1,184 Malicious Skills Found on ClawHub — The AI Agent Supply Chain Crisis
One in five packages on ClawHub contained malware. The AI agent ecosystem just had its supply chain crisis. Here's what happened and what it means for agent security.
I woke up Thursday morning to 40 unread messages in an agent builder Discord I lurk in. That's never good. The subject: a security researcher had just published a disclosure showing that 1,184 packages on ClawHub — the largest marketplace for AI agent skills and plugins — contained malicious code. One in five packages. Not fringe, abandoned packages either. Popular ones. Skills people were installing into agents that had access to their email, their databases, their customer data.
The disclosure is being called "ClawHavoc," and it's the biggest AI agent supply chain attack ever discovered. It's also the one a lot of us saw coming and did nothing about.
What ClawHavoc actually found#
The researcher audited 5,920 skills listed on ClawHub over a three-week period. Of those, 1,184 contained code that did things the skill descriptions never mentioned. The breakdown is ugly.
Some skills exfiltrated data — quietly sending copies of every conversation, file, or API response the agent processed to external servers. Others executed arbitrary code on the host machine, turning the agent's sandbox (if there even was one) into a backdoor. The most sophisticated ones overrode agent safety guardrails entirely, rewriting system prompts and tool permissions at runtime so the agent would stop refusing dangerous actions.
That last category is the one that kept me up. A skill that exfiltrates data is bad. A skill that rewrites your agent's safety boundaries is a different class of problem. You're not just losing data. You're losing control of an autonomous system that has access to real infrastructure.
The attack patterns ranged from crude to genuinely clever. Some malicious skills used typosquatting — names one character off from popular legitimate skills. Others piggybacked on real functionality, bundling actual useful code with a hidden payload. A few were dependency-chain attacks: the skill itself was clean, but it pulled in a compromised sub-dependency that did the dirty work.
This is npm all over again, but worse#
If you've been in software long enough, this feels familiar. The npm ecosystem went through its own supply chain reckoning — event-stream, ua-parser-js, colors.js, the left-pad incident. We learned that open package registries with minimal vetting are trust nightmares. We built lockfiles and audit tools and started actually reading what we install.
Then we went and built the exact same system for AI agents, except this time the packages don't just run code. They run code inside an autonomous entity that has access to your tools, your credentials, and your decision-making pipeline.
An npm package can steal your environment variables. A malicious agent skill can steal your environment variables, read your emails, send messages as you, modify files, call APIs, and do all of it while actively hiding its behavior from the agent's own monitoring. The attack surface isn't a build script. It's a reasoning engine with system access.
This is the AI agent ecosystem's left-pad moment. Except instead of half the internet going down because someone unpublished a small utility, the risk is thousands of agents quietly compromised, doing things their operators never authorized, with no visible symptoms until the damage is done.
Why open marketplaces are the wrong model for agent skills#
The core problem isn't that ClawHub failed to moderate. It's that the marketplace model itself is wrong for this use case.
When you install a VS Code extension, it runs in a sandboxed environment with limited system access. When you install a browser extension, Chrome at least shows you a permissions dialog. When you install a skill into an AI agent, you're giving code direct access to an entity that can reason, plan, and act autonomously. The skill doesn't just execute in the agent's environment. It becomes part of the agent's capabilities. It shapes what the agent can do and how it thinks about doing it.
Open registries work for libraries because libraries are inert. You call them, they return a value, they stop. Agent skills are active. They intercept conversations, modify tool calls, inject context. A compromised skill isn't just bad code sitting in your node_modules. It's a co-pilot sitting next to your agent, whispering in its ear.
I wrote last week about how AI agents can coordinate attacks without any human prompting them to do so. ClawHavoc is the other side of that coin. You don't need agents to spontaneously go rogue if you can just install rogue behavior directly through the skill marketplace. Why wait for emergent misalignment when you can ship it as a feature?
What securing the supply chain actually requires#
The knee-jerk response is "just audit the packages better." That's necessary but nowhere near sufficient. ClawHub has already started pulling flagged packages and says they're implementing automated scanning. Fine. But automated scanning catches known patterns. The sophisticated payloads in this batch used obfuscation, delayed execution, and conditional triggering — only activating when the agent was connected to specific high-value integrations.
