AI Agent Skill Registry Integrity Gaps Enable Supply-Chain Attack Chains
Analysis of 49,943 skills in the OpenClaw registry reveals 80% contain behavioral mismatches between declared and actual capabilities; 18.9% of deviations traced to adversarial intent, concentrating in credential theft and data exfiltration chains.
Attack Brief
TargetLLM agents; AI agent-skill registries (OpenClaw); enterprises deploying agent automationVectorMalicious or undeclared third-party skills installed into production agents; multi-stage attack chains combining file read, encoding, and network transmission; credential exfiltration via environment variable accessAttributionunattributed
Technical Details
MITRE ATT&CKT1555T1552.001T1041T1027T1059IoCsOpenClaw agent-skill registryAffectedAll 49,943 skills in OpenClaw registry as of early 2026; 39,933 skills (80.0%) exhibit at least one behavioral deviation
Impact
Sectorscode generationIT operationscustomer supportinternal workflowsConfirmed DamageCredential exfiltration chains; remote code execution chains; silent data exfiltration; agent hijacking
Mitigation
PatchesPrisma AIRSUnit 42 AI Security AssessmentWorkaroundsInventory third-party skills installed in production agents; require behavioral-integrity verification before skill installation; implement registry-scale audit of skill metadata, executable code, and natural-language instructions against declared capabilitiesDetectionBehavioral Integrity Verification (BIV) audit primitive comparing skill metadata, code, and instructions across taxonomy of 29 capabilities in seven families (Network, File system, Process execution, Environment, Encoding, Credentials, Instruction-level threats); static analysis using AST-level taint analysis, regex, pattern matching across Python, JavaScript, shell; LLM-based natural-language instruction analysis for prompt-injection and instruction-override motifs
Context
Similar AttacksMobile app store and browser extension marketplace supply-chain attacks; package manager ecosystem compromises