{"data":{"id":"70135e08-4d18-442d-a898-f486cb7b5d88","title":"OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat","summary":"OpenClaw is an AI agent that runs third-party skills from the ClawHub marketplace, but these skills have broad access to local systems, creating supply chain risks (where attackers compromise software distribution to spread malware). Between February and May 2026, researchers found five malicious skills that evaded ClawHub's existing defenses; these involved infostealers (malware that steals information), evasion techniques, and novel agentic threats such as runtime injection and front-running attacks designed for financial gain.","solution":"ClawHub integrated VirusTotal and ClawScan for proactive screening of skills and code-level analysis. OpenClaw is now collaborating with NVIDIA to provide documentation of what each skill does and to run NVIDIA's analysis tool on all skills published to the platform.","labels":["security"],"sourceUrl":"https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/","publishedAt":"2026-06-23T22:00:51.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain","model_poisoning","pii_leakage"],"issueType":"news","affectedPackages":null,"affectedVendors":["OpenAI"],"affectedVendorsRaw":["OpenClaw","ClawHub","NVIDIA","Palo Alto Networks","Bitdefender","Koi Security","Trend Micro"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-23T22:00:51.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}