On February 9, 2026, the Slow Mist security team discovered 341 malicious skills on OpenClaw's official plugin center, ClawHub. These skills disguise themselves as crypto asset tools, security checkers, or automation scripts, but execute meticulously designed attack instructions underneath. One skill named "Crypto Portfolio Optimizer," after gaining user trust, began scanning the local system's ~/.config directory for MetaMask extension files and mnemonic phrase backups.This is not an ordinary malware incident. It marks the evolution of cybersecurity threats into a new phase: attackers are no longer just exploiting software vulnerabilities but are beginning to attack the trust relationship between humans and AI. When millions of users are accustomed to giving instructions like "help me manage my crypto assets" or "check the security of this transaction" to AI assistants, a polluted AI ecosystem becomes the most elegant backdoor into the Web3 world.
A Fundamental Shift in Attack Paradigm: From Code Vulnerabilities to "Intent Hijacking"
Traditional cybersecurity revolves around code vulnerabilities: buffer overflows, SQL injection, cross-site scripting. These attacks exploit mistakes in software implementation. AI Agent security faces a completely different threat model—intent hijacking.
Users express intentions to AI Agents: "Please analyze my investment portfolio," "Help me execute a trade on Uniswap," "Check the security of this smart contract." In a healthy ecosystem, the AI calls the corresponding tool skills to complete these tasks. But in a polluted ecosystem, malicious skills "hijack" this intent. Superficially, the AI is indeed performing the requested operation—generating an investment analysis report, executing a transaction, returning a security check result. Simultaneously, however, it executes operations never authorized by the user in the background: uploading private keys to a remote server, tampering with transaction recipient addresses, transferring user assets to attacker-controlled wallets.
The concealment of such attacks stems from the black-box nature of AI interaction. Users struggle to understand the detailed process of how the AI completes tasks, only seeing the final result. When a portfolio analysis skill requests "temporary access to your browser extension data to fetch real-time prices," most users will click agree, unaware that this permission is being used to steal wallet information. The collective appearance of 341 malicious skills proves this attack pattern has achieved industrialized production, forming a complete "skill supply chain" attack system.
Dissecting the Attack Chain: The Playbook of 341 Malicious Skills
The attack details disclosed by Slow Mist reveal a highly mature attack methodology. Malicious skills commonly use a two-stage loading mechanism to evade detection: the first stage fetches the second-stage attack payload via Base64-encoded curl commands, and the second stage deploys an executable file named dyrtvwjfveyxjf23. This design makes the skill's code itself appear harmless, revealing malicious behavior only upon execution.
More importantly is the precise targeting of the attacks. These skills are not randomly distributed malware but spear-phishing attacks specifically designed for crypto users. "Crypto Asset Checker," "Gas Fee Optimization Tool," "Smart Contract Audit Assistant"—each skill name precisely targets the core needs of Web3 users. Attackers deeply understand the psychology of their target users: crypto users are highly security-sensitive, thus more easily attracted by "security check" type skills; they pursue efficiency, thus will try "automated trading" tools; they need to manage multiple wallets, thus will use "asset aggregators."
The ultimate goals of the attacks also show a clear escalation path. Early attacks mainly stole system information and documents, while the newly discovered skills have begun to include modules specifically targeting crypto assets: scanning for MetaMask extension data in browsers, searching for configuration files of common wallet applications, looking for keystore directories and mnemonic phrase backup files. Some skills even attempt to interact with locally running Ethereum nodes, probing RPC endpoint configurations. From "obtaining system information" to "stealing crypto assets," attackers are rapidly evolving along the path of highest value density.
Projecting the Next Generation of Attacks: When AI Agents Become the Premium Entry Point for APTs
If current attacks are merely "proofs of concept," then the threats in the next stage will fundamentally change the cybersecurity landscape. AI Agents could become the dream entry point for Advanced Persistent Threat (APT) actors. Attackers might target a specific crypto project team, custom-develop a "Smart Contract Collaborative Development Assistant" skill. This skill is pushed to ClawHub and, via social engineering, guides the target team to install it. Once running, it not only steals the team's development keys and wallet information but also implants backdoors in the codebase, automatically transferring control to the attacker upon smart contract deployment. Throughout the attack, the AI Agent becomes the "Trojan horse," and the user voluntarily invites it through the gates.
Attackers might also stop creating single malicious skills and instead pollute the skill version of a popular open-source tool. Imagine a widely used "Web3.py Interaction Assistant" skill being implanted with malicious code; all users employing this skill to interact with the blockchain might have their transactions silently tampered with. The amplification effect of such an attack far exceeds traditional supply chain attacks because the propagation speed and user trust in AI skills are both higher. Future malicious skills might even possess a certain degree of autonomous decision-making ability. It could observe a user's operational patterns: if the user frequently interacts with DeFi protocols, focus on stealing DeFi-related keys; if the user holds a large number of NFTs, target NFT marketplace authorizations. This adaptive capability would render traditional rule-based security detection utterly ineffective.
