820 Malicious Skills Found in OpenClaw's ClawHub Marketplace

Malicious Skills in ClawHub Marketplace
OpenClaw's ClawHub marketplace contains over 10,000 installable skills that extend what AI agents can do. Security researchers recently reported that 820 of these skills contain confirmed malware with actual malicious payloads.
Specific Malicious Behaviors Found
The analysis identified concrete malicious components including:
- Keyloggers
- Data-exfiltration scripts
- Hidden shell commands
- Background processes sending files to external servers
These are not just suspicious behaviors or poorly written code, but confirmed malware with malicious payloads.
Security Implications
Installing affected skills could give attackers access to:
- Local files
- Credentials
- Project data
The level of access depends on permissions granted to the AI agent. ClawHub skills function similarly to npm packages or browser extensions, meaning they can execute code and interact with the local environment. This creates supply-chain style security risks where malicious code can be introduced through third-party extensions.
Marketplace Security Concerns
The discovery raises questions about whether AI marketplaces like ClawHub are moving faster than their security models can handle, or if this represents typical growing pains for a new ecosystem. The scale of the issue (820 out of 10,000+ skills) suggests significant security challenges in vetting third-party extensions for AI agents.
📖 Read the full source: r/openclaw
👀 See Also

5 Malicious OpenClaw Skills That Passed ClawScan + VirusTotal: Unit 42 Analysis
Unit 42 found 5 malicious OpenClaw skills that bypassed ClawScan and VirusTotal. Techniques included runtime referral swapping, SOL pooling for pump-and-dump, and 22MB README padding to hide an AMOS dropper.

Anthropic reveals industrial-scale Claude AI data extraction by Chinese labs
Anthropic confirmed Chinese AI labs used over 24,000 fraudulent accounts to scrape 16 million exchanges from Claude, extracting safety guardrails and logic structures for military and surveillance systems.

Claude Cowork 'Allow All Browser Actions' Permission Security Concerns and Proposed Fixes
A Reddit user highlights that Claude Cowork's 'Allow all' button grants permanent, unrestricted browser access across all future sessions with no visibility, boundaries, or expiration, creating security risks. The post proposes session-scoped or skill-scoped permissions as safer defaults.

Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials
The litellm PyPI package, which unifies calls to OpenAI, Anthropic, Cohere and other LLM providers, was compromised with malicious version 1.82.8 that exfiltrated SSH keys, cloud credentials, API keys, and other sensitive data for about an hour.