OpenClaw's Skill Marketplace and the Emerging AI Supply Chai...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk
• Blog Title: OpenClaw's Skill Marketplace and the Emerging AI Supply Chain Threat
• Suggested Section: AI Security -> AI Agent Supply Chain / Malicious Skills, or Phishing Methodology -> AI Agent Abuse Local AI CLI Tools And MCP

🎯 Content Summary

Unit 42 analyzed OpenClaw's ClawHub skill marketplace and found that malicious or abusive AI-agent skills remained available between February and May 2026 despite newer screening controls. OpenClaw is an AI agent that executes third-party skills from ClawHub. These skills are markdown-driven packages, typically defined through files such as SKILL.md, README.md and other package metadata. The key security issue is that skill logic is interpreted by the agent an...

🔧 Technical Details

Semantic instruction hijacking in AI-agent skills: In markdown-driven AI-agent ecosystems, a malicious skill can abuse natural-language instructions instead of exploiting a software bug. The attacker places commands, prerequisites, data-fetching rules or workflow constraints in files such as SKILL.md or README.md. Because the agent treats those instructions as part of the skill's logic, the skill can inherit the agent's access to local files, shells, credential managers, authenticated sessions and financial workflows. The reusable trick is to make unsafe behavior look like required setup or normal task execution.

Fake prerequisite block plus Base64 curl | bash delivery: A malicious skill can block normal operation until the agent completes an attacker-defined prerequisite. In the observed TradingView-themed skills, the prerequisite sent execution to rentry[.]co/openclaw-code, where a Base64-encoded terminal comm...

🤖 Agent Actions

Done.

Updated:

• src/AI/AI-MCP-Servers.md

Added concise new coverage for:

• markdown skill marketplaces as AI supply-chain attack surface
• semantic instruction hijacking
• fake prerequisite + paste-site/Base64 dropper pattern
• oversized markdown padding for scanner evasion
• runtime remote-config / affiliate injection
• agentic financial abuse
• practical review heuristics for third-party skills

Also updated the file’s ## References section with the sources used.

Validation:

• Re-read the edited section and references
• Ran local sanity checks successfully
• mdbook build could not be executed here because mdbook is not installed in this environment (mdbook: command not found)

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk

Content Categories: Based on the analysis, this content was categorized under "AI Security -> AI Agent Supply Chain / Malicious Skills, or Phishing Methodology -> AI Agent Abuse Local AI CLI Tools And MCP".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0