A Revolution in Security Paradigm: From "Signature Detection" to "Behavioral Intent Monitoring"
Faced with AI Agent security threats, traditional security solutions are obsolete. Antivirus software's signature databases cannot handle the hundreds of new AI skills generated daily; firewall network traffic monitoring cannot see the flow of intent inside AI Agents; permission-based access control is too coarse-grained to distinguish between "legitimate wallet reading" and "malicious key theft."
The new security paradigm must be rebuilt around three core principles: Real-time Alignment and Verification of Intent and Behavior. Security systems need to monitor the complete execution chain of an AI Agent: the user's original input intent → the AI's understood intent decomposition → specific operations of skill calls → the final produced effects. Any deviation between steps should trigger alerts. If a skill attempts to read browser extension data under the intent of "checking investment portfolio," this should be flagged as suspicious behavior. Sandboxed Execution Environment with Least Privilege. Each AI skill should run in a strictly isolated sandbox, with access only to the minimum dataset necessary to complete the task. If it's an investment analysis skill, it doesn't need filesystem access; if it's a transaction execution skill, it only needs interaction permissions for a specific DApp, not control of the entire browser. Containerization technologies similar to Docker need to be introduced into the AI Agent ecosystem. Decentralized Reputation and Verification Network. Sole reliance on a centralized "official plugin center" for security review has proven to be a single point of failure. The future requires establishing a decentralized reputation system akin to smart contract audits: skill developers publish skills with verifiable identities, security experts audit skills and publish audit reports, and users make installation decisions based on audit history and community feedback. Blockchain technology itself can be used to store skill hashes and audit proofs, ensuring immutability.
Emergency Action Guide: Fortifying Defenses Before the Storm
For Web3 users, developers, and project parties, immediate action is critical. Ordinary users should follow the "three no's principle" for skill installation: do not install skills from unknown sources, do not install skills requesting excessive permissions, do not install skills without community verification history. Simultaneously, establish a "three-layer defense" of environmental isolation: use dedicated devices or virtual machines for crypto asset operations, physically separate the AI Agent usage environment from the asset storage environment, set different security levels for wallets used for different purposes. Behavioral monitoring also requires setting up "three checkpoints": regularly review the list of installed skills, monitor AI Agent network connection requests, audit files and system changes generated by skills.
Developers need to implement "shift-left security" in engineering practices, considering security constraints during the skill design phase, implementing fine-grained permission management, and avoiding blanket "all-or-nothing" authorizations. Perform "deep audits" of all third-party dependencies, especially those handling sensitive data or performing critical operations. Integrate automated security scanning into CI/CD pipelines, conduct static and dynamic analysis on every version of a skill, and establish a "security gate" for continuous integration.
Project parties must assume ecosystem responsibility, establishing strict "access mechanisms" for skill markets, requiring developers to provide identity verification and security descriptions for skills, formulating clear "emergency response" plans for security incidents, including rapid takedown, user notification, and loss assessment. Encourage white-hat hackers to discover security issues through bug bounty programs, enhance the entire ecosystem's security awareness through security education, and build a healthy "security culture."
Redefining Trust Boundaries in the Age of Intelligence
The 341 malicious skills are not just a security incident; they are a declaration of redrawn boundaries. On one side of this boundary lies the limitless potential of AI Agents as productivity tools; on the other side lies attackers launching dimension-reduction strikes by exploiting the new trust relationship between humans and AI. In the past, we built security defenses at the levels of operating systems, applications, and network protocols. Now, we must establish a new defense line at the layer where intent translates into execution. This line no longer protects merely data and systems, but the foundation of trust for human-AI collaboration.
For the Web3 world, this challenge is especially severe. Web3's core promise is to return control from centralized institutions to the individual, and AI Agents could become the "Trojan horse" of this promise—superficially granting users greater control, while actually introducing new centralization risk points. If users must completely trust AI Agents to safely manage their crypto assets, then the core tenet of "your keys, your crypto" becomes meaningless in practice. The solution will not come from a single technology or a single team. It requires the collective participation of security researchers, AI developers, blockchain engineers, and end-users. It requires new security protocols, new audit standards, new governance models. But most importantly, it requires a cognitive awakening: while embracing the efficiency revolution brought by AI, we must guard the redefined trust boundary between humans and machines with equal, if not greater, vigilance. The 341 malicious skills are an alarm but also an opportunity. They force us to confront and solve the most profound security challenges of AI Agents before they become mainstream. The outcome of this battle will determine whether we move towards a future where everyone can safely use intelligent agents or step into a dark forest where every AI assistant could be a potential attacker. The choice lies in the present moment.
