30 OpenClaw Skills Weaponized for Crypto Swarm Without User Consent
Key Takeaways
- ▸30 OpenClaw skills on ClawHub have been used to create a 'crypto swarm' that recruits AI agents without user consent or awareness
- ▸The campaign uses legitimate SKILL.md configuration files to instruct agents to register with external servers, report capabilities, and generate cryptocurrency wallets
- ▸ClawSwarm reveals a fundamental gap in runtime visibility for agentic AI systems—agents can execute complex third-party instructions without explicit user approval
Summary
A security researcher at Manifold has discovered a campaign dubbed "ClawSwarm" in which 30 OpenClaw skills published to ClawHub have been covertly co-opting AI agents for cryptocurrency mining operations. The malicious skills, published by a user named "imaflytok," have accumulated around 9,800 downloads and operate without any traditional malware or explicit user knowledge.
Once installed, these seemingly benign skills—ranging from cron helpers to security utilities—cause AI agents to silently register with external servers (onlyflies.buzz), report their capabilities and installed skills, generate Hedera crypto wallets, and accept remote tasks. The agents store credentials locally, check in every four hours, and participate in a network centered around $FLY tokens—all without the agent owner's approval or awareness.
Maniford researcher Ax Sharma emphasizes that ClawSwarm differs from traditional malicious campaigns because it exploits no code vulnerabilities and uses no malware. Instead, it leverages legitimate SKILL.md configuration files to instruct agents what to do. The campaign raises critical questions about runtime visibility and user control in agentic AI systems, particularly as open-source agent frameworks gain adoption.
- Traditional code scanning tools cannot detect this attack pattern, forcing the security community to rethink how agent ecosystems are governed
Editorial Opinion
ClawSwarm exposes a critical governance gap in how AI agents execute third-party skills without explicit runtime approval from human users. While this particular campaign may be a legitimate cryptocurrency experiment, the mechanism—silent agent enrollment in external networks, wallet generation, and remote task execution—represents a template that far more malicious actors could exploit. Open-source agent ecosystems urgently need robust runtime visibility, capability-based permissions, and user control mechanisms before they can be considered production-ready for enterprise or security-sensitive applications.
