OpenClaw’s plugin marketplace, ClawHub, has come under security scrutiny after researchers uncovered a large number of malicious plugins embedded within the platform.
Blockchain security firm SlowMist says gaps in the review process allowed harmful code to spread through plugins that appeared legitimate.
The findings highlight growing supply chain risks across fast-scaling AI ecosystems, where official plugin hubs are often trusted by developers.
As ClawHub gained traction among AI agent builders, its moderation systems failed to keep pace with growth, creating an opening for attackers to distribute unsafe code through everyday development tools.
Weak checks draw attention
SlowMist says ClawHub’s screening controls were not strict enough to detect hidden threats before publication.
Attackers allegedly submitted skills that looked useful on the surface but contained concealed commands capable of triggering harmful actions once installed.
Because plugins are hosted on an official OpenClaw platform, developers were more likely to follow installation instructions without deep inspection.
Researchers warn that this implicit trust increases exposure, allowing malicious code to propagate quietly across projects that reuse popular skills.
🚨 Threat Intelligence | Analysis of ClawHub Malicious Skills Poisoning
As the #OpenClaw AI agent ecosystem rapidly grows, SlowMist has observed ClawHub becoming a new target for large-scale supply chain attacks. Due to insufficient review mechanisms, hundreds of malicious
Scale of exposure emerges
Independent analysis suggests the issue is not limited to a handful of plugins. A separate scan by Koi Security reviewed 2,857 skills on ClawHub and flagged 341 as malicious.
SlowMist carried out its own investigation, tracking more than 400 threat indicators across the ecosystem.
That deeper review identified repeated technical patterns linking many of the unsafe skills.
According to researchers, the overlap points to an organised effort rather than isolated uploads.
Multiple plugins appeared to rely on similar infrastructure, indicating sustained activity rather than one-off abuse.
Installation process exploited
Researchers say the attacks hinge on how OpenClaw skills are structured. Many rely on instruction files that users execute directly during setup.
Attackers took advantage of this design by embedding hidden download-and-run commands within those instructions.
In several cases, the initial commands were obfuscated using encoded text to disguise their true function.
Once decoded and executed, the code quietly retrieved a secondary program from an external server.
That second-stage payload then performed the malicious activity.
This layered method makes detection more difficult and allows attackers to update the harmful component without changing the visible plugin listing, extending the lifespan of the threat.
Shared infrastructure raises red flags
SlowMist says its analysis linked many of the malicious skills to a small group of domains and server addresses, including 91.92.242.30.
The repeated use of the same infrastructure across different plugins suggests coordination and planning.
Security teams are now urging OpenClaw users to scrutinise installation steps carefully and avoid running unfamiliar commands.
Until stronger review and monitoring controls are implemented, researchers warn that ClawHub could remain an attractive target for supply chain-style attacks targeting AI developers.
The post Researchers warn OpenClaw users after malicious plugins surface on ClawHub appeared first on Invezz
