Thirty ClawHub skills published by a single author are silently co-opting AI agents and creating a mass cryptocurrency mining swarm – without any malware or user consent.
Agentic AI security outfit Manifold's research lead Ax Sharma spotted the skills on ClawHub, a registry and marketplace for OpenClaw skills.
A ClawHub user who goes by "imaflytok" published the skills, which have scored around 9,800 downloads. Sharma told The Register that this campaign – he calls it “ClawSwarm” – differs from past efforts to distribute malicious ClawHub code because it doesn’t use malware or target humans.
Instead, ClawSwarm targets the agents themselves and SKILL.md files, documents that give agents instructions on how to interact with other systems.
"ClawSwarm isn't a vulnerability disclosure," Sharma told us. "There's no flaw to patch and nothing covert about the infrastructure. It's an open source project on GitHub with public docs, a Telegram group, and a token on a public chain."
The campaign sees a user install a seemingly benign skill – these purport to be everything from a cron helper (903 downloads) to an Agent Security skill (685 downloads), a whale watcher (347 downloads), a cross-platform poster (292 downloads), and a predictions market integration (154 downloads).
The AI agent then registers itself at "onlyflies.buzz," a site that centers around $FLY tokens and "provocative" art.
After registering itself with the external server, the agent follows the instructions in a SKILL.md file and therefore reports its name and capabilities to the third-party, along with what skills it has installed.
The agent stores credentials on disk, checks in every four hours, and assuming the right skills are installed, it generates a Hedera crypto wallet and registers the private key with the same server. The human user doesn't approve any of this activity and doesn’t see it happening.
In addition to being the name of the crypto-swarm campaign Sharma documented, ClawSwarm is also an open source agentic skill framework on GitHub. The imaflytok's skills open at onlyflies.buzz are one such implementation of that framework.
"You can read all of this and conclude it's a small crypto community building agent infrastructure. Maybe it is," Sharma wrote. "But the mechanism is identical regardless of intent: an AI agent silently registering with a third party server, reporting its capabilities, generating crypto keys, and accepting remote tasks – all without the user initiating or approving any of it."
- OpenClaw reveals meaty personal information after simple cracks
- CEO spills the Tea about massive token farming campaigns
- Anthropic closes door on subscription use of OpenClaw
- DIY AI bot farm OpenClaw is a security 'dumpster fire'
It's similar to the earlier Tea Protocol token farming campaigns, in which more than 150,000 spammy packages flooded the npm registry to farm Tea points.
ClawSwarm, according to Sharma, "follows the same playbook," but uses skills instead of npm packages. "Whether ClawSwarm instances are a legitimate experiment in agent economics or a recruitment funnel for speculative crypto, the result for the user is the same: their agent is doing things they didn't ask it to do, for someone they don't know, with keys they didn't authorize," he wrote.
ClawHub maintainers did not immediately respond to The Register's inquiries, nor did the legitimate ClawSwarm open source framework.
Sharma says maintainers are in a tough position because it's not really a security problem, despite agents joining a network and generating wallets without their human user's approval.
"The registry layer is the wrong place to solve this," he told The Register. "A scanner looking for malicious code patterns finds nothing: the cURL calls are clean, the SDK is legitimate. What's needed is runtime visibility into what agents actually do once a skill is installed. Registries could require disclosure of network endpoints and wallet generation in skill manifests, but that's a policy question, not a security one." ®