HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

OpenClaw AI Agent Marketplace Serves Malicious Skills, Highlighting AI Supply‑Chain Risks

Unit 42 discovered five malicious AI skills on OpenClaw’s ClawHub marketplace that evaded built‑in scanning and were later removed. The incident underscores the need for SOC 2‑aligned vendor‑risk controls and continuous evidence of third‑party code monitoring.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 unit42.paloaltonetworks.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
unit42.paloaltonetworks.com

OpenClaw AI Agent Marketplace Serves Malicious Skills, Highlighting AI Supply‑Chain Risks

What Happened — OpenClaw’s “ClawHub” marketplace distributes markdown‑driven AI skills that run with broad local system privileges. Unit 42 identified five malicious skills—two macOS infostealers, one oversized‑file evasion package, and two novel agentic‑threat skills—that evaded the platform’s VirusTotal and ClawScan screening and were later removed after reporting.

Why It Matters for Compliance & Audit Readiness

  • The incident exemplifies a third‑party software‑supply‑chain risk that SOC 2 vendor‑management controls are designed to detect, monitor, and evidence.
  • Continuous monitoring of third‑party code repositories and automated evidence collection are essential to demonstrate due diligence during a SOC 2 audit.
  • Mapping the marketplace’s security‑screening controls to the SOC 2 CC6.1 (System Operations) and CC7.1 (Risk Management) criteria provides a defensible audit trail.

Who Is Affected – SaaS platforms that embed OpenClaw agents, financial‑services firms using AI‑driven trading bots, and any organization that permits end‑user‑generated AI skills to execute on corporate endpoints.

Recommended Actions

  • Treat AI skill marketplaces as third‑party vendors; add them to your vendor‑risk register and require SOC 2‑compatible security attestations.
  • Implement continuous code‑artifact monitoring (e.g., hash‑based integrity checks, automated scanning of newly published skills) and retain logs as audit evidence.
  • Update access‑control policies to enforce least‑privilege execution for AI agents and require multi‑factor approval before new skills are deployed.

Source: Palo Alto Unit 42 – OpenClaw AI Supply‑Chain Risk

Technical Notes – The malicious skills leveraged the ClawHub API to download markdown packages that executed native commands on macOS, used inflated file sizes to bypass ClawScan thresholds, and performed runtime affiliate‑injection and front‑running attacks. No CVE was cited; the vector is a third‑party dependency abuse. Source: same as above

📰 Original Source
https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →