Malicious skills targeting Claude Code and Moltbot users

Submitters: "Please use the original title, unless it is misleading or linkbait." - https://news.ycombinator.com/newsguidelines.html

In this case the original title "ClawdBot Skills ganked all my crypto" was both linkbait and misleading, because (unless I missed it), the article describes no actual such incident.

I have not been following this whole thing closely, but this is where my mind went as soon as I heard there was some overlap in the popularity of this new un-sandboxed agent and people who are into crypto. It's like if everyone who is into buying physical gold started doing a Tiktok challenge to post pictures of their houses and leave their front doors unlocked.

People say the reason nigerian prince scammers use such ridiculous story, or bank phishing has so many typos, is to pre-filter dumb and gullible people so the scammers don't waste time on targets that won't get scammed in the end.

All these AI "hacks" seem to be based on the same principle.

Watching folks speed-run this whole thing is kind of funny from the outside.

I wonder if anyone with a correct mental model of how LLM agents work (i.e, does not conceptualize them as intelligent entities) has actually granted them any permissions for their own life... personally, I couldn't imagine doing so.

Let alone crypto, the risk of reputational loss for actions performed on my behalf (even just spamming personal or professional contacts) is just too high.

I'm reminded of the quip that "mankind has already created life in their own likeness, and it's the computer virus"

Anyone dumb enough to run this on their computer deserves it.

I'd call it "suspicious" that this latest idiocy came out of nowhere and got pushed so hard to normies, when results like this are 100% predictable... if it wasn't also consistent with how the AI industry itself operates.

This was inevitable, better now than later when the damage is less widespread. Now clawdbot (or whatever they decide to call themselves) will have to respond with better security safety nets. Individually will always naively download whatever is on the internet. Platforms needs to safeguard against that.

Remember the early days of Windows? yea it's gonna happen again with AI.

> I don’t know how many people are involved in managing the ClawHub registry, but there is no evidence that the skills listed there are scanned by any security tooling. Many of the payloads we found were visible in plain text in the first paragraph of the SKILL.md file.

I shouldn't still be shocked by the incompetence and/or negligence of these people, and yet I am.

Even outside skills, prompt-injection is still unsolvable and the agents need credentials to do anything useful so these things are basically impossible to secure.

Two things:

1. Predictable. [0]

2. So that is why all those moltys were panicking earlier. [1]

[0] https://news.ycombinator.com/item?id=46788560

[1] https://news.ycombinator.com/item?id=46820962

This is wild. Not sure if it's more of a reason not to use ClawdBot, or not to get into crypto.

I can understand the thought process, although I do not agree with it, of using Clawdbot/Openclaw. I do not understand the thought process of downloading random human-readable instructions or "skills" (especially those pertaining to the manipulation of crypocurrency) and giving it to something in charge of your system without at least reading them first.

I've heard people granting access to their production servers to this thing. Apparently you can ask it to check logs to find solutions to some errors or whatever. Gotta be a complete moron to do that.

I've only installed it on a fresh VM and the first impression was underwhelming. Maybe there is some magic I can't see.

I think we all knew this would happen quickly. Clearly there's a demand for personal AI agents - does anyone have thoughts on what it would take to make a more secure one? Would current services like email need to be redesigned to accommodate AI agents?

You can tell immediately which commenters here didn't read past the clickbait headline.

Ok I ask chat GPT sometimes for advice in health / Fitness and also finance. Not like where to put my money but for general Information how stuff works what would apply here and there. The issue is already that OpenAI knows a lot of me. And ChatGPT itself when asked what he things I am etc draws a pretty clear picture. But I stay away from oversharing specific things. That is mainly my income and other super detailed data. When I ask I try to formulate it to use simple numbers and examples. Works for me. When working with coding agents I’m very skeptical to whitelist stuff. It takes quite the while before I allow a generic command to be executed outside of a sandbox. But to install a random skill to help with Finance Automation… can’t belief it. Under what stone do you have to live to trust your money be handed by an agent and then also in connection with a random skill?

>Unless you have been living under a rock, you’ve head of ClawdBot and its incredible rise to fame.

I don't consider myself as living under a rock, and this is the first time I've read anything about ClawdBot.

Seems like essentially the same threat vector as with NPM.

Not quite related: I never heard of clawdbot before, so, I guess TIL that's the bot my website keeps getting requests that are obviously malicious from.

This thing is really just a giant supply chain attack waiting to happen.

So many years of work in Software and Hardware Engineering to separate instructions from data. NX bit, ASLR, prepared statements etc.

All out the door.

I’m not installing it so someone tell me, how are skills added in ClawdBot/OpenClawd?

MCPs and agents need their own antivirus and observation / evaluation.

Root cause: PEBKAC error

This is funny, I was discussing moltbook with Claude and it told me there's already a crypto. I thought that's pretty funny, I might want to get some, but can't be arsed to figure it out.

"Do you think I could just give molt a BTC wallet with a bit of funds and tell it to figure out how to buy some?"

-"Yes, but it wouldn't be long before you get pwned."

... Six hours later, this pops on the front page :)

Mine too, I dit not have any crypto so nothing changed.

That was fast.

Amazing how people love to self-pwn all the time by doing stupid shit.

You do have to hand it to crypto, it does enable "the great sort" quite effectively. Its more or less like an organic bug-bounty system sans morality.

Hahahahaha perfect. Just perfect. PT Barnum was right.

Well, sorry but “play stupid games, earn stupid prices”

Letting a glorified lorem ipsum generator have control over anything personal or sensitive is just … what’s wrong with you? You know not of computers?

play stupid games, win stupid prizes.

>Unless you have been living under a rock, you’ve head of ClawdBot and its incredible rise to fame.

Nope, never heard of it. Is it a rock worth living under?

Good catch!