The Poisoned Skill Library: Why the AI Supply Chain Just Became Australia's Newest Attack Surface

In the last fortnight, security researchers have published findings that should rewire how Australian businesses think about AI risk. Acronis Threat Research Unit identified 575 malicious skills inside the OpenClaw ecosystem, distributed through ClawHub by just thirteen developer accounts. Snyk audited the broader agent skill landscape and found that roughly one in five skills is outright malicious, and more than a third contain serious security flaws. The supply chain that feeds your AI agents has been compromised, and most enterprise security programmes do not yet have controls that acknowledge it as a category.

What actually happened

The Acronis disclosure is the clearest evidence yet that AI distribution platforms have become a primary target for organised attackers. Two threat actors operating as "hightower6eu" and "sakaen736jih" between them published more than five hundred trojanised skills on ClawHub, the public registry for OpenClaw's agent ecosystem. The malicious skills masquerade as legitimate utilities. Examples include YouTube transcript summarisers and productivity helpers. They secretly instruct users to download password-protected archives or execute encoded commands. Payloads include conventional Windows trojans, cryptocurrency miners, and AMOS, the Atomic macOS Stealer that is widely distributed under malware-as-a-service arrangements.

This sits on top of a separate Koi Security audit that examined all 2,857 skills on ClawHub and found 341 malicious entries, with 335 traced to a single coordinated operation called ClawHavoc. A third research effort from Snyk, branded ToxicSkills, scanned 3,984 skills across ClawHub and skills.sh and flagged 36 per cent as carrying security flaws, with approximately 900 classified as outright malicious. Even after the disclosure, eight confirmed malicious skills remained publicly available at publication.

Why this attack class is genuinely different

Conventional supply chain attacks compromise one system at a time. A poisoned npm package installs on a developer's laptop, executes once, and exfiltrates whatever it can reach. The compromise is contained to the install boundary.

AI skill attacks are not contained. They exploit the trust relationship between the user and the AI agent, and they do so through a technique called indirect prompt injection. The malicious payload is embedded not in executable code, but in instructions written inside skill files that the agent reads as part of its normal operation. When the agent processes the skill, it executes those instructions on behalf of the user. The agent itself is not compromised. It is functioning exactly as designed. The trust it places in skill content is what attackers weaponise.

The implications cascade. An OpenClaw agent operating inside an enterprise environment typically has access to databases, internal APIs, cloud credentials, and network resources. When that agent executes a malicious skill, it does not act with the user's permissions. It acts with the agent's. In enterprise deployments, that is a substantially larger blast radius than the user's own laptop.

Two research disclosures from earlier this year illustrate how sophisticated this category has already become. The BadSkill attack demonstrated a 99.5 per cent attack success rate using a backdoor poisoning rate of just 3 per cent across eight model architectures. Document-Driven Implicit Payload Execution, a technique disclosed in a separate paper, embeds malicious logic inside code examples and configuration templates in skill documentation. When a coding agent references the documentation during normal work, it copies the malicious example into production and executes the payload. Static analysis caught the technique in roughly 2.5 per cent of cases. Alignment filters did not catch it at all.

The broader pattern

The ClawHub disclosure is not an isolated incident. It is the AI-specific expression of a supply chain attack pattern that has been accelerating across software for the past twelve months.

In March 2026, the LiteLLM package on PyPI was compromised, with the breach exposing approximately 500,000 credentials including API keys for Meta, OpenAI, and Anthropic. Meta froze AI data work temporarily after determining that training infrastructure secrets were at risk. The compromise was tracked as CVE-2026-33634 with a CVSS score of 9.4.

In April, the Bitwarden CLI package on npm was hijacked for ninety minutes. The payload was specifically designed to harvest credentials from AI coding tools, including Claude Code, Cursor, Codex CLI, and Aider. Days later, the PyTorch Lightning package was compromised for forty-two minutes with a credential-stealing payload from the Mini Shai-Hulud campaign. The European Commission itself was breached after attackers poisoned Trivy, an open-source security scanning tool. The tools designed to detect supply chain attacks were themselves becoming attack vectors.

Hugging Face has its own version of this story. Acronis tracked the ITHKRPAW campaign, which targeted Vietnamese financial sector organisations in January using a malicious LNK file that invoked Cloudflare Workers, served a PowerShell dropper, and fetched its final payload from a Hugging Face dataset repository while opening a decoy cat image to mask activity. A separate fake OpenAI repository, Open-OSS/privacy-filter, accumulated 244,000 downloads before removal. Analysis confirmed most downloads were automated bots inflating credibility.

