Ko »veščine« postanejo dobavna veriga: poziv k prebujanju zaradi zlonamerne programske opreme na trgu OpenClaw

V zadnjih nekaj letih je »agent umetne inteligence« prenehal biti le marketinška fraza in postal pravi delovni tok: pomočnik, ki lahko bere vaše datoteke, odpre brskalnik, izvaja ukaze in združuje dejanja v različnih storitvah. To je obljuba.

Težava je v tem, damoč ima distribucijski kanalIn ta kanal se vse pogosteje imenujespretnost: majhen, deljiv paket z navodili, ki agenta (in pogosto uporabnika) nauči, kako opraviti nalogo. To je čas za trgovino z aplikacijami za agente – le da so »aplikacije« pogostonavodila za znižanje cen.

Poročila tega tedna o zlonamernih spretnostih OpenClaw so zgodnji in zelo glasen signal, da se bomo kmalu ponovili zgodovini dobavne verige odprte kode – vendar z novostjo: namesto da bi zastrupili prevedeno odvisnost, lahko napadalci zastrupijodokumentacijain uporabite agentovo ustrežljivost kot mazivo.

Spodaj je praktična razlaga, kaj se je zgodilo, zakaj deluje tako dobro in kaj lahko storite glede tega.

Kaj so OpenClaw veščine (in zakaj so pomembne)

OpenClaw je populariziral preprost model razširitve: dodajte »veščino«, ki pojasnjuje, kako opraviti ozko nalogo – objavo na družbenih omrežjih, čiščenje map, povzemanje poročila, avtomatizacijo poteka dela – in agent pridobi novo zmogljivost.

V širšem ekosistemu »veščin agentov« je veščina običajno mapa, zgrajena okoliSKILL.mddatoteka. Ta datoteka vsebuje:

  • Metapodatki(ime / opis)
  • Navodila(dejanski koraki)
  • Neobvezno:skriptein druga združena sredstva

To se sliši neškodljivo, ker je videti kot dokumentacija. Ampak dokumentacija je ravno tisto, čemur ljudje hitro sledijo, še posebej, če je videti kot seznam predpogojev ali vodnik za namestitev.

Spretnosti imajo tudi dinamiko »zmagovalec vzame vse«: ljudje gravitirajo k temu, kar je priljubljeno, kaj je novo in kar je videti, kot da bo prihranilo čas. Zaradi tega je javni trg spretnosti zelo dragocen cilj: z nekaj najboljšimi prenosi lahko dosežete koncentriran nabor zahtevnih uporabnikov – razvijalcev, operaterjev in vseh, ki imajo na svojem računalniku dragocene reference.

Osnovni trik: markdown ni več »vsebina« – to je namestitveni program

Tradicionalni napadi na dobavno verigo programske opreme pogosto zahtevajo tehnične naložbe: zmedo glede odvisnosti, tipografske napake, zlonamerne skripte po namestitvi, ohranjanje nadzora nad imenom paketa in izogibanje skenerjem.

Trg znanj in spretnosti znižuje standarde.

Zlonamerna veščina lahko naredi nekaj tako preprostega, kot je to:

  1. Predstavite verodostojno orodje (»veščina Twitterja«, »sledilnik kriptovalut«, »pomočnik za avtomatizacijo«).
  2. Dodajte razdelek »Predpogoji« z »zahtevano odvisnostjo«.
  3. Zagotovite priročno povezavo in enovrstični ukaz.
  4. Za izvedbo se zanesite na človeka (ali agenta).

To ni nova ideja socialnega inženiringa – uporablja se že leta – ampak delovni tokovi agentovojačatito:

  • Agenti samozavestno povzemajo dokumente (»Samo zaženite to, da namestite odvisnost«).
  • Agenti zmanjšajo trenje tako, da namesto vas ustvarijo ukaz.
  • V nekaterih nastavitvah lahko agenti sami izvajajo ukaze lupine.

Na tej točki »dokumentacija« postane pot oddaljenega izvajanja.

Kaj poročila pravijo, da se je zgodilo v ekosistemu OpenClaw

Več člankov opisuje kampanjo, v kateri so napadalci na tržnico ClawHub naložili veliko število zlonamernih veščin in uporabili »korake za nastavitev« za dostavo zlonamerne programske opreme za krajo informacij.

