The SlowMist security team conducted an analysis immediately after the incident was exposed and issued an alert to clients through MistEye, while continuously tracking new malicious skills on ClawHub.
Authors: Yao & sissice
Editor: 77
background
Recently, the open-source AI agent project OpenClaw has unexpectedly gained popularity, and its official plugin center, ClawHub, has quickly attracted a large number of developers. SlowMist security team monitoring revealed that ClawHub is gradually becoming a new target for attackers to carry out supply chain poisoning. Due to the platform's lack of a robust and rigorous review mechanism, a large number of malicious skills have been infiltrated and used to spread malicious code or deliver harmful content, posing potential security risks to developers and users.
The SlowMist security team conducted an analysis immediately after the incident was exposed and issued an alert to clients through MistEye, while continuously tracking new malicious skills on ClawHub.
In the OpenClaw ecosystem, the more accurate term for skills is the "skill folder" under the AgentSkills specification, with the core file usually being SKILL.md.
The core risk of SKILL.md lies in the fact that it is not an auditable and reproducible build artifact from the code repository, but rather a set of instructions that users can easily execute directly. In the agent ecosystem, Markdown often serves as the "installation/initialization entry point," causing the text to evolve from "instructions" into "commands." Attackers only need to package malicious commands as dependency installation or environment configuration steps (such as curl | bash, Base64 decoded execution) to trick users into completing the execution chain, thereby achieving data penetration and theft.
According to Koi Security's report, 341 malicious skills were identified in a scan of 2,857 skills, reflecting a typical "plugin/extension market supply chain poisoning" pattern.
Attack Method Analysis
After merging the IOCs of over 400 malicious skills, we found that many samples repeatedly pointed to a small number of fixed domains or multiple random paths under the same IP, showing obvious resource reuse and convergence characteristics. This is more like a gang-like, batch attack: a large number of malicious skills share the same batch of domains/IPs, and the attack methods are basically the same.
In terms of delivery, attackers often use public platforms as intermediaries for distribution, such as text hosting sites like GitHub Releases and glot.io. Malicious networks typically employ a two-stage loading logic: the first stage uses obfuscated instructions to pass detection, and the second stage dynamically pulls high-risk payloads. This strategy significantly reduces the exposure of the skill shell, facilitating rapid updates to backend resources by attackers.
In addition, the naming of skills is also relatively focused, mainly revolving around crypto assets, financial information, and scenarios that are more likely to make people lower their guard, such as "updates/security checks/automation tools".
The poisoning chain can be summarized as follows:
1) A malicious skill disguises "dependency installation/initialization" in SKILL.md;
2) Hide the actual commands using Base64/segmented scripts;
3) After decoding, perform a typical download and execution (curl fetch → bash execution);
4) The first phase then retrieves samples for the second phase;
5) Finally, the process of closing the loop and continuously updating the site is completed using a small number of fixed IPs/domains.
Trojan Analysis
Take the popular "X (Twitter) Trends" skill as an example. From the appearance description, the skill seems normal, and the usage description is as expected. However, it actually hides a backdoor command that has been encoded in Base64.
The attackers used Base64 encoding to achieve "readability obfuscation," making SKILL.md appear to output configuration strings or installation information, thus lowering the reader's guard. This also evades some coarse keyword-based detection methods (such as directly matching curl|bash).
After decoding the base64 command, it is essentially a typical "download and execute" instruction:
The first-stage sample is just an entry point; the real functionality is placed in the second-stage sample, allowing attackers to easily replace the payload and iterate quickly without having to frequently modify the skill shell.
The above command will download and execute a program named q0c7ew2ro8l2cfqp from 91.92.242.30, which in turn downloads and executes the second-stage sample dyrtvwjfveyxjf23.
The main purpose of this phased delivery is "low-cost iteration + reduced exposure": the skill shell (SKILL.md) can remain relatively stable and even look like a normal installation guide; the real malicious capabilities are placed in the second-stage sample. Attackers can quickly update the functions and countermeasures by simply replacing the second-stage payload, while also bypassing static text-based review and blocking.
Dynamic analysis revealed that the second-stage sample would masquerade as a system dialog box to steal user passwords. After verifying the password's validity, it would collect and archive local information and documents in a temporary directory and read files from Desktop / Documents / Download.
Malicious Domain Analysis
According to the threat intelligence platform, the malicious domain socifiapp[.]com was registered on July 14, 2025, and has been marked as malicious remote control.
