Remember when everyone treated npm like a trusted source? Then came event-stream. Then ua-parser-js. Then colors.js. Thousands of developers learned that “install and go” is a security posture, not a strategy.
The same thing is happening to AI tool registries right now. And nobody is treating it with the same urgency.
In April 2026, Acronis TRU published research showing that two of the most trusted platforms in the AI ecosystem, Hugging Face and ClawHub (OpenClaw’s community skill registry), were being actively exploited to distribute trojans, cryptominers, and infostealers. Not through some exotic zero-day. Through the same install flow developers use every day.
This is the AI supply chain attack era. And if you’re building with AI tools, you’re already in the blast radius.
575 Skills. 13 Accounts. Two Dominant Attackers.
Acronis Threat Research Unit identified 575 malicious skills distributed through ClawHub across 13 developer accounts. Two accounts did most of the damage:
| Account | Malicious Skills | Share |
|---|---|---|
| hightower6eu | 334 | 58% |
| sakaen736jih | 199 | 35% |
| 11 other accounts | 42 | 7% |
These skills looked legitimate. YouTube transcript summarizers. Productivity helpers. The kind of tools you’d install without a second thought because the registry made it frictionless. Under the hood, they directed users to download password-protected archives or execute encoded commands that deployed AMOS Stealer, cryptominers, and remote access trojans.
I wrote about the ClawHavoc campaign earlier this year when the first reports surfaced. That was a warning shot. This is the full picture: 575 weaponized skills, a coordinated campaign, and two platforms that host over a million ML models treating uploads with the same oversight as a public pastebin.
The Attack Is Cross-Platform. The Techniques Are Not Amateur.
This wasn’t a script kiddie dumping obvious malware. The Acronis research documents professional-grade tradecraft across Windows, macOS, and Linux:
Windows targets got VMProtect-packed payloads. A second variant used 30-byte XOR encryption for runtime string decryption and injected directly into explorer.exe. C2 communication ran over AES-encrypted HTTPS to a domain (velvet-parrot[.]com) that looks legitimate at a glance. Persistence? Scheduled tasks and Windows Defender exclusion modifications. The kind of techniques you’d see in a red team engagement, not a hobbyist project.
macOS targets received base64-encoded commands that downloaded AMOS Stealer, an infostealer sold as malware-as-a-service via Telegram. One installation and it scrapes browser credentials, crypto wallets, and session tokens.
Hugging Face as staging infrastructure. The ITHKRPAW campaign (targeting the Vietnamese financial sector) used Hugging Face dataset repositories as payload staging points. Malicious LNK files invoked Cloudflare Workers, which triggered PowerShell droppers that fetched payloads from Hugging Face. The payload chain displayed a decoy cat image to mask the activity. Researchers assessed with moderate confidence that the PowerShell dropper was itself LLM-generated, based on embedded Vietnamese-language comments and contextual ties to the ITHKRPAW operator.
Read that again. AI-generated malware, staged on an AI platform, distributed through an AI tool registry. The snake is eating its own tail.
The Prompt Injection Vector Nobody Is Discussing
The Acronis report documents something more concerning than trojanized installers: indirect prompt injection through skill files.
Attackers embedded hidden instructions within skill descriptions and documentation. When an AI agent loaded these skills, it autonomously executed the embedded commands on the user’s behalf. The user never ran anything suspicious. The agent did it for them.
This is the attack vector that pre-action gates are designed to catch. If your AI agent can install skills, execute code, or make network calls without a review step, you’re one malicious skill file away from credential theft. The agent is the attack surface, and the skill registry is the delivery mechanism.
If you’re running OpenClaw or any agentic framework with community plugins, this is not theoretical. It happened. It’s documented. The 575 skills are the proof.
Why AI Registries Are Worse Than npm
Traditional package registries are bad enough at security. AI tool registries are worse.
1. The trust model is implicit. npm has lockfiles, checksums, and provenance attestations (however imperfect). Hugging Face has model cards. ClawHub has… a listing page. When you install an OpenClaw skill, you’re trusting that the publisher is who they claim to be and that the code does what the description says. There’s no signing, no hash verification, no reproducible builds.
2. AI agents execute with user-level permissions. A malicious npm package runs in Node’s sandbox (such as it is). A malicious AI skill runs with whatever permissions your agent has, which in most setups is everything the user can do. File system access, network access, shell execution. The blast radius is inherently larger.
