Unit 42 found 5 malicious skills that passed ClawScan + VirusTotal

Reddit r/openclaw 06/24/26, 06:24 AM News

security malicious-skills ai-agents unit-42 claiscan virustotal

Summary

Unit 42 discovered five malicious AI agent skills that evaded detection by ClawScan and VirusTotal, including referral-hijacking, crypto wallet draining, and a dropper hidden via size padding, demonstrating that signature scanning is ineffective against instruction-based threats.

The two that stuck with me weren't malware at all: money-radar posed as a financial advisor and pulled a referrals.json from a bad domain on every run. The publisher swapped which products the agent recommended at runtime. The affiliate link showed up as expert advice. letssendit pooled SOL from installed agents so the operator could front-run a meme coin launch and dump on pump.fun. A coordinated agent botnet running a rug pull. And the dumb one: omnicogg padded its README with 22MB of junk so scanners skipped the file for being too big. Clean verdict, AMOS dropper inside. Signature scanning does nothing here. A skill that tells your agent to always use a referral link isn't a payload anyone flags. It's just instructions. The Pass badge means nothing. Honestly my takeaway is just: don't install skills. Write your own. If you can read what a skill does, you can write it yourself, and then you actually know what your agent is running.

Original Article

Similar Articles

ClawHub Security Signals: When VirusTotal, Static Analysis, and SkillSpector Disagree

Hugging Face Daily Papers

This paper investigates security scanner disagreement for AI agent skills, finding that VirusTotal, static analysis, and NVIDIA SkillSpector flag different skills with minimal overlap. It releases a sanitized dataset of over 67,000 skill versions to support further research on layered security governance.

I got paranoid about OpenClaw skills injecting crap into my system prompt, so I built a quarantine pipeline with two LLMs as reviewers (93.75% detection, zero false negatives)

Reddit r/openclaw

A developer built a quarantine pipeline using two LLM reviewers (Claude and Codex) to detect injection attacks in OpenClaw skills, achieving 93.75% detection rate with zero false negatives. The system uses a dual mandate of checklist-based pattern matching and open analysis to catch both known and novel injection techniques.

The AI industry’s model and agent skill repositories are full of malware. The infrastructure built to accelerate development is now the vector for compromising it.

Reddit r/ArtificialInteligence

Hugging Face and ClawHub, major repositories for AI models and agent skills, have been systematically compromised with hundreds of malicious entries that steal credentials and hijack systems for cryptocurrency mining, exploiting trust in shared infrastructure.

Malicious skills on claw hub and hugging face

Reddit r/openclaw

Both Claw Hub and Hugging Face have been compromised, with 575 malicious skills uploaded; users are advised to exercise caution when using content from these platforms.

Skill Inspector

Product Hunt

Skill Inspector is a developer tool that audits AI agent skills to help prevent malware risks.