ctipilot.ch

OpenClaw community AI-agent 'skills' as an emerging supply-chain surface

vulnerability-trend · item:kaspersky-openclaw-ai-agent-skills-supply-chain

Coverage timeline
1
first 2026-07-02 → last 2026-07-02
Briefs
1
1 distinct
Sources cited
13
13 hosts
Sections touched
1
research
Co-occurring entities
8
see Related entities below

Story timeline

  1. 2026-07-02CTI Daily Brief — 2026-07-02
    researchFirst coverage: Kaspersky — malicious SKILL.md distribution continuing on ClawHub despite scanning; single-source

Where this entity is cited

  • research1

Source distribution

  • cyera.com1 (8%)
  • imperva.com1 (8%)
  • securelist.com1 (8%)
  • thehackernews.com1 (8%)
  • trendmicro.com1 (8%)
  • unit42.paloaltonetworks.com1 (8%)
  • varonis.com1 (8%)
  • attack.mitre.org1 (8%)
  • other5 (38%)

Related entities

All cited sources (13)

Items in briefs about OpenClaw community AI-agent 'skills' as an emerging supply-chain surface (4)

Kaspersky: community AI-agent "skills" are an emerging supply-chain surface — OpenClaw marketplace still distributing malicious skills [SINGLE-SOURCE]

From CTI Daily Brief — 2026-07-02 · published 2026-07-02 · view item permalink →

Kaspersky published fresh detection telemetry (through mid-June 2026) on OpenClaw, an AI-agent framework whose agents load "skills" — plaintext SKILL.md natural-language instruction files, some with embedded code — from a community marketplace ("ClawHub"), typically running with file-system access and the tokens/keys of the systems each skill touches (Kaspersky Securelist, 2026-07-01). Because building a malicious skill needs no custom-malware development, Kaspersky frames skill distribution as a supply-chain-attack analogue with an even lower bar than package-repository attacks: prior to 7 February 2026 no skills underwent any security check, and an April scan of the hub found 24 accounts distributing 600+ malicious skills, with OSINT indicating 1,100+ malicious accounts created since January. Although the marketplace has since added pre-publication scanning, Kaspersky's June detection statistics show malicious-skill activity continuing on customer endpoints. Defender takeaway: treat SKILL.md ingestion as an untrusted-code-execution surface — log and alert on file-system access and outbound network calls from AI-agent processes to non-allow-listed hosts, watch for plaintext credential/token files co-located with agent skill directories, require pre-execution scanning plus least-privilege sandboxing before any community skill runs against production credentials, and set an explicit enterprise AI-usage policy barring unreviewed third-party skill installation. Single-source (Kaspersky); no independent corroboration located this run.

Unit 42: malicious skills on the OpenClaw "ClawHub" agent marketplace deliver macOS infostealers and weaponise AI agents for financial fraud

From CTI Daily Brief — 2026-06-24 · published 2026-06-24 · view item permalink →

Palo Alto Networks Unit 42 (2026-06-23) documented five malicious skills published to ClawHub, the third-party skill marketplace for the OpenClaw AI-agent platform, active February–May 2026 (Unit 42, 2026-06-23; corroborated by Trend Micro). Two skills delivered the cluw macOS infostealer (an Atomic macOS Stealer / AMOS variant) by redirecting the agent to paste-site URLs (rentry.co, glot.io) carrying Base64-encoded curl | bash droppers. A third, omnicogg, padded its README to 22 MB to exceed the file-size threshold of both ClawScan and VirusTotal, slipping its payload past automated scanning. The most novel two cross a line into agentic abuse: money-radar fetches an attacker-controlled referrals.json at runtime to silently rewrite the financial referral links the agent recommends (revenue redirection with no re-publish), and letssendit coordinates a pool of agents to accumulate Solana ahead of operator-timed token launches — Unit 42's described first weaponisation of an AI-agent botnet for pump-and-dump fraud.

Why it matters to us: The skill-marketplace attack surface behaves like a package registry but is barely covered by existing supply-chain tooling, and "installation results in complete control over the agent's identity." For any organisation piloting agentic AI, treat skills as untrusted code: review them line-by-line before install, validate publisher provenance, and watch for agent processes spawning curl/shell, reaching paste sites, or creating cron persistence (T1195.001 supply-chain compromise, T1204.003/T1202 indirect execution, T1053.003 cron, T1555 credential access). The file-padding evasion is a reminder that a scanner with a content-size cutoff is a control with a documented bypass.

Imperva and Varonis: indirect prompt injection and "agent phishing" against the OpenClaw AI agent — fixed in v2026.4.23, but the attack class generalises

From CTI Daily Brief — 2026-06-12 · published 2026-06-12 · view item permalink →

Two independent teams published complementary findings against OpenClaw, the self-hosted AI-agent platform that plugs into messaging systems, mailboxes, file systems and APIs. Imperva showed that shared contact names, vCard fields and location-pin labels flow into the LLM prompt with no untrusted-content boundary: a crafted contact — its injected command hidden behind 65 whitespace characters so the UI truncates it — executed python3 on the victim's host the moment the victim shared the contact with their agent (Imperva, 2026-06-10). Varonis demonstrated "agent phishing": a plain email from a plausible sender persuaded a mailbox-connected agent to forward mock AWS IAM keys and a customer export to an external address, with no exploit involved — the agent simply lacks sender-identity verification before acting (Varonis, 2026-06-09). Both teams note OpenClaw's default memory persistence lets one successful injection survive across sessions. The vendor fix (v2026.4.23) moves messaging-object metadata into a separate untrusted channel — but the structural lesson stands: wherever an agent ingests third-party-controlled strings (contacts, calendar invites, ticket bodies), that channel is an injection surface (T1059). Defender takeaway: pin OpenClaw ≥ v2026.4.23; inventory which AI agents hold mailbox send-permissions or shell access; gate agent-initiated outbound actions behind approval workflows the same way you gate privileged operations.

CVE-2026-44112 / CVE-2026-44113 / CVE-2026-44115 / CVE-2026-44118 — OpenClaw "Claw Chain": four chainable flaws in autonomous-agent platform enable sandbox escape → credential leak → privilege escalation → file disclosure

From CTI Daily Brief — 2026-05-16 · published 2026-05-16 · view item permalink →

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 (Cyera Research, 2026-05-15 · The Hacker News, 2026-05-15). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. The defender-relevant detail is that an attacker who can obtain code execution inside the OpenClaw managed sandbox — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators. CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement. CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time. CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled senderIsOwner flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control. CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root. Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers. No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with senderIsOwner=true from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.