OpenClaw skill registries are becoming an agent supply-chain risk

At a glance

What this is: This analysis shows how agent skill registries can be abused as a supply chain for infostealer delivery, with markdown instructions acting as executable setup paths.

Why it matters: It matters because IAM, PAM, and NHI teams now have to govern agent-installed content, local execution, and session-secret exposure as one attack surface.

👉 Read 1Password's analysis of OpenClaw skill registries and malware delivery

Context

Agent skill registries look like documentation stores, but in practice they can carry executable intent through links, install steps, bundled scripts, and trust cues such as “top downloaded.” That shifts the governance problem from simple content review to identity and execution control around agents, terminals, browser sessions, and secret-bearing developer devices.

The identity issue is straightforward: once an agent can recommend, stage, or trigger commands on a machine with active credentials, the registry becomes part of the access path. That creates a machine-identity and agent-governance problem at the same time, especially where corporate devices, saved sessions, and developer tokens are already present.

Key questions

Q: What breaks when agent skill registries can deliver malicious installers?

A: The trust model breaks because users and agents begin treating setup instructions as benign, even when those instructions lead to payload staging and credential theft. Once a skill can carry a prerequisite link or bundled script, the registry becomes part of the attack path. Security teams should treat install flows as execution events, not documentation events.

Q: Why do agent-installed skills increase identity risk on developer machines?

A: They increase risk because developer machines often already hold browser sessions, tokens, SSH keys, and cloud access. A malicious skill does not need to defeat the whole identity stack if it can harvest what is already present on the endpoint. That is why agent governance and secret hygiene now have to be managed together.

Q: What do security teams get wrong about MCP and skill safety?

A: They assume structured tool mediation is enough. MCP can help govern some tool calls, but it does not stop a malicious skill from using direct shell instructions, social engineering, or bundled scripts outside the protocol boundary. The safer model is to assume any skill may try to reach local execution unless blocked.

Q: Who is accountable when an agent skill install leads to secret theft?

A: The accountable parties are the team that allowed the device, credentials, and execution path to overlap without adequate control, plus the operators responsible for registry governance and incident response. The practical answer is to assign ownership across endpoint policy, identity governance, and agent enablement before the next install event.

Technical breakdown

Why skill markdown behaves like an installer

In agent ecosystems, a skill is not just explanatory text. A skill file can contain step-by-step instructions, dependency prompts, links to staging pages, and optional bundled scripts. That means the boundary between documentation and execution is porous. When a user or agent follows a prerequisite step, the next action may already be controlled by the attacker. This is why skills can become a distribution layer rather than a benign knowledge layer. The real risk is not that the markdown contains code blocks. The risk is that the markdown directs trust toward external infrastructure that can deliver payloads outside normal tool mediation.

Practical implication: treat skill ingestion as code execution review, not content moderation.

Why MCP controls do not fully contain malicious skills

Model Context Protocol can structure tool access, but it does not automatically govern everything an agent can be persuaded to do. A malicious skill can route around MCP by using direct shell commands, social engineering language, or bundled scripts that run outside the tool boundary. That means the presence of MCP is not a safety guarantee. Security teams need to distinguish between mediated tool calls and unmediated local execution. If the skill can tell a user to paste a command, or can trigger a helper script, the control plane has already been bypassed in practice.

Practical implication: assume any skill can attempt command execution outside the MCP boundary unless explicitly blocked.

Why the infostealer payload is an identity problem, not just malware

The payload described in the article targets browser sessions, cookies, saved credentials, API keys, SSH keys, and cloud tokens. That is an identity haul, not just a device compromise. Once those artifacts are harvested, the attacker can impersonate the user or the workload across developer tools, source control, cloud consoles, and CI/CD. In identity terms, the compromise moves from the endpoint to the trust fabric. The important pattern is that a registry-delivered installer can rapidly turn documentation trust into account takeover opportunity.

Practical implication: prioritize secret exposure review and session revocation whenever agent-install steps are executed on a privileged device.

Threat narrative

Attacker objective: The attacker’s objective is to harvest reusable identity material from a trusted developer device and turn it into broader account compromise.

1. Entry occurs through a convincing skill entry in the registry, where a seemingly normal package description points to a required prerequisite and external install path.
2. Credential access follows when the staged payload runs on a developer device and targets browser sessions, cookies, saved passwords, API keys, SSH keys, and cloud tokens.
3. Impact is achieved through infostealer-driven account takeover potential across email, source control, cloud consoles, and CI/CD systems.