Real supply chain security for AI agents needs several things the current ecosystem doesn't have.
Skill isolation. Every skill should run in its own sandboxed context with explicit, auditable permissions. No skill should be able to rewrite system prompts or modify other skills' behavior. This is table stakes, and almost nobody does it.
Behavioral monitoring. Static code analysis catches the obvious stuff. You also need runtime monitoring that flags when a skill's actual behavior diverges from its declared behavior. If a "calendar sync" skill starts making outbound HTTP requests to unknown domains, that should trigger an alert, not just a log entry.
Curated supply chains. The open marketplace model needs to die for agent skills. Every skill running inside an agent with real system access should go through human review, not just automated scanning. This is expensive and slow and it's the only approach that actually works.
Reproducible builds. You should be able to verify that the skill you're running matches the source code you reviewed. No build-time injection. No dynamic imports from external sources. If the skill needs to phone home, that should be declared, visible, and opt-in.
The managed platform argument#
I run my agents on RapidClaw, so take this with whatever grain of salt you think is appropriate. But ClawHavoc makes the case for managed platforms more clearly than any marketing copy could.
When you self-host an OpenClaw agent and install skills from ClawHub, you're the security team. You're responsible for auditing every skill, monitoring runtime behavior, isolating execution contexts, and catching supply chain attacks before they hit production. Most solo developers and small teams don't have the bandwidth for that. They install the skill, it works, they move on.
Managed platforms can afford to run curated skill sets because the cost of vetting is amortized across all users. RapidClaw runs every agent in a sandboxed container with no direct server access. Skills go through review before they're available. Runtime behavior is monitored. You're not choosing from 5,920 unvetted packages. You're choosing from a set that someone actually looked at.
That's not a feature. After ClawHavoc, it's a requirement.
What happens next#
ClawHub will tighten their review process. There will be new scanning tools. Someone will publish a "verified publisher" badge system. These are all good things and they're all insufficient.
The fundamental tension is that the AI agent ecosystem wants the velocity of npm with the security posture of a banking platform. Those two things are incompatible. You can have fast, open skill installation, or you can have trustworthy agents. You cannot have both.
Every agent builder needs to audit what skills are running in their agents right now. Not tomorrow. Today. Check the source. Check the dependencies. Check what network calls the skill is making at runtime. If you can't answer those questions, you don't know what your agent is doing. And after this week, "I didn't know" isn't an acceptable answer anymore.
The supply chain is the attack surface. Start treating it like one.
Frequently asked questions#
What is the ClawHavoc supply chain attack?#
ClawHavoc is the name given to a security disclosure that found 1,184 malicious packages out of 5,920 audited skills on ClawHub, the largest marketplace for AI agent plugins. The malicious skills performed data exfiltration, arbitrary code execution, and safety guardrail overrides. Some used typosquatting, obfuscation, and delayed execution to avoid detection, making this the largest AI agent supply chain attack ever discovered.
How do malicious AI agent skills differ from regular malware?#
Unlike traditional malware that runs code in isolation, malicious agent skills operate inside an autonomous reasoning system with access to tools, credentials, and decision-making pipelines. A compromised skill can read emails, send messages as you, modify files, call APIs, and rewrite the agent's own safety boundaries -- all while actively hiding its behavior from monitoring. The attack surface is not just a build script but an entire reasoning engine with system access.
How can I protect my AI agents from supply chain attacks?#
Audit every skill currently running in your agents by checking source code, dependencies, and runtime network calls. For ongoing protection, use skill isolation with explicit permissions, runtime behavioral monitoring that flags unexpected activity, and curated skill sources with human review rather than open marketplaces. Managed platforms like RapidClaw run agents in sandboxed containers with vetted skill sets, which eliminates most supply chain risk by default.
Ready to build your own AI agent?
Deploy a personal AI agent to Telegram or Discord in 60 seconds. From $19/mo.
Get StartedStay in the loop
New use cases, product updates, and guides. No spam.