Three weeks ago, ClawHub had roughly 2,800 skills in its registry. Today it has over 10,700. In that same window, security researchers found more than 800 malicious packages — approximately 20% of the entire registry — primarily delivering Atomic macOS Stealer. One user uploaded 354 malicious packages in what appears to have been an automated blitz.

There was no static analysis. No code review. No signing requirement. Just an open door and a welcome mat.

The Marketplace Explosion

The skills marketplace isn't just ClawHub anymore. The landscape has fractured into a dozen competing registries, each with its own trade-offs between scale and safety:

SkillsMP leads with 96,000+ skills and Claude Code compatibility — but zero security audit. MCP.so hosts 17,000+ MCP servers with universal compatibility. SkillHub offers 7,000+ with AI-based quality scoring (though scoring doesn't check security — a distinction worth noting). And Vercel just entered with Skills.sh, a shell-based ecosystem they're positioning as "npm for AI agents."

The connective tissue across all of this is the SKILL.md open standard, adopted by Claude Code, Codex CLI, and Gemini CLI since Anthropic published it in December 2025. Skills are now portable across platforms. That's great for distribution. It's terrible for containment.

The Security Reality

The advisories arrived in a cluster last week, and they paint a grim picture:

Conscia found over 30,000 internet-exposed OpenClaw instances via Censys and Bitsight, many running without authentication. Bitdefender telemetry confirmed OpenClaw on corporate endpoints as "Shadow AI" — the enterprise security nightmare nobody planned for.

Microsoft published official guidance for running OpenClaw safely, covering identity, isolation, and runtime risk. When Microsoft writes security guides for your open-source project, that's simultaneously the ultimate adoption signal and a red flag about how many people are running it wrong.

Kaspersky documented the AMOS infostealer campaign targeting ClawHub skills specifically. SecurityWeek reported on CVE-2026-25253 — a CVSS 8.8 one-click RCE vulnerability patched in January but still unpatched on many instances. And The Register found that 7% of one major registry's skills were literally leaking API keys through the LLM context window.

The npm Parallel Is Exact

If this feels familiar, it should. The agent skills ecosystem is replaying the npm supply chain crisis at 10x speed. Open registry with low barriers to entry. Automated bulk publishing. Typosquatting. Malicious payloads hiding behind legitimate-sounding package names. The only difference is the attack surface — when a malicious npm package runs, it compromises your build pipeline. When a malicious agent skill runs, it compromises your agent, which has access to your files, your APIs, your credentials, and increasingly your entire digital life.

The responses are predictable and insufficient. VirusTotal partnered with ClawHub for automatic malware scanning — necessary but reactive. SecureClaw launched as an open-source auditing tool — useful but opt-in. The Snyk team found that 36% of scanned skills contained prompt injection, suggesting the problem extends well beyond traditional malware into the gray zone of skills that manipulate agent behavior without deploying a payload.

What Builders Should Do Now

If you're running OpenClaw or any agent framework with third-party skills:

Audit what you have installed. Run openclaw security audit --deep if available. Review skill permissions manually if not. Skills with writable path declarations, network access, or credential requests deserve extra scrutiny.

Pin versions and verify sources. Don't auto-update skills. Treat every update like a dependency upgrade in production — review the diff, check the maintainer history, verify the repository.

Cross-list if you publish. SkillsMP's 96K skills and Claude Code compatibility make it worth listing on multiple registries. But publish with security in mind: localhost-only where possible, minimal permissions, clear documentation of what your skill accesses and why.

The gold rush is real. The claims are being staked. But 20% of the territory is mined, and the prospectors are still running in barefoot.