Po besedah ​​Jasona Mellerja iz 1Passworda je ena od najpogosteje prenašanih veščin vključevala navodila, ki so uporabnike usmerila v postopno verigo dostave: povezavo do »odvisnosti«, zakrit ukaz in nato koristni tovor, ki je na koncu namestil program za krajo informacij, namenjen vdoru v računalnik in pridobivanju dragocenih skrivnosti.

CyberInsider, ki se sklicuje na raziskavo podjetja Koi Security, opisuje podoben vzorec v velikem obsegu: trojanske spretnosti z »predpogoji«, ki uporabnikom naročajo, naj zaženejo zakrite skripte lupine ali prenesejo arhive, zaščitene z geslom, kar doseže vrhunec v koristnih obremenitvah, kot je Atomic macOS Stealer (AMOS) – družina zlonamerne programske opreme, povezana s krajo poverilnic in ciljanjem denarnic.

Ali se natančne številke med poročili razlikujejo,oblikaje dosleden:

  • Spretnosti, uporabljene kot distribucija
  • »Predpogojna« navodila, uporabljena kot prepričevalni element
  • Kradljivci informacij, uporabljeni kot končni cilj

Ta končni cilj je pomemben: sodobni kradljivci informacij ne iščejo enega samega gesla – iščejožetoni seje,profili brskalnika,SSH ključi,poverilnice v oblakuinkripto denarniceZ drugimi besedami: stvari, ki en ogrožen prenosnik spremenijo v širši kompromis.

Če ste kdaj pomislili: "Jaz ne bi nasedel na to," imate verjetno prav, ko ste mirni in skeptični.

Toda poteki dela agentov spremenijo kontekst:

  • Hitrost postane privzeta.Uporabljate agenta, ker želite hitro ukrepati.
  • Kognitivna obremenitev je oddana zunanjim izvajalcem.Agent spremeni neurejeno stran z navodili v samozavesten kontrolni seznam.
  • Avtoriteta je izposojena.Če agent reče »To je standardna odvisnost«, se zdi preverjen.

Z drugimi besedami: agenta ni treba »prevarati« v tehničnem smislu. Samo prisoten mora biti, ko vas spodbujajo k tveganemu dejanju. To je dovolj, da vpliva na vedenje.

In če tinareditiČe agentu omogočite neposredno izvajanje ukazov, lahko zlonamerna veščina postane »prostoročni kompromis«.

'Kaj pa MCP? Mar ne naj bi to naredilo orodja varnejša?'

Protokol konteksta modela (MCP) je resničen korak naprej pri strukturiranju dostopa do orodij. Standardizira, kako gostitelji izpostavljajo orodja, vire in pozive, ter poudarja soglasje in nadzor uporabnikov.

Vendar MCP ne naredi "veščin" čarobno varnih.

Zakaj?

  • Spretnosti lahko uporabnikom naročijo izvajanje ukazov zunaj meje MCP.
  • Spretnosti se lahko povezujejo s skripti ali prenosi, ki se nikoli ne dotikajo MCP.
  • Vsaka veščina sploh ne uporablja MCP.

MCP lahko pomaga, če gostitelj implementira močno dodeljevanje dovoljenj, jasne pozive k soglasju, beleženje in varne privzete nastavitve. Vendar pa ga lahko mehanizem distribucije, ki temelji na znižanju cen, še vedno zaobide z navadnim starim socialnim inženiringom.

To je agentska različica varnosti dobavne verige (in o tem smo že govorili)

Svet programske opreme se je na težji način naučil, da:

  • Priljubljeni registri so zlorabljeni.
  • Tipografsko skvotiranje deluje.
  • »Namesti tega pomočnika« je pogosta vstopna točka.
  • Najdragocenejše žrtve so tiste, ki gradijo stvari.

Trgi znanj in spretnosti združujejo te izkušnje z dvema novima pospeševalcema:

  1. "Paket" so lahko navodila, ne kode – in navodila je težje zanesljivo skenirati.
  2. Izvajalno okolje je bogato s poverilnicamipo zasnovi: brskalniki, prijavljeni v vse, terminali s ključi SSH, oblačni CLI-ji, upravitelji gesel in lokalne datoteke.

V nekem smislu je tržnica znanj trgovina z aplikacijami, kjer lahko najboljše aplikacije rečejo »Kopiraj in prilepi to v Terminal, da omogočiš funkcijo.« To ni rešljiv problem z enim potrditvenim poljem.

