March 5, 2026 · 7 min read

2,200 Malicious Skills Found in the Wild — What the OpenClaw Security Report Means for AI Platforms

SkillShield Research Team

Security Research

The Numbers Are In — And They're Bad

Last week, a researcher published what may be the most detailed public audit of an AI agent skill ecosystem to date. Using the OpenClaw marketplace as a live test bed and mapping findings against the OWASP Agentic AI Top 10, they catalogued:

  • 2,200 malicious or suspicious skills in active distribution
  • 9 CVEs attributable to skills shipped without security review
  • Exploits spanning prompt injection, credential exfiltration, and unauthorised tool chaining

The thread hit r/artificial (1.23M subscribers). The comments aren't panicking — they're asking: "Why wasn't this caught before shipping?"

That's the right question.

Static Scanning Isn't Enough — ClawDefend Proved It

The same week, a developer posted to Hacker News under "Show HN: Scanning 277 AI Agent Skills for Security Issues." Their tool, ClawDefend, runs a combination of static analysis and LLM-assisted review. Results:

  • 277 skills scanned
  • 9,710 findings — averaging 35 findings per skill
  • 70% of skills triggered at least one security rule

ClawDefend is free, well-built, and the methodology is open. It also surfaced something the community needs to say out loud: static scanning alone cannot catch runtime behaviour.

Rules-based scanners are good at finding known patterns — hardcoded secrets, suspicious imports, known malicious signatures. They struggle with:

  • Intent drift — skills that look clean but behave differently in agent context
  • Chained tool abuse — skills that are individually safe but dangerous when combined
  • Runtime credential harvesting — exfiltration that only triggers after a session is established
  • Prompt injection payloads embedded in skill metadata or descriptions

This is the gap SkillShield is built for. For a detailed breakdown of how these attacks are constructed, see our post on the anatomy of a malicious skill and our analysis of tool poisoning attacks.

Runtime Security Is a Different Problem

SkillShield operates at the layer ClawDefend can't reach: runtime.

When a skill is invoked inside an agent session, SkillShield monitors the execution trace — not just the code. It scores behaviour across four dimensions:

  1. Permission scope — is the skill requesting access it was never granted?
  2. Data movement — is it touching credentials, tokens, or personal data in unexpected ways?
  3. External egress — is it making network calls to domains outside its declared scope?
  4. Tool chaining patterns — is it orchestrating other tools in ways that bypass approval workflows?

Static analysis tells you what a skill says it will do. Runtime monitoring tells you what it actually does.
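One way to score a session trace along those four dimensions, as an added example that is not SkillShield's or ClawDefend's code; the manifest layout, the trace event shape, the sample trace and the weights are assumptions constructed here:

```python
# Toy runtime monitor for skill execution traces (added example, not SkillShield's
# code). Manifest format, trace shape, sample data and weights are constructed here.
from urllib.parse import urlparse

# Constructed manifest: what the skill declares it will do.
MANIFEST = {
    "permissions": {"calendar.read", "calendar.write", "http.post", "email.send"},
    "egress_domains": {"api.calendar.example"},
    "approval_required": {"email.send"},
}

# Constructed trace of one session: what the skill actually did.
TRACE = [
    {"t": 1, "tool": "calendar.read", "args": {}},
    {"t": 2, "tool": "fs.read", "args": {"path": "/home/u/.aws/credentials"}},
    {"t": 3, "tool": "http.post", "args": {"url": "https://collector.example.net/u"}},
    {"t": 4, "tool": "email.send", "args": {"to": "a@example.net"}, "approved": False},
]

SENSITIVE_MARKERS = (".aws/credentials", ".ssh/", ".env", "token")
WEIGHTS = {"permission_scope": 3, "data_movement": 4,
           "external_egress": 4, "tool_chaining": 5}


def score_trace(manifest, trace):
    """Return (risk_score, findings); each finding is (dimension, t, detail)."""
    findings = []
    for ev in trace:
        tool, args, t = ev["tool"], ev.get("args", {}), ev["t"]
        # 1. Permission scope: a tool the manifest never declared.
        if tool not in manifest["permissions"]:
            findings.append(("permission_scope", t, tool))
        # 2. Data movement: reads of credential-like paths.
        path = str(args.get("path", ""))
        if any(m in path for m in SENSITIVE_MARKERS):
            findings.append(("data_movement", t, path))
        # 3. External egress: network call to a host outside declared scope.
        if tool.startswith("http."):
            host = urlparse(args.get("url", "")).hostname or ""
            if host not in manifest["egress_domains"]:
                findings.append(("external_egress", t, host))
        # 4a. Tool chaining: approval-gated tool invoked without approval.
        if tool in manifest["approval_required"] and not ev.get("approved"):
            findings.append(("tool_chaining", t, f"{tool} without approval"))
    # 4b. Tool chaining: a sensitive read followed by undeclared egress.
    reads = [t for d, t, _ in findings if d == "data_movement"]
    chains = [("tool_chaining", t, f"sensitive read then egress to {h}") for d, t, h
              in findings if d == "external_egress" and any(r < t for r in reads)]
    findings.extend(chains)
    return sum(WEIGHTS[d] for d, _, _ in findings), findings
```

A static scan of this skill's source would see only the declared calendar tools; the credential read and the undeclared egress appear only in the trace.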

Owning the Narrative: This Is Why We're Building

We'll say the quiet part loud: the OpenClaw CVE report isn't a scandal — it's a proof of concept for the exact problem SkillShield exists to solve.

Every AI skill marketplace faces the same challenge. Skills are often AI-generated. Review processes are manual and don't scale. Publishers range from enterprise security teams to solo developers who haven't thought about supply chain risk. The threat model is new enough that most platforms don't have the vocabulary for it yet, let alone the tooling.

SkillShield's bet is simple: the agent skill layer will become the new browser extension ecosystem — with the same surface area, the same distribution challenges, and the same abuse potential. The browser extension security story took ten years to mature. The AI agent skills story is moving ten times faster.

The researchers who published the OpenClaw audit framed it as a cautionary tale. We'd frame it differently: it's an accurate description of the current state, and the right response is a structured security layer, not a takedown.

That's what we're building.

What You Can Do Now

If you're a platform operator or developer working with AI skills, three concrete steps:

  1. Audit your dependency chain. Know every skill your agents can invoke. ClawDefend is free — run it.
  2. Add a review gate. Don't ship skills without a structured approval step. Manual review is better than none; automated scoring is better than manual.
  3. Monitor at runtime. Static review is table stakes. Behavioural monitoring is where the real risk lives.

If you're building a platform and want a runtime security layer without building it yourself, SkillShield is in early access.
Sources

  • External OWASP Agentic case study (OpenClaw ecosystem, 9 CVEs, 2,200 skills): https://gsstk.gem98.com/en-US/blog/a0087-openclaw-meltdown-owasp-agentic-living-case-study
  • r/artificial thread — "The OpenClaw Meltdown: 9 CVEs, 2,200 Malicious Skills": https://www.reddit.com/r/artificial/comments/1rkiq9a/the_openclaw_meltdown_9_cves_2200_malicious/
  • HN "Show HN: Scanning 277 AI Agent Skills for Security Issues" (ClawDefend): https://news.ycombinator.com/item?id=47234428
  • HN "When AI Writes the Software, Who Verifies It?" — 127pts: https://news.ycombinator.com/item?id=47215027
  • OWASP LLM / Agentic AI Top 10: https://owasp.org/www-project-top-10-for-large-language-model-applications/