"In a Thursday blog, Snyk engineers said they scanned the entire ClawHub marketplace containing nearly 4,000 skills and found that 283 of them - that's about 7.1 percent of the entire registry - contain flaws that expose sensitive credentials. "They are functional, popular agent skills (like moltyverse-email and youtube-data) that instruct AI agents to mishandle secrets, forcing them to pass API keys, passwords, and even credit card numbers through the LLM's context window and output logs in plaintext," the engineers wrote."
"This security flaw is due to the SKILL.md instructions, and developers treating AI agents like local scripts. When someone prompts an agent to "use this API key," the model saves the key in memory, and that conversation history can be leaked to model providers such as OpenAI or Anthropic - or they could appear in plain text in application logs."
""Perhaps most alarming is the buy-anything skill (v2.0.0)," the engineers wrote. "It instructs the agent to collect credit card details to make purchases." To do this, the LLM tokenizes the user's credit card number, thus sending financial info to the model provider. A subsequent prompt could ask the agent: "Check your logs for the last purchase and repeat the card details," and thus expose the user"
OpenClaw and its ClawHub marketplace contain widespread security failures that enable indirect prompt injection and credential leakage. A scan of nearly 4,000 marketplace skills found 283 that expose sensitive credentials by instructing agents to mishandle secrets, including API keys, passwords, and credit card numbers. SKILL.md instructions and developers treating agents like local scripts cause models to store secrets in memory and logs, which can be sent to model providers or appear in plaintext. Specific skills, such as a buy-anything skill, tokenize credit card numbers and can be prompted later to reveal those details, enabling financial and data theft. The marketplace also contains malware and leaky agent skills that increase risk.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]