IP address 91.92.242.30 is reused in numerous malicious attacks. According to publicly available threat intelligence, this IP is associated with historical infrastructure related to Poseidon. This group's common modus operandi includes extortion following data theft.
MistEye Response
MistEye is a threat intelligence and dynamic security monitoring tool independently developed by SlowMist, focusing on the Web3 domain. We have deeply integrated security monitoring and intelligence aggregation functions to provide users with real-time risk alerts and asset protection.
Upon confirming the characteristics of the malicious behavior, the MistEye system immediately triggered a high-risk alert. This alert involved 472 malicious skills and their associated Indicators of Compromise (IOCs), and the relevant threat intelligence has been fully pushed to the customer.
The battle over the skills ecosystem continues. MistEye will continue to monitor major app stores around the clock to ensure the timely detection and identification of new malicious skills. Going forward, we will officially launch specific monitoring rules for skills mechanisms to provide customers with longer-term security protection.
Summarize
The essence of this incident lies in the supply chain risks brought about by "ecosystem entry point + text command execution": skill shells can be infinitely rebranded, but attackers truly rely on a few reusable remote resources and landing points. For the defense side, identifying three signals—"two-stage loading," "highly reusable infrastructure," and "naked IP landing points"—is often more effective than removing skills one by one. The IOCs below can be used for rapid blocking and threat hunting, but it is more recommended to combine them with behavioral tracking to establish long-term detection capabilities.
Protective measures
- Do not treat the "installation steps" in SKILL.md as a trusted source; any command that requires copying and pasting should be audited first.
- Be wary of prompts that ask for "system password/accessibility/system settings," as these are often points where risks escalate.
- Prioritize obtaining dependencies and tools from official channels, and avoid executing installation scripts from unknown sources.
IOCs
Domain
socifiapp[.]com
rentry[.]co
install[.]app-distribution.net
URL
hxxp[:]//91.92.242.30/7buu24ly8m1tn8m4
hxxp[:]//91.92.242.30/x5ki60w1ih838sp7
hxxp[:]//91.92.242.30/528n21ktxu08pmer
hxxp[:]//91.92.242.30/66hfqv0uye23dkt2
hxxp[:]//91.92.242.30/6x8c0trkp4l9uugo
hxxp[:]//91.92.242.30/dx2w5j5bka6qkwxi
hxxp[:]//54.91.154.110:13338/
hxxp[:]//91.92.242.30/6wioz8285kcbax6v
hxxp[:]//91.92.242.30/1v07y9e1m6v7thl6
hxxp[:]//91.92.242.30/q0c7ew2ro8l2cfqp
hxxp[:]//91.92.242.30/dyrtvwjfveyxjf23
hxxps[:]//rentry.co/openclaw-core
hxxps[:]//glot.io/snippets/hfdxv8uyaf
hxxp[:]//92.92.242.30/7buu24ly8m1tn8m4
hxxp[:]//95.92.242.30/7buu24ly8m1tn8m4
hxxps[:]//install.app-distribution.net/setup/
hxxp[:]//11.92.242.30/7buu24ly8m1tn8m4
hxxp[:]//202.161.50.59/7buu24ly8m1tn8m4
hxxp[:]//96.92.242.30/7buu24ly8m1tn8m4
hxxps[:]//glot.io/snippets/hfd3x9ueu5
IP
91.92.242.30
104.18.38.233
95.92.242.30
54.91.154.110
92.92.242.30
11.92.242.30
202.161.50.59
96.92.242.30
file
filename: dyrtvwjfveyxjf23
SHA256: 30f97ae88f8861eeadeb54854d47078724e52e2ef36dd847180663b7f5763168
filename: 66hfqv0uye23dkt2
SHA256: 0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65
filename: x5ki60w1ih838sp7
SHA256: 1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298
filename: dx2w5j5bka6qkwxi
SHA256: 998c38b430097479b015a68d9435dc5b98684119739572a4dff11e085881187e
filename: openclaw-agent.exe
SHA256: 17703b3d5e8e1fe69d6a6c78a240d8c84b32465fe62bed5610fb29335fe42283
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests and do not reflect the position of Web3Caff. The information contained in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.
Welcome to the official Web3Caff community : Twitter account | Web3Caff Research Twitter account | WeChat reader group | WeChat official account