Praktična obramba (za običajne uporabnike)

Če eksperimentirate z agentom, ki ima lokalni dostop, ga morate obravnavati kot novega uporabnika operacijskega sistema s supermočmi.

Tukaj je pragmatično izhodišče:

  1. Uporabite namenski računalnik ali virtualni strojza poskuse agentov. Brez shranjenih poslovnih prijav. Brez produkcijskih ključev SSH. Brez sej skrbništva v oblaku.
  2. Pri enovrstičnih namestitvenih programih je privzeta nastavitev »ne«.Še posebej vse, kar se zvija v sh, uporablja base64 ali vas prosi, da odstranite zaščite operacijskega sistema.
  3. Ne zaupajte »najbolj prenesenim«.Priljubljenost je trik za rast, ne varnostni model.
  4. Če ste že nekaj izvedli, najprej izmenično izberite tisto, kar je pomembno.Seje brskalnika, ključi SSH, žetoni API-ja, ključi v oblaku.
  5. Prednost dajte veščinam, ki so pod nadzorom virov in jih je mogoče pregledati(Git repozitorij z zgodovino, znanimi vzdrževalci, jasnim izvorom).

Kaj bi morale tržnice storiti (če želijo preživeti)

Če vodite javni register znanj in spretnosti, izvajate napadalno površino.

Nekaj ​​praktičnih korakov, ki znatno povečajo stroške napadalca:

  • Ugled in izvor založnika(preverjene identitete, zgodovina, podpisovanje).
  • Samodejno skeniranjeza sumljive vzorce (kodirani koristni tovori, zakrite enovrstične izjave, odstranitev iz karantene, arhivi, zaščiteni z geslom, »odvisnost od namestitve jedra« z zunanjimi povezavami).
  • Opozorilo o trenju uporabniškega vmesnikaza zunanje povezave in ukaze lupine.
  • Hitra odstranitev in viden odziv na incident(obravnavajte ga kot trgovino z aplikacijami, ne kot Pastebin).

Nič od tega ni popolno, vendar kupujejo čas – in čas je tisto, kar branilci potrebujejo.

Kaj naj graditelji agentov predvidevajo v prihodnje

Če gradite samo izvajalno okolje agenta, predpostavite, da bodo veščine orožene.

To pomeni:

  • Izvajanje ukaza za zavrnitev privzetih vrednosti(zahtevajo soglasje za vsak ukaz posebej, ne pa enkratnih preklopov).
  • Močno peskovno okoljeza dostop do datotečnega sistema in brskalnika.
  • Časovno omejena dovoljenja z omejenim obsegomz enostavnim preklicem.
  • Dnevniki, ki jih je mogoče spremljatitega, kar je agent prebral in kaj je izvedel.

Končno stanje je v isti smeri, kot jo je oblak ubral pred leti: identiteta, politika, najmanj privilegijev in revizijske sledi – vendar znižano na raven delovne postaje.

Bistvo

Zgodba o znanjih OpenClaw ni le »nekateri ljudje so naložili zlonamerno programsko opremo«. Gre za predogled naslednjega bojišča v dobavni verigi:veščine kot distribucija, markdown kot izvedbena pot in agenti kot pospeševalnik.

Če bodo agenti delovali na naših osebnih in službenih računalnikih, ekosistem potrebuje plast zaupanja, ki tržnice znanj obravnava kot trgovine z aplikacijami, dokumentacijo kot kodo in »koristno avtomatizacijo« obravnava kot privilegirano operacijo – ne kot priložnostno udobje.


