Go to ICLR 2026 Workshop AIWILD homepageClawdPwned: Malicious Instructions in the OpenClaw AI Agent Skills repository
Keywords: LLM Security, Agentic AI Security, AI Agents, Supply-chain Security, Suppy-chain Vulnerability, Prompt Injection, AI Safety, ClawdBot, OpenClaw
TL;DR: We audit 2,556 ClawdBot agent skills against the OWASP LLM Top 10, identify 49 likely malicious skills, and propose registry and runtime defenses to secure the AI agent supply chain.
Abstract: OpenClaw (formerly ClawdBot) has experienced explosive growth, gaining over 141,000 GitHub stars and enabling thousands of users to integrate AI agents into their most sensitive workflows (Slack workspaces, personal data sources, financial accounts and social media platforms). This widespread adoption introduces a critical attack surface: skills, the modular capability extensions that grant agents access to tools, APIs, credentials, and system resources. A malicious actor who publishes a compromised skill to ClawHub can harvest credit card numbers, steal LinkedIn and cryptocurrency wallet credentials, execute obfuscated malware, or orchestrate large-scale social media manipulation.
We present the first large-scale security audit of this ecosystem, evaluating 2,556 publicly available skills against the OWASP LLM Top 10 framework. Our analysis identifies 49 skills that are likely malicious, including tsyvic/buy-anything (harvests full credit card details and executes purchases autonomously), zaycv/linkedin-job-application (collects LinkedIn credentials and 2FA secrets via obfuscated base64|bash installers), aslaep123/reddit-trends (enables multi-account vote manipulation with anti-detection systems), zaycv/polymarket-trading (extracts wallet private keys through password-protected executables), and cgallic/wake-up-skill (poisons agent memory with attacker-controlled content). The most common attack mechanism in malicious skills was Sensitive Information Disclosure (92.4\%), followed by Excessive Agency enabling unauthorized financial transactions and mass automation (90.5\%), and Supply Chain attacks through fetch-and-execute patterns (69.6\%). We propose concrete mitigations including permission manifests, cryptographic integrity verification, secret scoping, and per-action confirmation gates to protect the rapidly growing agentic AI ecosystem.
PDF: pdf
Email Sharing: We authorize the sharing of all author emails with Program Chairs.
Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.
Submission Number: 57
Loading