The OpenClaw Supply Chain Crisis Is Bigger Than npm's — And Nobody's Auditing It
341 malicious skills. 12% of the entire registry. Screening bypassed. All major AI providers blocking it. The AI agent supply chain is on fire and there's no audit infrastructure.
The npm ecosystem has been fighting malicious packages for a decade. In its worst month, about 0.2% of new packages were flagged as malicious. The AI agent ecosystem just shattered that record in its first quarter.
OpenClaw’s ClawHub marketplace: 341 malicious skills out of 2,857. That’s 12%.
Let that sink in. More than 1 in 10 AI agent extensions were actively malicious — stealing credentials, exfiltrating data, committing financial fraud, and executing arbitrary code. And the automated screening? Bypassed.
The Numbers That Should Terrify You
Here’s what security researchers found between February and May 2026:
- 341 malicious skills identified by Koi Security in a single audit of 2,857 skills — a 12% infection rate
- 335 of those were part of the coordinated ClawHavoc campaign, systematically distributing the Atomic macOS Stealer (AMOS)
- Over 2,200 additional malicious skills found on GitHub by Trend Micro
- 42,665 publicly accessible OpenClaw instances discovered by researchers scanning the internet
- 1.5 million authentication tokens exposed in the related Moltbook platform breach
- 3 high-impact CVEs disclosed in a 3-day window, including CVE-2026-25253 (CVSS 8.8): one-click remote code execution
- 7.1% of marketplace skills exposed API keys, credentials, or credit card data through problematic
SKILL.mdinstructions alone — no malware required — per Snyk
This isn’t a theoretical supply chain problem. This is npm’s event-stream incident multiplied by 341, running with filesystem access and live API tokens.
The 5 Evasive Skills That Broke Screening
Unit 42 (Palo Alto Networks) documented five malicious skills that bypassed ClawHub’s automated screening — a combination of VirusTotal scanning and ClawScan, their purpose-built security scanner. Here’s what got through:
1. TradingView Paste-Site Lures
Disguised as a legitimate financial data integration. The SKILL.md instructed the agent to pull data from paste sites disguised as TradingView endpoints. The agent, acting through its own authenticated session, would exfiltrate financial data to attacker-controlled infrastructure.
2. Oversized Padded README Dropper (omnicogg)
Used file padding to inflate the package size beyond scanner limits. The README contained what looked like legitimate documentation, but embedded within was obfuscated malicious code. ClawScan’s file-size limits meant it never completed analysis.
3. Runtime Affiliate Injection (money-radar)
The most insidious of the five. Posed as a financial advisor tool with a legitimate UI. At runtime, it pulled a referrals.json from a remote CDN that contained affiliate injection rules. The agent would silently insert affiliate links into financial recommendations — generating commission fraud through the agent’s own authenticated sessions. No malware signature to detect because the malicious behavior was purely configuration-driven.
4. Agentic Front-Running (letssendit)
Designed to monitor the agent’s transaction queue. When it detected a cryptocurrency transaction being prepared, it would front-run it — submitting a higher-gas version of the same transaction to capture the value. This exploits the agent’s own transaction signing authority.
5. Atomic Stealer Variants (x2)
Two separate skills delivered the AMOS infostealer, targeting credentials, browser data, crypto wallets, Telegram sessions, VPN profiles, and Apple Keychain items. Both passed VirusTotal because they used delayed execution and environment-specific triggers that evaded sandbox analysis.
The Industry Response: Block Everything
The reaction from major AI providers tells you how serious this is:
- Anthropic: Claude Code refuses requests or charges extra if commits mention “OpenClaw” (1,349 points on HN)
- Anthropic (escalation): No longer allows Claude Code subscriptions to use OpenClaw at all (1,099 points on HN)
- Google: Restricted Google AI Pro/Ultra subscribers from using OpenClaw (802 points on HN)
- HN thread: “Top downloaded skill in ClawHub contains malware” hit 334 points with 151 comments — the developer community is alarmed
When Anthropic, Google, and the entire HN front page are all reacting to the same platform within weeks, you’re not looking at isolated incidents. You’re looking at a structural failure in how AI agent supply chains are secured.
The Real Problem: Agents Are Identity-Bearing
What makes OpenClaw’s crisis different from traditional supply chain attacks is the identity assumption.
A malicious npm package can steal environment variables. A malicious ClawHub skill steals the agent’s authenticated identity — everything the agent can access, through the agent’s own sessions. As Unit 42 put it:
“When a malicious skill is installed, it can seize full control of the agent’s identity and execute unauthorized actions through the agent’s own authenticated sessions, all without needing a conventional exploit.”
The malicious skill doesn’t need to find a vulnerability. It is the vulnerability — or rather, it inherits the agent’s full authority by design. The agent’s own trust model becomes the attack vector.
The Screening Gap: Automated ≠ Secure
ClawHub had screening: VirusTotal for known malware signatures, ClawScan for behavioral analysis. Five malicious skills still got through between February and May 2026.
This is the same gap we’ve been documenting across the entire AI agent security landscape. Automated tools (Layers 1-5 in our 6-layer framework) operate on patterns — signatures, heuristics, known-bad behaviors. They cannot reason about:
- Configuration as attack vector:
money-radarhad zero malware — its malicious behavior was entirely in a JSON config file - Agent authority abuse:
letssenditdidn’t steal credentials; it abused the agent’s legitimate transaction authority - Multi-stage context attacks:
omnicoggused file padding that’s technically valid per the spec - Semantic manipulation: skills that produce harmful outputs through entirely valid API calls
Only a human auditor — examining the intent behind the configuration, the context of the agent’s authority, the chain of trust from publisher to runtime — can catch these.
The Audit Infrastructure Doesn’t Exist Yet
Here’s the scariest part: there is no standardized way to audit an AI agent’s supply chain today.
- SBOMs don’t capture agent skills, tool permissions, or credential scope
- AI-BOMs are emerging but focus on models, not runtime agent behavior
- AgentRiskBOM (arXiv, June 2026) is the first academic proposal for a risk-scoping BOM for AI agents — it’s promising but not adopted
- ClawTrust.ai now exists specifically because OpenClaw’s security was so broken
- ClawScan (OpenClaw’s own tool) missed 5 of the most sophisticated attacks
The npm ecosystem took years to build audit infrastructure — npm audit, Socket.dev, Snyk, Socket Security. The AI agent ecosystem has none of this, and it’s growing faster than npm ever did.
What This Means for Your AI Agents
If you’re deploying AI agents in production — whether through OpenClaw, Claude Code, Cursor, or any other platform — here’s what you need to audit right now:
- Skill/extension inventory: Do you know every skill your agent has installed? Every dependency? Every
SKILL.mdit reads? - Credential scope: What tokens, API keys, and sessions does each skill have access to? Can you audit what each skill actually accesses vs. what it claims to access?
- Configuration review:
money-radarhad zero malware signatures — its malicious behavior was entirely in a JSON file. When was the last time someone manually reviewed your agent’s runtime configuration? - Publisher trust: Can you trace every skill back to a verified publisher? OpenClaw’s screening was bypassed. Your agent platform’s screening can be too.
- Runtime behavior monitoring: Are you logging what your agents actually do? Not what they’re supposed to do — what they actually do.
The Bottom Line
The AI agent supply chain is where the npm ecosystem was in 2016 — growing explosively, with security as an afterthought. But the blast radius is orders of magnitude larger. An npm package can steal your CI secrets. A malicious AI agent skill can drain your bank account through your agent’s own authenticated sessions.
Every team deploying AI agents in production needs an audit. The tools don’t exist yet — but the threat does.
At dotfm, we audit AI-built and AI-augmented applications for the failure modes automated tools can’t catch. If you’re deploying AI agents and want to know what your supply chain actually looks like, get in touch.
Is your AI-built app ready for real users?
We audit, harden, and ship AI-built apps. From security review to production deployment.
Get an audit →