A major security warning has hit the OpenClaw AI ecosystem. Blockchain security firm SlowMist found a large supply chain attack inside ClawHub. It is a platform’s plugin marketplace. The issue surfaced after Koi Security scanned 2,857 skills and flagged 341 of them as malicious.
SlowMist reports supply chain poisoning in OpenClaw’s ClawHub plugin center. Weak reviews allowed numerous malicious skills to infiltrate and spread harmful code. Koi Security scanned 2,857 skills, identifying 341 malicious. SlowMist analyzed >400 IOCs, revealing organized batch… pic.twitter.com/5Kwho8aXMQ
— Wu Blockchain (@WuBlockchain) February 9, 2026
That means around 12% of the scanned plugins carried harmful code. The discovery raised concerns because OpenClaw has grown fast in recent months. Its open-source agent tools attracted many developers. It is also made the platform a bigger target for attackers.
Weak Reviews Let Malicious Skills Slip In
The attack worked because of weak review checks in the plugin store. Hackers uploaded skills that looked normal on the surface. However, the code inside them carried hidden instructions. SlowMist said many of these skills used a two-stage attack. First, the plugin contained obfuscated commands. These often appeared as normal setup or dependency steps. But the commands secretly decoded hidden scripts.
Then, the second stage downloaded the real malicious payload. The code pulled data from fixed domains or IP addresses. After that, it executed malware on the victim’s system. One example involved a skill called “X (Twitter) Trends.” It looked harmless and useful. However, it hid a Base64-encoded backdoor. The code could steal passwords, collect files and send them to a remote server.
Hundreds of Malicious Plugins Found
The scale of the attack surprised many analysts. Out of 2,857 scanned skills, 341 showed malicious behavior. Koi Security linked most of them to one large campaign. SlowMist also analyzed more than 400 indicators of compromise. The data showed organized batch uploads. Many plugins used the same domains and infrastructure.
The risks were serious for users running these skills. Some plugins requested shell access or file permissions. That gave the malware a chance to steal credentials, documents, and API keys. Some fake skills even mimicked crypto tools, YouTube utilities or automation helpers. These familiar names made them easier to install without suspicion.
Security Firms Urge Caution
Security researchers have already started cleanup efforts. SlowMist reported hundreds of suspicious items during early scans. Meanwhile, Koi Security released a free scanner for OpenClaw skills. Experts now warn users to avoid blindly running plugin commands. Many attacks started from simple setup steps inside skill files. Users should also avoid skills that ask for passwords or broad system access.
Developers are also urged to test plugins in isolated environments. Independent scans and official sources should be the first line of defense. This incident shows the risks inside fast growing AI ecosystems. Plugin marketplaces often move quickly, but security checks may lag behind. As AI agents gain more power, these platforms will need stronger review systems. Until then, users may need to treat every plugin like a potential threat.