Viri

Document Title
When ‘skills’ become the supply chain: the OpenClaw marketplace malware wake‑up call
Malicious AI-agent ‘skills’ are turning documentation into a distribution channel for infostealers. Here’s how it works — and how to defend against it.
Title Attribute
oEmbed (JSON)
oEmbed (XML)
JSON
View all posts by Admin
Ikea’s bargain Matter-over-Thread devices are stumbling at the hardest step: getting connected
Should AI chatbots have ads? What Anthropic’s ‘no ads’ stance really means
Page Content
When ‘skills’ become the supply chain: the OpenClaw marketplace malware wake‑up call
Nature
Climate
/
General
/ By
Admin
In the last couple of years, “AI agent” stopped being a marketing phrase and started being a real workflow: an assistant that can read your files, open your browser, run commands, and stitch together actions across services. That’s the promise.
The problem is that
power has a distribution channel
. And that channel is increasingly called a
skill
: a small, shareable “how-to” package that teaches an agent (and often the user) how to accomplish a task. It’s the app store moment for agents — except the “apps” are frequently
markdown instructions
.
This week’s reports about malicious OpenClaw skills are an early, very loud signal that we’re about to repeat open-source supply‑chain history — but with a twist: instead of poisoning a compiled dependency, attackers can poison
documentation
and use the agent’s helpfulness as the lubricant.
Below is a practical explainer of what happened, why it works so well, and what you can do about it.
What OpenClaw skills are (and why they matter)
OpenClaw popularized a simple extension model: drop in a “skill” that explains how to do a narrow task — post on social media, clean folders, summarize a report, automate a workflow — and the agent gains a new capability.
In the broader “agent skills” ecosystem, a skill is typically a folder built around a
SKILL.md
file. That file contains:
Metadata
(name / description)
Instructions
(the actual steps)
Optionally:
scripts
and other bundled assets
That sounds benign because it looks like documentation. But documentation is exactly what people follow quickly, especially when it looks like a prerequisite list or installation guide.
Skills also have a “winner takes all” dynamic: people gravitate to what’s popular, what’s new, and what looks like it will save time. That makes a public skills marketplace a high-value target: compromise a few top downloads, and you can reach a concentrated set of power users — developers, operators, and anyone who has valuable credentials sitting on their machine.
The core trick: markdown isn’t “content” anymore — it’s an installer
Traditional software supply chain attacks often require technical investment: dependency confusion, typosquatting, malicious post-install scripts, maintaining control over a package name, and dodging scanners.
A skills marketplace lowers the bar.
A malicious skill can do something as simple as this:
Present a plausible tool (“Twitter skill,” “crypto tracker,” “automation helper”).
Add a “Prerequisites” section with a “required dependency.”
Provide a convenient link and a one‑liner command.
Rely on the human (or the agent) to execute it.
That’s not a new social engineering idea — it’s been used for years — but agent workflows
amplify
it:
Agents summarize docs confidently (“Just run this to install the dependency”).
Agents reduce friction by generating the command for you.
In some setups, agents can run shell commands themselves.
At that point, “documentation” becomes a remote execution path.
What the reports say happened in the OpenClaw ecosystem
Multiple write-ups describe a campaign in which attackers uploaded large numbers of malicious skills to the ClawHub marketplace and used “setup steps” to deliver infostealing malware.
According to 1Password’s Jason Meller, a top-downloaded skill included instructions that funneled users into a staged delivery chain: a link to a “dependency,” an obfuscated command, and then a payload that ultimately installed an infostealer designed to raid the machine for valuable secrets.
CyberInsider, citing research from Koi Security, describes a similar pattern at scale: trojanized skills with “Prerequisites” instructing users to run obfuscated shell scripts or download password-protected archives, culminating in payloads such as Atomic macOS Stealer (AMOS) — a malware family associated with credential theft and wallet targeting.
Whether the exact counts differ between reports, the
shape
is consistent:
Skills used as distribution
“Prerequisite” instructions used as persuasion
Infostealers used as the end goal
That end goal matters: modern infostealers aren’t after one password — they’re after
session tokens
,
browser profiles
SSH keys
cloud credentials
, and
crypto wallets
. In other words: the stuff that turns one compromised laptop into a broader compromise.
Why agents make this worse than a normal scammy download link
If you’ve ever thought, “I wouldn’t fall for that,” you’re probably right when you’re calm and skeptical.
But agent workflows change the context:
Speed becomes the default.
You’re using an agent because you want to move quickly.
Cognitive load is outsourced.
The agent turns a messy instruction page into a confident checklist.
Authority is borrowed.
If the agent says “This is the standard dependency,” it feels vetted.
In other words: the agent doesn’t need to be “tricked” in a technical sense. It just needs to be present while you’re being nudged to do a risky thing. That’s enough to tip behavior.
