entry.
• Automated bulk publishing.
• Typosquatting and malicious payloads hidden behind legitimate‑sounding package names.

The key difference is the attack surface: a malicious npm package compromises your build pipeline, whereas a malicious agent skill compromises your agent, which may have access to files, APIs, credentials, and increasingly your entire digital life.

---

Current Mitigations (Predictable and Insufficient)

• VirusTotal partnered with ClawHub for automatic malware scanning—necessary but reactive.
• SecureClaw launched as an open‑source auditing tool—useful but opt‑in.
• Snyk found that 36 % of scanned skills contained prompt injection, suggesting the problem extends beyond traditional malware into the gray zone of skills that manipulate agent behavior without deploying a payload.

---

Recommendations for Operators

If you’re running OpenClaw or any agent framework with third‑party skills:

1. Audit installed skills

   openclaw security audit --deep

   Review skill permissions manually if the command isn’t available. Skills that declare writable paths, network access, or credential requests deserve extra scrutiny.

2. Pin versions and verify sources

   • Disable auto‑updates.
   • Treat every update like a production dependency upgrade: review the diff, check maintainer history, and verify the repository.

3. Cross‑list responsibly

   • Listing on multiple registries (e.g., SkillsMP) can increase visibility, but publish with security in mind: localhost‑only where possible, minimal permissions, and clear documentation of what the skill accesses and why.

The gold rush is real, and the claims are being staked. Yet 20 % of the territory is already mined, and many prospectors are still running barefoot.

Originally published on The Undercurrent