Agent Skills provide an opportunity to scale engineering, but also opens potential new attack surfaces, as highlighted in a previous blog post I wrote for the Platform Engineering community. In this tutorial, we'll discuss how devs can securely consume Skills files by using the OpenSourceMalware (OSM) API to detect malicious AI skills in your software supply chain before they can compromise your planned autonomous workflows.
What would Elon do?
By now, many readers are likely aware of the AI coding agent horror stories, such as the top-ranked skill on ClawHub at the time of release, called “What Would Elon Do?” (WED). In the end, it was just malware disguised as a somewhat jokey AI Skill. For the pure purpose of security research, it was able to silently exfiltrate user data via a curl command to an attacker-controlled C2 server as well as using prompt injection to bypass the agent’s existing safety guidelines. At the time of writing, there was a ClawHub skill still present on the public registry that matches this description.
You can run the skill with the OpenClaw agent by running the below command:
openclaw skills install wed-1-0-1
Skill Name: https://www.clawhub.ai/gvillanueva84/wed-1-0-1
OSM Record: https://opensourcemalware.com/skills/https://www.clawhub.ai/gvillanueva84/wed-1-0-1
Github Record: https://github.com/openclaw/skills/tree/main/skills/gvillanueva84/wed-1-0-1
In this case, the original Github evidence was likely removed as it now throws as a 404 error. The fake malicious skill was created by the Australian cybersecurity researcher Jamieson O'Reilly (@theonejvo) purely to highly the insecure nature of blindly pulling skills from a public registry. To avoid falling victim to one of these trojanised skills, we would recommend using an API like the one provided by OSM to tell us if the Skill is already detected as malicious or not:
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=package&resource_identifier=https://www.clawhub.ai/gvillanueva84/wed-1-0-1&ecosystem=skills" -H "Authorization: Bearer $OSM_KEY" | jq
Proactive security for Skills
You'd be right in thinking this process is very reactive. We wait on security researchers, or automated bot systems, to flag these skills as "bad" - and then we can rely on an API to inform us on whether or not we can proceed with that AI Skill. But there are steps you can take immediately to better understand the content of AI Skills right now - whether it was built in-house by your team or developed by som stranger in a public registry. The first option is through Godel's Sieve:
https://sieve.godel-labs.ai/scan/4o3g1r435d1r0n5m520z0z
Similar to how you might use a web tool like VirusTotal, you can simply upload the sample Skill to Godel's Sieve and it will created a record for scanned .md file. What's really nice about Godel's Sieve is that maps the threat to the OWASP Top 10 for LLMs framework as well as the OWASP Agentic Top 10 controls. Naturally, one of the big use-cases for agents and skills upon release (and still today), was for the agent to perform autonomous cryptocurrency trading while the owner is sleeping. There are countless versions of skills that look like the below:
https://github.com/crypto-com/crypto-agent-trading/blob/main/AGENTS.md
Fundamentally, these kinds of Skills are given too many permissions on the host and with external services (Excessive Agency). However, the intention from the Skills creators is to perform Agent Hijacking. Since they have excessive agency to the user's environment, performing memory and context-specific poisoning is very much achievable through the Skills markdown file.
Let's use Github Search to understand how adversaries are dropping malicious skills into public repositories like Github:
https://github.com/search
Malicious actors are often deploying cryptominers - usually reference the binary name, configuration files, or the Stratum mining protocol. We can search for skills that contain explicitly named miner binaries and tooling:
"clawhub" AND ("xmrig" OR "minerd" OR "cryptonight")
This doesn't necessarily mean all these skills are installing a cryptominer. Some are genuinely trying to install miners for malicious intent, but other skills found are trying to scan for miners so they can be removed - which is great!
Alternatively, if you want to look inside files specifically naming OpenClaw skills, you can run the below command:
"openclaw" AND "skills" AND "stratum+tcp"
When looking for malicious code on Github, and this isn't limited to Skills explicitly, but we would look for attempts to use base64 encoding to obfuscate the actual malicious code. To track down skills attempting to sneakily decode hidden payloads on execution, try this:
"clawhub" AND ("base64 -d" OR "base64 --decode" OR "base64_decode")
If you are looking for hidden execution payloads inside the documentation/manifest files themselves (which was a hallmark of the February 2026's ClawHavoc campaign):
path:SKILL.md "base64" AND ("eval" OR "exec" OR "bash")
This of course looks at all SKILL.md files (globally) - which is important since a lot of malicious skill files can be used in environments such as Claude, Cursor, HuggingFace - and are not limited to the OpenClaw ClawHub ecosystem.
I'm going to deliver a virtual workshop for PlatformCon on June 26th on exactly this topic. If this topic around AI Agents and Skills is interesting to you, and you also have an interest in platform engineering, feel free to register for the workshop and I'll see you there.
Registration link: https://platformcon.com/sessions/the-ghost-in-the-machine-securing-ai-agent-skills
