Research brief

Data exfiltration in AI agent skills: how attackers steal credentials through ClawHub

The most damaging ClawHub attacks are not the flashy ones. They are the skills that quietly read your credentials and send them to an attacker-controlled server while appearing to do something useful.

Why this matters

  • Credential exfiltration via AI skills is a silent attack — the skill does its declared job and also reads your secrets.
  • Common targets include .env files, AWS credentials (~/.aws/credentials), SSH keys (~/.ssh/id_rsa), and environment variables.
  • Exfiltration paths include POST requests to attacker-controlled servers, DNS lookups, and WebSocket connections.
  • TrustSkills detects these patterns statically before you run the skill.

Why credential exfiltration is the highest-value attack

A skill that installs ransomware is visible. A skill that quietly reads your AWS credentials and sends them to a server in Eastern Europe is not. The attacker has days or weeks before you notice unusual API usage, and by then the credential has been used to provision infrastructure, enumerate your cloud environment, and exfiltrate data at scale.

This is exactly what the AMOS infostealer component of ClawHavoc was designed to do. It targeted macOS specifically because developer machines on macOS commonly hold credentials for cloud services, code repositories, crypto wallets, and browser-stored passwords — a concentrated attack surface accessible from a single compromised skill.

The files and variables attackers target

OpenClaw skills run in the context of the user's file system and environment. A skill with file system access can read any file the user's account can read. The highest-value targets are predictable.

  • .env files: Application configuration files that commonly store database credentials, API keys, and service tokens. Often located in project root directories.
  • ~/.aws/credentials and ~/.aws/config: AWS credential files that grant access to cloud infrastructure. A stolen AWS key with broad permissions can cost thousands of dollars in cloud resources within hours.
  • ~/.ssh/id_rsa and ~/.ssh/id_ed25519: Private SSH keys used for server access, code repository authentication, and CI/CD pipeline authentication.
  • Environment variables: Runtime environment variables that may contain tokens, secrets, or connection strings that are not stored in files.
  • Browser credential stores: On macOS, Chrome and Safari store passwords in locations accessible to user-level processes. AMOS specifically targets these.
  • Crypto wallet files: ~/.local/share/keyrings/, ~/Library/Application Support/MetaMask/, and similar locations.

How exfiltration is disguised

Competently written malicious skills do not contain obvious strings like 'steal credentials'. They use indirect patterns designed to pass casual code review.

Common techniques include:

  • appending credential file contents to a POST request that looks like a legitimate analytics or telemetry call;
  • URL-encoding or base64-encoding data in request bodies to obscure what is being sent;
  • reading files through environment variable interpolation rather than explicit file paths;
  • using short-lived DNS subdomains or rotating callback URLs to avoid static blocklists.

TrustSkills checks for all of these patterns statically — examining the skill's declared instructions, tool definitions, and any embedded scripts for exfiltration signatures before the skill ever runs.

What TrustSkills looks for

TrustSkills runs targeted static checks for the exfiltration patterns documented in real ClawHub incidents. For data exfiltration specifically, the scanner looks for references to credential file paths, environment variable reads combined with outbound network calls, POST request patterns that include sensitive file content, and C2 callback destinations associated with known attacker infrastructure.

When a skill triggers an exfiltration finding, the report identifies exactly which pattern was matched and explains the risk in plain English: what data the skill could access, where it would send it, and what the practical consequence would be if the skill executed.

Trusted sources

  • AuthMind (open source): "OpenClaw's 230 Malicious Skills: Agentic AI Supply Chains and Identity Security". Analysis of AMOS infostealer delivery via ClawHavoc and the credential types targeted.
  • VentureBeat (open source): "One command turns any open-source repo into an AI agent backdoor". Analysis of how supply chain techniques evade existing scanners and target developer credential stores.
  • Waxell (open source): "The OpenClaw Security Crisis: 135,000 Exposed AI Agents and the Runtime Governance Gap". Source for the scale of OpenClaw exposure and the runtime governance gap context.