3. The user doesn’t review the execution. When you npm install, you can inspect package.json scripts. When an AI agent loads a skill, the execution happens inside the agent’s reasoning loop. The user sees the output, not the process. Indirect prompt injection exploits this gap perfectly.
What This Means for Anyone Building with AI
If you’re building AI-powered systems (and if you’re reading this, you probably are), here’s what the 575 malicious skills should change about how you work:
Audit your installed skills. If you’re running OpenClaw, check every installed skill for encoded commands, external download URLs, or obfuscated scripts. The Acronis report includes IoCs (indicators of compromise). Block 91.92.242[.]30 and velvet-parrot[.]com at your firewall.
Treat AI registries as untrusted input. Same discipline you’d apply to a random npm package from a zero-follower account. Read the source. Check the publisher history. If a skill needs network access or shell execution to function, that’s a red flag.
Gate your agent’s actions. Every tool call, every file write, every network request from an AI agent should pass through a mechanical review gate. Not a prompt-based safety check. A code-level gate that can’t be bypassed by clever prompt injection. I’ve been building these for months. The Acronis research validates why.
Monitor for explorer.exe injection and Defender exclusion changes. These are the specific persistence techniques documented in the campaign. If your EDR isn’t watching for them, you have a visibility gap.
Assume Hugging Face models are untrusted until verified. The platform hosts over a million models. It’s been used as a malware staging ground. Download, isolate, verify, then deploy. Never pull directly into production.
The Pattern Keeps Repeating
Vercel got breached through an AI tool. OpenClaw accumulated eight CVEs in three months. Now ClawHub and Hugging Face are confirmed distribution channels for trojans and infostealers. Every layer of the AI stack has been compromised at least once in 2026.
The builders who survive this era won’t be the ones with the best prompts or the fastest shipping velocity. They’ll be the ones who treated their AI tools with the same suspicion they’d give any other third-party dependency.
Trust nothing. Verify everything. Gate every action.
Frequently Asked Questions
What is an AI supply chain attack?
An AI supply chain attack compromises AI tools, models, or registries that developers trust and integrate into their workflows. Instead of attacking the target directly, attackers poison the tools developers use. The ClawHub campaign is a textbook example: 575 malicious skills disguised as legitimate AI tools, distributed through a trusted registry, deploying malware when installed. It follows the same pattern as npm or PyPI supply chain attacks, but with larger blast radius because AI agents typically run with broader system permissions.
How were Hugging Face and ClawHub used to distribute malware?
ClawHub (OpenClaw’s skill registry) hosted 575 malicious skills across 13 developer accounts. These skills masqueraded as productivity tools while deploying trojans, cryptominers, and infostealers. Hugging Face was used as infrastructure for staging payloads: the ITHKRPAW campaign stored malicious payloads in Hugging Face dataset repositories, which were fetched by PowerShell droppers during the infection chain. Both platforms were exploited because they allow relatively open publishing with minimal verification.
What is indirect prompt injection in AI skills?
Indirect prompt injection is an attack where malicious instructions are hidden in content that an AI agent processes. In the ClawHub campaign, attackers embedded hidden commands within skill files and documentation. When an AI agent loaded the skill, it read the hidden instructions and executed them autonomously, without the user’s knowledge or approval. The user sees the agent working normally. The agent is executing attacker-controlled commands. This is why mechanical pre-action gates (code-level checks, not prompt-based filters) are essential for any agent that loads external plugins.
How can I check if I’m affected by the ClawHub malicious skills campaign?
Start with three steps: (1) audit installed OpenClaw skills for encoded commands, external download URLs, or obfuscated scripts. Look for base64-encoded strings, PowerShell invocations, or connections to unknown hosts. (2) Check your network logs for connections to the documented C2 infrastructure: IP 91.92.242[.]30 and domain velvet-parrot[.]com. (3) On Windows, check for unexpected scheduled tasks and Windows Defender exclusion path modifications. Acronis TRU published full indicators of compromise (IoCs) including file hashes in their report.
Tom Tokita is an AI consultant and operations architect based in Manila, Philippines. He runs Aether Global Technology Inc., a Salesforce consulting partner. His production AI system uses mechanical pre-action gates on every tool call. Not because of theory, but because of incidents exactly like the ones documented here.
