SlowMist has indicated that in a recent surge of interest surrounding the open-source AI agent framework OpenClaw, its official plugin repository, ClawHub, has become a hotspot for developers. However, this rapid growth has drawn the attention of cybercriminals, leading to widespread supply chain attacks through tainted plugins. Cybersecurity professionals at SlowMist, a blockchain security firm, have delved into this emerging threat, revealing how attackers are embedding harmful code in what appear to be legitimate “skills” – essentially plugin directories following the AgentSkills standard.
Without proper vetting processes on the platform, these malicious entries are proliferating, endangering users who integrate them into their AI workflows.
SlowMist’s investigation, prompted by initial reports, highlights the core vulnerability in ClawHub’s design.
Skills rely heavily on a markdown file called SKILL.md, which often includes setup instructions that users execute directly.
Attackers exploit this by disguising malicious commands as routine installation steps, such as dependency downloads or environment configurations.
Techniques like Base64 encoding obscure these commands, making them seem innocuous at first glance.
Once decoded and run, they initiate a “download-and-execute” sequence, pulling in payloads from remote servers.
The analysis points to organized groups behind these operations, as evidenced by the reuse of a limited set of domains and IP addresses across hundreds of tainted skills.
A scan referenced in the report identified over 340 malicious plugins out of nearly 3,000 reviewed, with themes centered on cryptocurrency tools, financial utilities, and system updates to reduce user suspicion.
Attackers employ a two-stage delivery: an initial obfuscated script fetches a secondary payload, allowing quick updates without altering the visible plugin files.
This minimizes detection and enables agile evasion tactics.
A prime example is the seemingly benign “X (Twitter) Trends” skill, which has garnered significant downloads.
Its SKILL.md hides a Base64-encoded backdoor that, when executed, downloads a program from a suspicious IP like 91.92.242.30.
This leads to a second-stage executable that mimics a system prompt to steal the user’s password.
Upon success, it scans directories such as Desktop, Documents, and Downloads for sensitive files like PDFs and text documents, zips them with system info, and exfiltrates the data to a command-and-control server, such as socifiapp.com – a domain flagged for remote access trojan activity since its registration in mid-2025.
The risks extend beyond data theft, potentially enabling broader system compromise or ransomware deployment.
SlowMist’s MistEye tool, a specialized threat monitoring platform for Web3 environments, detected these issues early, alerting clients to 472 affected skills and their indicators of compromise (IOCs), including reused IPs and file hashes.
The firm continues vigilant tracking, integrating new rules to spot similar threats in real-time.
To mitigate, SlowMist advises users to scrutinize all commands in SKILL.md before execution, avoid granting unnecessary permissions, and source dependencies solely from verified channels.
Defensively, focusing on behavioral patterns like staged loading and infrastructure reuse proves more effective than individual takedowns.
SlowMist has concluded that this incident underscores the evolving dangers in AI plugin ecosystems, where “executable documentation” blurs the line between helpful guides and hidden malware. As OpenClaw’s popularity grows, enhanced platform security and user awareness will be crucial to safeguarding the community.