The governance gap that lets this happen

Publishing a skill to ClawHub requires only a SKILL.md markdown file and a GitHub account less than a week old. There is no code signing requirement, no mandatory security review, and no sandboxed evaluation environment. The parallels to npm circa 2018 are direct, and not flattering.

OWASP formally categorised this threat class as LLM03:2025, covering vulnerable or outdated dependencies, compromised pre-trained models, malicious LoRA adapters, poisoned training data and RAG sources, model merge vulnerabilities on platforms like Hugging Face, and malicious or compromised plugins. A separate category, MCP04:2025, covers software supply chain attacks and dependency tampering for MCP-based integrations. The standards exist. What does not yet exist is production-grade tooling, mandatory enforcement, or anywhere near enough industry awareness. Most enterprise AI security programmes still treat this as a future concern. The Acronis, Snyk, and Koi disclosures together demonstrate that it is a present one.

What this means for Australian regulated industries

For Australian businesses, particularly those operating under APRA prudential standards, this category of attack creates a direct compliance exposure.

CPS 230 came into force on 1 July 2025. It requires regulated entities to identify, assess, and manage operational risk associated with material service providers, including risks from technology arrangements and third-party dependencies. An organisation that allows its AI agents to consume skills from public marketplaces without supplier due diligence, dependency review, or change control is operating in direct tension with what CPS 230 requires. The agent's skill registry is a material service provider in everything but the contractual label.

CPS 234 requires information security capability commensurate with the size, complexity, and threat environment. A 575-skill malicious campaign across the dominant agent marketplace, targeting both Windows and macOS with credential theft payloads, is a clear threat environment change. Boards and audit committees will reasonably expect to see updated risk registers, updated control frameworks, and updated incident response plans that reflect the new attack class.

The Essential Eight, in its current form, does not cleanly cover this category. Application control was designed for traditional executables. It does not natively contemplate an AI agent autonomously executing instructions found inside a markdown skill file. Restricting administrative privileges does not constrain an agent that has been granted broad access in order to be useful. Patching does not apply to skills that contain no traditional code vulnerability. The framework remains essential, but the controls require interpretation and extension to remain effective against agent-layer threats.

A five-control defensive playbook for Australian organisations

Allow-list skills, do not allow public skill installation. Treat the public agent skill registry the same way you would treat an unsigned Windows executable from a website. Maintain an internal allow-list of approved skills that have passed review. Block agent skill installation from public registries by default.

Pin and review skill versions. Where skills are permitted, pin them to specific reviewed versions. Do not allow agents to auto-update from upstream. Treat skill updates the same way you treat dependency updates in any production codebase: reviewed, tested, approved.

Constrain agent privileges. Apply least privilege rigorously to agent service accounts. An agent that drafts emails does not need database write access. An agent that summarises documents does not need cloud credential access. Assume any skill can become malicious, and design the blast radius accordingly.

Inspect skill content as code. Skills are code, even when they look like configuration. Run static analysis against skill files. Treat indirect prompt injection patterns, hidden instruction blocks, encoded commands, and external download instructions as red-flag signals. Review and approve skills the same way you review and approve open-source dependencies.

Update third-party risk and incident response to include the AI distribution layer. Add agent skill marketplaces, model repositories, and AI plugin registries to your supplier inventory. Run them through CPS 230 third-party risk assessment. Update your incident response playbooks so that a skill compromise has documented containment, eradication, and notification procedures, the same way you would for a compromised npm package.

The window for action is now

The AI ecosystem is repeating a mistake the broader software industry already made. The current state of agent skill marketplaces is structurally equivalent to npm and PyPI in their earliest, most permissive eras, and attackers have noticed. The difference this time is speed. The publishing-to-exploitation cycle is shorter. The blast radius of a compromised component is larger, because agents act with privilege on behalf of users. And the regulatory expectations on Australian organisations, particularly those under APRA, are already in force.

At ValiDATA AI, we help Australian regulated industry leaders build the operational frameworks, supplier risk processes, and agent governance controls that make this category of risk manageable rather than existential. If your organisation is deploying agents and consuming skills from public registries without a governance framework around it, the time to address that is before the next disclosure, not after.