What is the Hugging Face and ClawHub supply chain attack?

Acronis TRU uncovered a coordinated campaign where 13 developer accounts uploaded 575+ trojanized AI skills across both Hugging Face and ClawHub (OpenClaw's marketplace), deploying trojans, cryptominers, and AMOS stealer.

Who are the threat actors behind the 575 malicious ClawHub skills?

Two primary accounts: hightower6eu (334 skills, 58%) and sakaen736jih (199 skills, 34.6%), with 11 additional accounts contributing smaller volumes.

How do the malicious OpenClaw skills work?

The trojanized skills masquerade as legitimate tools but use hidden commands, encoded PowerShell, password-protected archives, and indirect prompt injection to deploy malware on victims' machines.

What is indirect prompt injection in ClawHub skills?

Hidden instructions embedded in skill definition files that AI agents read and execute autonomously on behalf of users, turning agents into unwitting malware intermediaries.

What malware payloads are deployed by the malicious skills?

Trojans, cryptominers, and AMOS stealer (Atomic Stealer), a macOS-focused infostealer commonly distributed via malware-as-a-service.

How is this different from the ClawHavoc campaign?

ClawHavoc targeted ClawHub alone with 1,184 malicious skills. The Acronis TRU finding covers a cross-platform campaign hitting both Hugging Face and ClawHub simultaneously, with named threat actors identified.

Does this affect Windows and macOS users?

Yes. The campaign targets both platforms — Windows via trojans and cryptominers, macOS via AMOS stealer.

← Back to dashboard

clawsmith.com/signal/acronis-tru-hugging-face-clawhub-575-malicious-skills-prompt-injection

⚠ IssueWide OpenLive

Acronis TRU: Hugging Face & ClawHub Poisoned With 575+ Malicious AI Skills via Indirect Prompt Injection

13 developer accounts — primarily hightower6eu (334 skills) and sakaen736jih (199 skills) — uploaded 575+ trojanized AI skills across Hugging Face and ClawHub that masquerade as legitimate tools but deploy trojans, cryptominers, and AMOS stealer via hidden commands and indirect prompt injection, weaponizing AI agents as unwitting malware intermediaries.

Product Idea from this Signal

A security layer that vets ClawHub skills for malware and prompt injection before your agent installs them

133.9k ▲

ClawHub grew 380% to 13,729 skills in Q1 2026. Snyk found 36% contain prompt injection and 1,467 carry malicious payloads. The ClawHavoc campaign planted 1,184 weaponized skills in the marketplace. VirusTotal integration catches known malware but misses novel prompt injection, data exfiltration via tool outputs, and social engineering patterns unique to AI agent skills. This tool performs deep behavioral analysis of every skill before installation, catching threats that signature-based scanners miss.

SECURITYCLIDEVTOOLOPEN-SOURCE

CompetitiveView Opportunity →

Product Idea from this Signal

A CLI tool that scans a running OpenClaw instance for active CVEs, malicious skills, and supply chain tampering before they get exploited

807 ▲

OpenClaw has accumulated 433+ CVEs in five months including critical auth bypasses (CVSS 9.8), sandbox escapes, and nation-state supply chain attacks targeting the npm ecosystem. Most operators have no idea which CVEs affect their specific version, whether their installed skills contain backdoors, or if their dependency tree has been tampered with. This tool runs a comprehensive security audit against a live OpenClaw instance and outputs an actionable remediation plan.

CLIOPEN-SOURCESECURITYDEVTOOLAUDIT

CompetitiveView Opportunity →

Product Idea from this Signal

A CLI security scanner that intercepts and blocks malicious ClawHub skills before they compromise your OpenClaw instance

183.8k ▲

ClawHub has 824+ malicious skills in circulation. 12% of published skills contain malicious code, supply chain rug-pulls, or data exfiltration payloads like AMOS stealer and ClawHavoc. OpenClaw's built-in VirusTotal integration only catches known signatures after publication, leaving zero-day threats and behavioral exploits wide open. This tool sits between ClawHub and your install command, running behavioral analysis, permission auditing, and network call inspection on every skill before it touches your system.

CLIOPEN-SOURCESECURITYDEVTOOL

Competitive75 leadsView Opportunity →