The Agent Skills Gold Rush Has a Malware Problem

Three weeks ago, ClawHub had roughly 2,800 skills in its registry. Today it has over 10,700. In that same window, security researchers found **more than 800 malicious packages** — approximately 20% of the entire registry — primarily delivering Atomic macOS Stealer. One user uploaded 354 malicious packages in what appears to have been an automated blitz. There was no static analysis. No code review. No signing requirement. Just an open door and a welcome mat. [](https://substackcdn.com/image/fetch/$s_!CeHA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c697ff7-cb0b-4fac-874a-2be1c558c643_1344x896.jpeg) ## The Marketplace Explosion The skills marketplace isn't just ClawHub anymore. The landscape has fractured into a dozen competing registries, each with its own trade-offs between scale and safety: **SkillsMP** leads with 96,000+ skills and Claude Code compatibility — but zero security audit. **MCP.so** hosts 17,000+ MCP servers with universal compatibility. **SkillHub** offers 7,000+ with AI-based quality scoring (though scoring doesn't check security — a distinction worth noting). And **Vercel** just entered with Skills.sh, a shell-based ecosystem they're positioning as "npm for AI agents." The connective tissue across all of this is the SKILL.md open standard, adopted by Claude Code, Codex CLI, and Gemini CLI since Anthropic published it in December 2025. Skills are now portable across platforms. That's great for distribution. It's terrible for containment. ## The Security Reality The advisories arrived in a cluster last week, and they paint a grim picture: **Conscia** found over 30,000 internet-exposed OpenClaw instances via Censys and Bitsight, many running without authentication. Bitdefender telemetry confirmed OpenClaw on corporate endpoints as "Shadow AI" — the enterprise security nightmare nobody planned for. **Microsoft** published official guidance for running OpenClaw safely, covering identity, isolation, and runtime risk. When Microsoft writes security guides for your open-source project, that's simultaneously the ultimate adoption signal and a red flag about how many people are running it wrong. **Kaspersky** documented the AMOS infostealer campaign targeting ClawHub skills specifically. **SecurityWeek** reported on CVE-2026-25253 — a CVSS 8.8 one-click RCE vulnerability patched in January but still unpatched on many instances. And **The Register** found that 7% of one major registry's skills were literally leaking API keys through the LLM context window. ## The npm Parallel Is Exact If this feels familiar, it should. The agent skills ecosystem is replaying the npm supply chain crisis at 10x speed. Open registry with low barriers to entry. Automated bulk publishing. Typosquatting. Malicious payloads hiding behind legitimate-sounding package names. The only difference is the attack surface — when a malicious npm package runs, it compromises your build pipeline. When a malicious agent skill runs, it compromises your *agent*, which has access to your files, your APIs, your credentials, and increasingly your entire digital life. The responses are predictable and insufficient. VirusTotal partnered with ClawHub for automatic malware scanning — necessary but reactive. SecureClaw launched as an open-source auditing tool — useful but opt-in. The Snyk team found that 36% of scanned skills contained prompt injection, suggesting the problem extends well beyond traditional malware into the gray zone of skills that manipulate agent behavior without deploying a payload. ## What Builders Should Do Now If you're running OpenClaw or any agent framework with third-party skills: **Audit what you have installed.** Run `openclaw security audit --deep` if available. Review skill permissions manually if not. Skills with writable path declarations, network access, or credential requests deserve extra scrutiny. **Pin versions and verify sources.** Don't auto-update skills. Treat every update like a dependency upgrade in production — review the diff, check the maintainer history, verify the repository. **Cross-list if you publish.** SkillsMP's 96K skills and Claude Code compatibility make it worth listing on multiple registries. But publish with security in mind: localhost-only where possible, minimal permissions, clear documentation of what your skill accesses and why. The gold rush is real. The claims are being staked. But 20% of the territory is mined, and the prospectors are still running in barefoot. --- *Originally published on [The Undercurrent](https://www.theundercurrent.dev/p/the-agent-skills-gold-rush-has-a?utm_source=devto&utm_medium=crosspost&utm_campaign=the-agent-skills-gold-rush-has-a)*