Breaches seen in the wild

• Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
• Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Agent skill registries are becoming a supply chain for identity compromise. When documentation can carry prerequisites, links, and bundled execution steps, the registry is no longer a passive catalog. It becomes a trust distribution channel that can deliver malware, social engineering, or agent-normalized command execution. The practitioner implication is that skill governance has to be treated as an identity and execution control problem, not a documentation hygiene issue.

Markdown is executable intent when an agent can act on it. The assumption that documentation is inert was designed for human readers who can pause, interpret, and validate before acting. That assumption fails when the actor can operationalize instructions immediately through a browser, terminal, or helper script. The implication is that security models built around human review of instructions need to be rethought for agent-mediated workflows.

Ephemeral trust is not enough if the device already holds durable secrets. A local agent may appear transient, but the machine it runs on often contains persistent browser sessions, developer tokens, and cloud credentials. That means a short-lived installer can still access long-lived identity material. The practitioner implication is that endpoint trust, secret scope, and agent execution authority must be governed as one system.

Skill registries create a new form of identity blast radius. Once a malicious skill can influence or trigger execution, the impact is not limited to the agent itself. It extends to the user’s sessions, the device’s stored credentials, and any downstream systems those credentials reach. The implication for the field is that agent identity controls will need stronger provenance, revocation, and mediation than today’s package and plugin models provide.

OpenClaw-style ecosystems show why agent governance cannot be bolted onto secrets management later. The attack path begins with trust in a registry and ends with credential theft, which means the attack surface spans discovery, installation, execution, and session reuse. Practitioner teams need to align NHI, PAM, and endpoint controls before agent adoption scales, because the compromise path already exists.

From our research:

• The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
• Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
• A useful next lens is The 52 NHI breaches Report, which helps teams connect credential exposure to real-world compromise patterns.

What this signals

Ephemeral execution, durable exposure: agent skill abuse collapses the gap between “just trying a tool” and “handling a breach.” The operational signal is that any environment where skills can invoke installers or scripts must be treated as a privileged execution zone, especially when browser sessions and developer tokens already exist on the same device.

Teams should expect their agent adoption programme to intersect with secrets management much earlier than they planned. In our research, the average estimated time to remediate a leaked secret is 27 days, which is far longer than the time it can take for stolen credentials to become operationally useful.

The next governance step is not simply banning agents. It is separating experimentation from sensitive identity domains, then enforcing provenance, mediation, and revocation across skill registries, endpoint policy, and secret lifecycle controls. That is where the trust layer has to move now.

For practitioners

• Restrict agent installation to isolated devices Block agent skill experimentation on any machine that has corporate access, saved sessions, or production credentials. Use a separate, disposable environment with no access to email, source control, cloud consoles, or CI/CD systems.
• Treat skill installs as potential incidents If any install command from a skill has been run on a work device, pause sensitive work, engage incident response, and rotate browser sessions, developer tokens, SSH keys, and cloud console sessions before resuming.
• Review registry content for execution cues Scan skills for one-liner installers, encoded payloads, quarantine removal steps, and bundled scripts. Flag any external link that moves from documentation into command execution or helper script download.
• Default-deny local command execution Require explicit mediation before any shell command, browser action, or credential-store access is allowed. Make command execution time-bound, revocable, and logged end to end.
• Limit secret reach on developer endpoints Reduce the number of durable secrets available on machines used for agent testing. Remove standing cloud sessions, shorten token lifetime, and separate daily development access from privileged administrative credentials.

Key takeaways

• Agent skill registries can function as an identity compromise channel when documentation carries install steps, links, or bundled scripts.
• The practical risk is not the markdown file itself, but the ability of that file to steer local execution toward credential harvesting and account takeover.
• Teams should isolate experimentation, tighten secret reach on developer endpoints, and treat skill installs as security-relevant events.

Key terms

• Agent Skill Registry: A repository where agent task packages, instructions, and optional scripts are distributed. In practice, it can become part of the execution path when users or agents trust installation steps inside the package and follow them on a local machine with credentials already present.
• Executable Intent: Documentation that does more than describe a task and instead pushes the reader or an agent toward action. In agent ecosystems, executable intent can be embedded in markdown, links, prerequisite steps, or helper scripts that trigger local commands and downstream compromise.
• Identity Blast Radius: The amount of identity access an attacker can gain after compromising one machine, session, or credential set. It includes browser sessions, cloud tokens, developer keys, and linked administrative access, which is why endpoint compromise can quickly become enterprise-wide account compromise.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: OpenClaw skill registries are becoming an attack surface for malware delivery. Read the original.