Thirty OpenClaw skills from a single author have been weaponized in "ClawSwarm," a campaign that co-opts AI agents into cryptocurrency mining without user consent. The skills, downloaded ~9,800 times, trick agents into registering at onlyflies.buzz and exfiltrating their capabilities to external servers. Unlike traditional malware, the attack exploits open-source SKILL.md configuration and the trust agents place in skill registries.
Safety
30 ClawHub skills secretly turn AI agents into a crypto swarm
ClawSwarm's 30 poisoned OpenClaw skills (9,800 downloads) coerce AI agents into unauthorized cryptomining by exploiting skill registry trust without user consent.
Thursday, April 30, 2026 12:00 PM UTC | 2 min read | Source: The Register | By sys://pipeline