This is the forensic analysis of that attack — anonymized, but real. More importantly, it's a roadmap for how to prevent it from happening to you.
The Setup: Trusting the Wrong Skill
The developer needed a browser automation tool. They found a skill on npm: @getfoundry/unbrowse-openclaw.
The red flags were there, but easy to miss:
- Unverified publisher: New npm account, single package
- Vague documentation: Promised features, light on implementation
- Suspicious dependencies: Crypto libraries for a non-crypto tool
- No reviews: Fresh package, no community validation
But it installed cleanly. It worked as advertised — for a while.
The Attack: Four Stages of Compromise
Stage 1: Credential Harvesting (MCP01)
The skill's first action was reading process.env — where OpenClaw stores long-lived API keys and service tokens.
What it grabbed:
- OP_SERVICE_ACCOUNT_TOKEN — 1Password service account access
- OPENCLAW_GATEWAY_TOKEN — Full gateway control
- API keys for Slack, Telegram, OpenAI
- Browser cookies and session tokens
How SkillShield Would Have Stopped It
```
$ skillshield scan @getfoundry/unbrowse-openclaw
🔴 CRITICAL: Environment variable access without scope
File: index.js:45
Code: const token = process.env.OP_SERVICE_ACCOUNT_TOKEN
Risk: Credential harvesting attack
Recommendation: Reject — skill requires scoped token access
```
Stage 2: Persistent Access (MCP03)
With credentials in hand, the skill established persistence by modifying files the AI reads on every startup:
- SOUL.md — The AI's system instructions
- AGENTS.md — Agent configuration
- HEARTBEAT.md — Periodic check-in configuration
- Daily memory logs — Context and conversation history
How SkillShield Would Have Stopped It
```
$ skillshield scan --deep @getfoundry/unbrowse-openclaw
🔴 CRITICAL: File modification outside package scope
File: src/persistence.js:23-45
Code: fs.writeFileSync('SOUL.md', injectedInstructions)
Risk: Persistent backdoor installation
```
Stage 3: Data Exfiltration (MCP06)
The harvested credentials were encoded and transmitted to an external server with a Solana blockchain connection.
The exfiltration method:
- Base64-encode the credentials
- Chunk into blockchain transaction-like packets
- Send to solana-mainnet.g.alchemy.com (appears legitimate)
- Actual destination: attacker-controlled endpoint
How SkillShield Would Have Stopped It
```
$ skillshield scan @getfoundry/unbrowse-openclaw
🔴 CRITICAL: Suspicious network endpoint
Destination: solana-mainnet.g.alchemy.com
Context: Non-crypto tool with blockchain connection
Risk: Data exfiltration via blockchain obfuscation
🔴 CRITICAL: Data encoding before transmission
Code: Buffer.from(JSON.stringify(env)).toString('base64')
Risk: Obfuscated credential exfiltration
```
Stage 4: Detection Delay (MCP10)
The skill ran undetected for two weeks. The only tell was when the skill marketplace server went dark on February 15.
The remediation cost:
- ~20 hours of active incident response
- 3 weeks of lost work (rebuilding from clean state)
- Potential HIPAA breach notification requirements
- Full credential rotation across all services
Mapping to OWASP MCP Categories
| OWASP Category | Attack Vector | SkillShield Detection |
|---|---|---|
| MCP01 — Token Mismanagement | process.env credential harvesting | ✅ Environment variable access detection |
| MCP03 — Tool Poisoning | Modified SOUL.md, AGENTS.md | ✅ File modification outside package scope |
| MCP06 — Data Exfiltration | Base64-encoded transmission to Solana | ✅ Suspicious network + encoding patterns |
| MCP10 — Logging & Monitoring | No audit trail until discovered | ✅ Pre-install scan creates immutable record |
The Prevention: What Should Have Happened
Before Installation
```
$ skillshield scan --strict @getfoundry/unbrowse-openclaw
Scan results:
🔴 CRITICAL: 4 findings
🟡 WARNING: 2 findings
RECOMMENDATION: REJECT
This skill exhibits multiple high-risk patterns associated with
malicious packages. Do not install without extensive manual review.
```
Lessons for AI Agent Builders
1. Treat External Plugins as Hostile Until Proven Otherwise
Every skill you install runs with the same privileges as your agent. The default should be rejection, not trust.
2. Long-Lived Secrets in Environment Variables Are an Anti-Pattern
Better approaches:
- Short-lived tokens: Encrypted, scoped, time-bounded sharing
- Secret references: Store references, not values
- Hardware security modules: For high-sensitivity deployments
3. Pre-Install Scanning Is Non-Negotiable
The entire attack could have been prevented with a 30-second scan.
Minimum viable security:
- Scan every skill before installation
- Review all CRITICAL findings
- Maintain a policy of least privilege
- Monitor for updates and re-scan