
ClawHub, OpenClaw’s community skill marketplace, went from 2,857 indexed skills to over 10,700 in February 2026. Over that same month, researchers tracked the count of confirmed malicious skills rising from 341 to 1,184. That is roughly one in nine packages. The marketplace added no new verification mechanisms, no code signing, no automated scanning, and no publisher identity requirements during that entire growth spike. ClawHub did not have a governance failure. It never had governance to begin with.

The pattern is not unique to ClawHub. Antigravity’s awesome-skills collection hit 1,304 listed skills within weeks of launch, with a README disclaimer that skills are “curated, not audited.” SkillsMP indexes over 160,000 skills scraped from GitHub with no security review. Every new AI agent skill marketplace follows the same playbook: maximize catalog size, defer trust to users, and hope nothing catches fire. That hope ran out in January 2026.


The Growth-Without-Governance Problem

ClawHub’s publishing requirements at the time of the ClawHavoc campaign: a GitHub account at least one week old and a SKILL.md file. No static analysis. No code review. No signature. No verified publisher program. No rate limiting on submissions. The result was predictable.

A single author ID, hightower6eu, uploaded 677 malicious packages according to Antiy CERT’s analysis. Twelve author IDs combined to produce 1,184 malicious skills. The attackers used automated publishing to flood the registry faster than any human reviewer could respond, with submissions arriving “every few minutes” from some accounts. Koi Security dubbed the operation ClawHavoc.

The attack categories reveal a supply chain operation, not script-kiddie mischief. Over 100 skills posed as cryptocurrency tools (Solana wallet trackers, Phantom wallet utilities). 57 masqueraded as YouTube tools. 51 claimed to be finance or social media integrations. The primary payload was Atomic Stealer, a commodity macOS information stealer sold as malware-as-a-service for $500 to $1,000 per month. It harvests Keychain credentials, browser data, cryptocurrency wallets, Telegram sessions, SSH keys, and files from Desktop and Documents folders.

What makes this worse than a typical supply chain attack is the blast radius. A malicious npm package runs in Node.js with constrained system access. A malicious agent skill runs inside an AI agent that already has shell execution, full file system read/write, access to environment variables (including API keys), and the ability to send messages through connected services. Snyk’s ToxicSkills audit found that 36% of all ClawHub skills contain detectable prompt injection, meaning the attack surface extends beyond executable payloads into natural-language instructions that only an LLM would follow.

Why Submission Volume Broke the Model

ClawHub went from under 50 new skill submissions per day in mid-January to over 500 per day by early February. A 10x increase in two weeks. Even if ClawHub had employed human reviewers, which it did not, the volume would have overwhelmed any manual process. The marketplace design assumed that growth was always good and that community curation would surface quality. Both assumptions proved wrong at scale.

The Repello AI analysis estimated that ClawHavoc affected over 300,000 AI agent users. That number comes from OpenClaw’s install base at the time, meaning the blast radius of a single coordinated publishing campaign exceeded many traditional supply chain attacks in reach.


Why “Curated” Is Not “Verified”: The Antigravity Lesson

GitHub awesome-lists have been a trusted discovery mechanism for developers since 2014. They work by social proof: a maintainer picks projects they vouch for, the list gets stars, and the stars signal quality. When awesome-lists started appearing for AI agent skills, users brought the same trust assumptions. Those assumptions do not transfer.

Antigravity’s awesome-skills repository lists 1,304+ skills for Claude Code, Cursor, Codex CLI, Gemini CLI, and other agents. It includes an installer CLI, bundles, and workflows. The README contains a clear disclaimer: skills are “curated, not audited” and “may be updated, modified, or replaced by their original maintainers at any time after being added.” But GitHub stars create a trust signal that contradicts that disclaimer. When a repository accumulates thousands of stars in weeks, users treat it as endorsement.

The gap between perceived trust and actual verification is the core vulnerability. Three distinct trust levels exist in the current ecosystem, and users routinely confuse them:

Unvetted registries (ClawHub, SkillsMP): Anyone can publish. No review. The only barrier is a GitHub account. Roughly 13% of skills on ClawHub contained critical security issues at the time of the ToxicSkills audit.

Curated collections (Antigravity awesome-skills, VoltAgent awesome-agent-skills): A maintainer selects which skills to list. This filters the worst offenders but does not guarantee security. A skill that passes curation today can be updated with malicious code tomorrow. The maintainer does not re-audit after listing. The tech-leads-club/agent-skills project emerged specifically to address this gap, positioning itself as a “managed, hardened library” with validation on every skill.

Verified registries (JFrog AI Catalog): Publisher identity is checked. Skills are scanned on upload. Provenance is tracked. This is the model npm evolved toward after event-stream, but almost no AI skill marketplace has reached this tier.

Users who install skills from an awesome-list believe they are getting vetted software. They are getting a list maintained by someone who thought the skill looked useful. The distance between those two things is measured in compromised credentials.

What npm Built After Getting Burned

The JavaScript ecosystem spent seven years building the security infrastructure that AI skill registries currently lack. That history is a roadmap, not a cautionary tale.

2018: event-stream. A widely used npm package was hijacked to steal cryptocurrency. The attacker gained commit access through social engineering, then added a targeted payload. The package had 2 million weekly downloads. npm’s response was initially reactive: revoke the compromised version, warn users, audit dependencies.

2019-2021: Mandatory 2FA and token management. npm required two-factor authentication for high-impact packages. They introduced granular access tokens, automation tokens for CI/CD, and IP-restricted tokens. These measures made account takeover harder but did not address the publishing pipeline itself.

2022: Verified publishers. npm launched the verified publisher badge, confirming that the publishing entity matches the stated identity. This does not guarantee code quality, but it establishes accountability. If a verified publisher ships malware, there is a real identity to trace.

2023: Sigstore provenance. npm integrated Sigstore to generate provenance attestations. When a package is published with --provenance, the npm CLI works with CI/CD providers to create a cryptographic attestation linking the published package to a specific source commit and build environment. The attestation is logged in a public transparency ledger. You can verify that the code you install was built from the source you can inspect.

2024-2025: Trusted publishing. npm adopted trusted publishing, eliminating long-lived secrets entirely. CI/CD pipelines authenticate via OpenID Connect rather than stored tokens. PyPI followed a parallel path, with trusted publishers becoming the default for new projects by 2024.

AI skill registries have none of these layers. No 2FA requirements for publishers. No verified identity. No provenance attestation. No build transparency. No trusted publishing pipeline. The entire trust model for ClawHub was “read the SKILL.md before enabling.” For Antigravity and SkillsMP, it is “trust the curator” or “trust the search results.” As Snyk’s researchers noted, this model “clearly fails at scale.”


Building the Trust Pyramid AI Skills Need

The pieces for a governed AI skill registry already exist. They just have not been assembled for agent skills yet.

Identity and Provenance

JFrog’s AI Catalog launched in March 2026 as a central control plane that automatically scans, verifies, and signs all AI skills on upload. It detects vulnerabilities, malicious payloads, and compliance risks before skills reach production. JFrog built this for NVIDIA’s OpenShell platform, but the architecture applies to any skill registry.

The Agent Name Service proposal, currently under discussion at the Internet Engineering Task Force, maps agent identities to verified capabilities, cryptographic keys, and endpoints. Think DNS for agents: a resolution layer that binds a skill’s claimed identity to a verifiable publisher.

Automated Scanning at Publish Time

Cisco released an open-source Skill Scanner that combines static analysis, behavioral analysis, LLM-assisted semantic inspection, and VirusTotal integration. Snyk’s mcp-scan uses multi-model analysis to catch prompt injection payloads that regex-based scanners miss. Both tools exist today. Neither is required by any major skill registry before publication.

Running these scanners before listing, not after discovery, would have caught the ClawHavoc campaign before the first user installed a poisoned skill. The 677 packages from hightower6eu followed identical programmatic patterns that any static analyzer would flag.
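The two signals this section describes, a single account submitting every few minutes and hundreds of bodies built from one template with the product name swapped, are cheap to check at publish time. The following is an added example of registry-side triage that holds a listing when either signal fires; it is not ClawHub, Cisco or Snyk code, and the record fields, thresholds, account names and sample submissions are constructed for the demonstration.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Submission:
    author: str     # registry account id (constructed)
    name: str       # skill name
    ts: int         # submission time, seconds since epoch (constructed)
    skill_md: str   # SKILL.md body


def fingerprint(text: str) -> str:
    """Template fingerprint: replace capitalised words (product names such as
    Solana, Phantom, YouTube) and numbers with placeholders, collapse whitespace,
    then hash. Bodies generated from one template with only the name swapped
    collide on the same value."""
    norm = re.sub(r"[A-Z][a-z]+", "NAME", text)
    norm = re.sub(r"\d+", "0", norm)
    norm = re.sub(r"\s+", " ", norm).strip().lower()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def triage(subs: List[Submission], window: int = 3600, max_per_window: int = 5,
           min_cluster: int = 3) -> Dict[str, List[str]]:
    """Return skill name -> reasons to hold the listing for review.
    An empty list means neither signal fired and the skill may auto-list."""
    hold: Dict[str, List[str]] = {s.name: [] for s in subs}
    by_author: Dict[str, List[Submission]] = defaultdict(list)
    for s in subs:
        by_author[s.author].append(s)

    # Signal 1: burst rate per account. Once an account exceeds max_per_window
    # submissions inside any sliding window, every further one is held.
    for items in by_author.values():
        items.sort(key=lambda s: s.ts)
        for i, s in enumerate(items):
            recent = [x for x in items[: i + 1] if x.ts > s.ts - window]
            if len(recent) > max_per_window:
                hold[s.name].append("burst")

    # Signal 2: many bodies from one template, clustered across all accounts so a
    # campaign split over several author ids is still seen as one campaign.
    clusters: Dict[str, List[Submission]] = defaultdict(list)
    for s in subs:
        clusters[fingerprint(s.skill_md)].append(s)
    for fp, group in clusters.items():
        if len(group) >= min_cluster:
            for s in group:
                hold[s.name].append(f"template:{fp}")
    return hold


# Constructed template standing in for a mass-produced "wallet tracker" body.
TEMPLATE = "# {p} Wallet Tracker\nTrack your {p} wallet balance and alert on changes.\n"


def sample_submissions() -> List[Submission]:
    """Constructed data: one account posting a templated skill every three
    minutes, plus one ordinary submission from an unrelated account."""
    products = ["Solana", "Phantom", "Ether", "Bitcoin", "Doge", "Polkadot", "Ripple"]
    subs = [Submission("bulk-account", f"{p.lower()}-tracker", 1_000 + i * 180,
                       TEMPLATE.format(p=p))
            for i, p in enumerate(products)]
    subs.append(Submission("maintainer-a", "pdf-outline", 5_000,
                           "# PDF outline\nExtract headings from a PDF into a tree.\n"))
    return subs


if __name__ == "__main__":
    for name, reasons in triage(sample_submissions()).items():
        verdict = "LIST" if not reasons else "HOLD: " + ", ".join(reasons)
        print(f"{name:18} {verdict}")
```

With the constructed thresholds, the sixth and seventh submissions from the bulk account are held for rate, and all seven are held as one template cluster; the unrelated submission lists normally. Tune `window`, `max_per_window` and `min_cluster` to the registry's real baseline, and treat a hold as a queue for human review rather than an automatic ban.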

Version Pinning and Update Transparency

npm packages have lockfiles. Agent skills do not. When you install a skill, you get whatever version exists at that moment. When the skill author pushes an update, you get the new version silently. There is no package-lock.json equivalent, no changelog requirement, no diff review before upgrade.

A skill that passes review on Monday can be replaced with a malicious version on Tuesday. The curated awesome-list still points to it. The SkillsMP index still shows it. The user’s agent loads the new version on next startup. This is the update-in-place problem that lockfiles solved for package managers a decade ago.

What You Should Do Now

Until registries fix their governance, the burden falls on users. Run Snyk’s mcp-scan on every skill before enabling it: uvx mcp-scan@latest --skills. Use project-level skill directories (.claude/skills/) rather than global installation to limit blast radius. Pin skill versions by forking repositories rather than pointing to upstream. Maintain an inventory of every skill in use across your team. Rotate any credentials that installed skills have access to.

For organizations, treat skill governance like dependency governance. Build an AI Bill of Materials that maps the complete dependency graph of every agent skill deployed. Include skills in your existing software composition analysis pipeline. And push registries toward the npm model: verified publishers, provenance attestation, and automated scanning before publication.
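The update-in-place problem described under Version Pinning, and the pin-and-inventory advice just above, both come down to recording what was installed and checking it before the agent loads it. The following added example implements a minimal lockfile for a project-level skill directory: it hashes every file in each skill, records the digest together with the fork or commit the skill was taken from, and reports any skill whose content changed since it was pinned or that was never pinned at all. This is not OpenClaw, Claude Code or ClawHub code; the `.claude/skills/` layout follows the page, while the lockfile name, its fields and the sample skills are assumptions constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Optional

LOCKFILE = "skills.lock.json"  # assumed name; no agent runtime defines one today


def skill_digest(skill_dir: Path) -> str:
    """SHA-256 over every file in the skill, in a fixed order, with the relative
    path mixed in so that renaming or adding a file also changes the digest."""
    h = hashlib.sha256()
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(skill_dir).as_posix()
        h.update(rel.encode() + b"\0")
        h.update(path.read_bytes() + b"\0")
    return h.hexdigest()


def write_lock(skills_root: Path, sources: Optional[Dict[str, str]] = None) -> dict:
    """Pin every skill directory under skills_root. `sources` optionally records
    where each skill came from (e.g. your fork at a specific commit)."""
    sources = sources or {}
    entries = {}
    for d in sorted(p for p in skills_root.iterdir() if p.is_dir()):
        entries[d.name] = {"sha256": skill_digest(d),
                           "source": sources.get(d.name, "unknown")}
    lock = {"version": 1, "skills": entries}
    (skills_root / LOCKFILE).write_text(json.dumps(lock, indent=2, sort_keys=True))
    return lock


def verify_lock(skills_root: Path) -> Dict[str, str]:
    """Compare the installed skills with the lockfile. Returns skill name ->
    'ok', 'modified' (content drifted since pinning), 'missing', or 'unpinned'
    (present on disk but never recorded). Run this before the agent starts."""
    lock = json.loads((skills_root / LOCKFILE).read_text())
    pinned = lock["skills"]
    present = {p.name for p in skills_root.iterdir() if p.is_dir()}
    status: Dict[str, str] = {}
    for name, entry in pinned.items():
        if name not in present:
            status[name] = "missing"
        elif skill_digest(skills_root / name) == entry["sha256"]:
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in present - set(pinned):
        status[name] = "unpinned"
    return status


def demo() -> Dict[str, str]:
    """Constructed scenario: pin two skills, then one is replaced in place under
    the same name and a third appears without ever being pinned."""
    root = Path(tempfile.mkdtemp()) / ".claude" / "skills"
    for name in ("wallet-tracker", "yt-summarizer"):
        (root / name).mkdir(parents=True)
        (root / name / "SKILL.md").write_text(f"# {name}\nOriginal instructions.\n")
    # Source string is a placeholder for your own fork and commit.
    write_lock(root, {"wallet-tracker": "github.com/your-org/wallet-tracker@<commit>"})
    # The update-in-place problem: same skill name, different content.
    (root / "wallet-tracker" / "SKILL.md").write_text("# wallet-tracker\nChanged instructions.\n")
    # A skill dropped into the directory without going through pinning.
    (root / "extra-skill").mkdir()
    (root / "extra-skill" / "SKILL.md").write_text("# extra-skill\n")
    return verify_lock(root)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{state:9} {name}")
```

Commit the lockfile with the project so every teammate's agent loads the same bytes, and treat `modified` and `unpinned` as a stop condition rather than a warning: the whole point is that a skill which passed review on Monday cannot silently become a different skill on Tuesday. The `source` field doubles as the per-project inventory the section asks for.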


Frequently Asked Questions

Why are AI agent skill marketplaces a security risk?

AI agent skill marketplaces like ClawHub lack basic governance controls: no verified publishers, no code signing, no automated security scanning before publication, and no provenance tracking. Anyone with a week-old GitHub account can publish a skill. Antiy CERT found 1,184 malicious skills on ClawHub in February 2026, and Snyk’s audit showed 36% of all skills contain security flaws. Unlike traditional package managers, agent skills inherit full system permissions including shell access and credential store visibility.

What is the difference between curated and verified AI skill registries?

Curated registries like Antigravity awesome-skills and VoltAgent have a maintainer who selects which skills to list, but does not audit code or monitor for post-listing changes. Verified registries like JFrog AI Catalog check publisher identity, scan skills on upload for malware and vulnerabilities, and track provenance. Curated means someone thought the skill looked useful. Verified means the publisher’s identity is confirmed and the code has been scanned.

What security controls does npm have that AI skill registries lack?

npm built several layers of security after the 2018 event-stream incident: mandatory two-factor authentication for high-impact packages, verified publisher badges, Sigstore-based provenance attestations linking packages to source commits, and trusted publishing via OpenID Connect. AI skill registries currently have none of these controls. There is no publisher verification, no code signing, no provenance tracking, and no build transparency.

How can I protect myself when installing AI agent skills?

Run Snyk’s mcp-scan tool before enabling any skill (uvx mcp-scan@latest --skills). Install skills at the project level rather than globally to limit blast radius. Pin versions by forking skill repositories instead of pointing to upstream. Maintain an inventory of all installed skills. Rotate credentials that installed skills can access. For organizations, build an AI Bill of Materials and include skills in existing software composition analysis pipelines.

What was the ClawHavoc attack campaign?

ClawHavoc was a coordinated malware campaign that planted 1,184 malicious skills on OpenClaw’s ClawHub marketplace in early 2026. Twelve author IDs published skills disguised as cryptocurrency tools, YouTube utilities, and finance integrations. The primary payload was Atomic Stealer, a macOS information stealer. A single author ID (hightower6eu) uploaded 677 malicious packages. The campaign affected an estimated 300,000 AI agent users.