And if you
do
allow the agent to run commands directly, a malicious skill can become “hands-free compromise.”
‘But what about MCP? Isn’t that supposed to make tools safer?’
Model Context Protocol (MCP) is a real step forward for structuring tool access. It standardizes how hosts expose tools, resources, and prompts, and it emphasizes user consent and control.
However, MCP doesn’t magically make “skills” safe.
Why?
Skills can instruct users to run commands outside the MCP boundary.
Skills can link to scripts or downloads that never touch MCP.
Not every skill uses MCP at all.
MCP can help when the host implements strong permissioning, clear consent prompts, logging, and safe defaults. But a markdown-based distribution mechanism can still route around it through plain old social engineering.
This is the agent version of supply-chain security (and we’ve been here before)
The software world learned the hard way that:
Popular registries get abused.
Typosquatting works.
“Install this helper” is a common entry point.
The most valuable victims are the ones building things.
Skills marketplaces combine those lessons with two new accelerants:
The “package” can be instructions
, not code — and instructions are harder to scan reliably.
The runtime environment is credential-rich
by design: browsers logged into everything, terminals with SSH keys, cloud CLIs, password managers, and local files.
In a sense, a skills marketplace is an app store where the top apps are allowed to say “Copy-paste this into Terminal to enable the feature.” That’s not a solvable problem with one checkbox.
Practical defenses (for normal users)
If you’re experimenting with an agent that has local access, you need to treat it like a new operating system user with superpowers.
Here’s the pragmatic baseline:
Use a dedicated machine or VM
for agent experiments. No saved corporate logins. No production SSH keys. No cloud admin sessions.
Default to “no” on one-liner installers.
Especially anything that pipes curl into sh, uses base64, or asks you to remove OS protections.
Don’t trust “top downloaded.”
Popularity is a growth hack, not a security model.
Rotate what matters first if you already ran something.
Browser sessions, SSH keys, API tokens, cloud keys.
Prefer skills that are source-controlled and reviewable
(Git repos with history, known maintainers, clear provenance).
What marketplaces should do (if they want to survive)
If you run a public skills registry, you are running an attack surface.
A few practical steps that meaningfully raise attacker cost:
Publisher reputation and provenance
(verified identities, history, signing).
Automated scanning
for suspicious patterns (encoded payloads, obfuscated one-liners, quarantine removal, password-protected archives, “install core dependency” with offsite links).
Warning UI friction
for external links and shell commands.
Fast takedown and visible incident response
(treat it like an app store, not a pastebin).
None of these are perfect, but they buy time — and time is what defenders need.
What agent builders should assume going forward
If you’re building the agent runtime itself, assume skills will be weaponized.
That means:
Default-deny command execution
(require per-command consent, not once-and-forever toggles).
Strong sandboxing
for file system and browser access.
Scoped, time-bound permissions
with easy revocation.
Auditable logs
of what the agent read and what it executed.
The end state is the same direction the cloud took years ago: identity, policy, least privilege, and audit trails — but brought down to the workstation level.
Bottom line
The OpenClaw skills story isn’t just “some people uploaded malware.” It’s a preview of the next supply-chain battlefield:
skills as distribution, markdown as an execution path, and agents as the accelerator.
If agents are going to live on our personal and work machines, the ecosystem needs a trust layer that treats skills marketplaces like app stores, treats documentation like code, and treats “helpful automation” as a privileged operation — not a casual convenience.
Sources
https://www.theverge.com/news/874011/openclaw-ai-skill-clawhub-extensions-security-nightmare
https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface
https://cyberinsider.com/341-openclaw-skills-distribute-macos-malware-via-clickfix-instructions/
https://agentskills.io/what-are-skills
https://modelcontextprotocol.io/specification/2025-06-18
Previous Post
Next Post
oEmbed (JSON)
oEmbed (XML)
JSON
View all posts by Admin
Ikea’s bargain Matter-over-Thread devices are stumbling at the hardest step: getting connected
Should AI chatbots have ads? What Anthropic’s ‘no ads’ stance really means
Malicious AI-agent ‘skills’ are turning documentation into a distribution channel for infostealers. Here’s how it works — and how to defend against it.
Document Title
Page not found - Florin.blog
Image Alt
Florin.blog
Title Attribute
Florin.blog » Feed
RSD
Skip to content
Placeholder Attribute
Search...
Page Content
Page not found - Florin.blog
Skip to content
Home
Blog
Garden Decor
Indoor
Main Menu
This page doesn't seem to exist.
It looks like the link pointing here was faulty. Maybe try searching?
Search for:
Search
Quick Links
Outdoors
About
Contact
Explore
Bestsellers
Hot deals
Best of The Year
Featured
Gift Cards
Help
Privacy Policy
Disclaimer
: As an Amazon Associate, we earn from qualifying purchases — at no extra cost to you.
Florin.blog
Florin.blog » Feed
RSD
Search...
l Slovenščina