Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

OpenClaw skills and the malware channel problem for AI agents


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9223
Topic starter  

TL;DR: Among 4,310 OpenClaw skills audited and 221 analyzed in depth, 44 were tied to the ClawHavoc malware campaign, 70.1% showed OAuth over-provisioning, and 43.4% exhibited command injection patterns, according to Lakera. Agent skills are not lightweight plugins; they are executable code with marketplace distribution and host-level authority.

NHIMG editorial — based on content published by Lakera: The Agent Skill Ecosystem and OpenClaw Hackathon findings

By the numbers:

Questions worth separating out

Q: How should security teams govern AI skills that can execute code locally?

A: Security teams should govern them like executable software with delegated authority.

Q: Why do marketplace-installed AI extensions create such a large blast radius?

A: They inherit the permissions of the host environment, so one compromised extension can reach tokens, files, and network endpoints that were never meant to be shared.

Q: What breaks when AI skills are allowed to run without sandboxing?

A: Without sandboxing, a skill is no longer a bounded feature.

Practitioner guidance

  • Treat skills as executable software Require provenance checks, code review, and host isolation before any skill is installed in a production-connected environment.
  • Enforce minimal OAuth scopes Refuse broad repository, cloud, or token permissions unless the skill cannot function without them, and revalidate scopes during every upgrade.
  • Block unsafe shell execution patterns Detect and reject skills that decode payloads at runtime, construct dynamic shell commands, or fetch remote second-stage code.

What's in the full article

Lakera's full research covers the operational detail this post intentionally leaves for the source:

  • The full skill-by-skill audit breakdown across 4,310 published OpenClaw skills, including risk classification patterns.
  • Examples of the observed payload execution flow, including Base64 decoding, shell piping, and second-stage delivery.
  • Details on the ClawHavoc-linked typosquatting patterns and the named skills tied to confirmed malware delivery.
  • The public dashboard methodology used to score and classify the 221 skills reviewed in depth.

👉 Read Lakera's research on the OpenClaw agent skill malware channel →

OpenClaw skills and the malware channel problem for AI agents?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8662
 

AI skill marketplaces create an identity boundary, not just a software boundary: Once a third-party skill can execute with host privileges, the marketplace is granting operational authority, not merely functionality. That changes how security teams should think about trust, provenance, and delegated execution. The implication is that extension ecosystems need identity-style controls before they are treated as routine software distribution channels.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a malicious AI skill steals credentials?

A: Accountability is shared across the platform operator, the publisher, and the organisation that approved the skill for use. The operator is responsible for marketplace controls and execution boundaries, the publisher for code provenance, and the enterprise for permissioning and deployment decisions. The best governance model assigns ownership before compromise occurs.

👉 Read our full editorial: OpenClaw skills show how AI extensions become malware channels



   
ReplyQuote
Share: