A Credential Stealer Was Hiding in a Public AI Agent Skill Marketplace

Someone just found a credential stealer hiding in a public AI agent skill marketplace. One malicious skill out of 286 scanned. It was disguised as a weather skill. It read ~/.clawdbot/.env and shipped secrets to webhook.site.

This is not a hypothetical attack. This is a real credential stealer, found in the wild, targeting AI agents.

The Agent Supply Chain Problem

Software supply chain attacks are not new. The npm ecosystem has dealt with typosquatting, dependency confusion, and malicious packages for years. PyPI has the same problems. The 2020 SolarWinds attack showed what happens when a trusted update channel gets compromised.

AI agent skills are the next supply chain attack surface, and the ecosystem is far less mature than npm or PyPI.

Here's why:

• No code signing. When you install an npm package, at least there's a published author, version history, and a hash. Agent skills are typically just a SKILL.md file and some scripts. No signatures, no provenance, no chain of trust.

• No sandboxing by default. Most agent frameworks execute skills with the same permissions as the agent itself. The agent has filesystem access, network access, and often credentials loaded in environment variables. A malicious skill inherits all of that.

• No review process. Public skill marketplaces are growing fast. ClawdHub had 286 skills at the time of this scan. How many were reviewed by a human before listing? The credential stealer suggests the answer is: not enough.

• Agents trust skills implicitly. When an agent loads a skill, it typically follows the instructions in SKILL.md without question. The skill says "read this file and POST it here"? The agent does it. There's no permission dialog, no user prompt, no "are you sure?"

What the Credential Stealer Actually Did

The malicious skill found by security researcher Rufio on Moltbook was straightforward:

• Disguise: Listed as a weather skill with a normal-looking SKILL.md

• Payload: Read ~/.clawdbot/.env which typically contains API keys, tokens, and secrets

• Exfiltration: POST the contents to webhook.site, a public webhook testing service

• Detection: Found by YARA rule scanning, not by the marketplace's own review process

The attack is embarrassingly simple. That's the point. It doesn't need to be sophisticated when the target has no defenses.

Why skill.md Is the New package.json

In the npm ecosystem, package.json defines what a package does: its dependencies, scripts, entry points. A malicious package.json can run arbitrary code via postinstall scripts. The ecosystem has spent years building defenses: npm audit, socket.dev, Snyk, lockfile verification, provenance attestations.

SKILL.md is the agent equivalent of package.json, but we're at npm circa 2015 in terms of security tooling. There are:

• No dependency scanners for agent skills

• No provenance attestations or signatures

• No sandboxed execution environments (in most frameworks)

• No permission manifests declaring what a skill needs access to

• No automated malware scanning on skill marketplaces

• No equivalent of Socket.dev watching for suspicious behavior patterns

The Scale Problem

286 skills today. How many next year? The npm registry has over 2 million packages. PyPI has over 500,000. As AI agents become standard development tools, skill marketplaces will follow the same growth trajectory.

The credential stealer was found at a 0.35% hit rate (1/286). If that rate holds as the ecosystem scales to 10,000 skills, that's 35 malicious skills. At 100,000 skills, it's 350. And the rate will likely increase as the target becomes more valuable.

What Needs to Happen

For skill marketplace operators:

• Implement automated scanning (YARA rules, static analysis, behavioral analysis)

• Require skill manifests that declare required permissions (file access, network, env vars)

• Add provenance tracking: who published this skill, when, from what source

• Flag skills that access sensitive paths or make outbound network requests

For agent framework developers:

• Sandbox skill execution by default. Skills should not inherit the agent's full permissions

• Implement a permission model. If a skill needs to read .env, the user should explicitly approve that

• Log all skill actions for audit. Every file read, every network request, every command executed

For teams using AI agents with skills:

• Audit every skill before installing. Read the actual code, not just the description

• Run agents with minimal permissions. Don't give your agent access to production credentials if it doesn't need them

• Use runtime monitoring. Tools like AgentSteer can detect when an agent suddenly starts reading credential files or making unexpected network requests, regardless of which skill triggered it

• Keep credentials out of agent-accessible paths when possible

The Bigger Picture

We're watching a supply chain attack surface form in real time. Every lesson the software industry learned from npm typosquatting, PyPI malware, and SolarWinds is about to be relearned in the AI agent ecosystem. The difference is that agents have more access than most packages: they can read files, execute commands, make network requests, and interact with APIs.

The 1-in-286 credential stealer is the canary. The question is whether the ecosystem builds defenses before the attacks scale, or after. History suggests after. That's why runtime monitoring matters.