Incident · curated 27 Jun 2026
First reported 24 Jun 2026 · 2d ago
Single-source incident — first reported, latest, and curated coincide.
Malicious skills distributed through an AI agent marketplace can deliver infostealers and compromise downstream users, highlighting the AI supply-chain attack surface.
OpenClaw reportedly removed five malicious packages from its ClawHub skills marketplace that bypassed security checks while containing infostealers and other threats, posing an AI agent supply-chain risk.
Why it matters
Malicious skills distributed through an AI agent marketplace can deliver infostealers and compromise downstream users, highlighting the AI supply-chain attack surface.