Global: OpenClaw plugin marketplace compromised by supply‑chain poisoning of AI skills

Security researchers and threat analysts have identified a coordinated supply‑chain poisoning campaign that inserted hundreds of malicious extensions into OpenClaw’s official plugin marketplace, ClawHub, revealing systemic weaknesses in how emerging agent ecosystems vet third‑party skills. Malicious packages typically masqueraded as innocuous dependency installers or automation helpers; when run they deployed backdoor components capable of harvesting credentials, browser artifacts and local files. Multiple threat intelligence teams observed overlapping infrastructure — shared domains and IP ranges — linking many of the infected packages to a single organized operation rather than opportunistic, isolated uploads. Vendor audits reported large counts of flagged items (for example, one firm identified 472 malicious skills while another found 341 in a 2,857‑skill sample), demonstrating both scope and persistence. The campaign’s lures favored crypto, finance and automation labels to lower user suspicion and speed installation. Technical analysis shows attackers used runtime‑decrypted payloads (Base64 and similar loaders), commands requesting elevated permissions and social engineering prompts that urged users to paste installers — techniques that evade weak manual review. Compounding the threat, independent research found deployment‑level operational failures across the OpenClaw ecosystem: routine internet scans uncovered hundreds of gateway/admin endpoints reachable without robust access controls, and a separate backend misconfiguration exposed roughly 1.5 million API tokens and about 35,000 email addresses. A client‑side vulnerability in the OpenClaw gateway (tracked as CVE‑2026‑25253) allowed a crafted web page to steal a session credential and escalate it into full gateway authentication and arbitrary host command execution; maintainers released a patch in OpenClaw 2026.1.29 to close that specific vector. Public skill and post feeds (for example, Moltbook) also contained unvetted content: sampling found concealed instruction fragments and prompt‑injection payloads in a measurable fraction of posts (about 2.6% in one 506‑post sample), providing practical avenues for remote attackers to seed skills that later combine and execute. The combination of malware‑laden uploads, exposed tokens, reachable gateways and social‑style skill discovery creates a multiplying attack surface: small injections can be fetched, reassembled and executed across many agents, enabling secrets exfiltration, unauthorized actions and potential lateral movement into developer build systems. Short‑term mitigations include revoking and rotating exposed tokens, upgrading to patched OpenClaw releases, inventorying internet‑reachable instances, and applying IP‑filtering or VPN‑only access to gateways. Platform and marketplace operators should prioritize automated static and dynamic analysis, stronger provenance controls, stricter permission gating for skills, cryptographic signing of builds and clearer developer identity requirements. Left unchecked, these combined operational and supply‑chain failures could turn AI plugin ecosystems into prolific, low‑cost vectors for data theft, extortion and widespread disruption.