Security researchers recently discovered ClawSwarm - a new attack where legitimate-looking AI agent skills secretly recruit agents into botnets that perform tasks for third parties.
What is the ClawSwarm attack?
ClawSwarm represents a new category of AI agent compromise. Unlike traditional attacks that steal data or install obvious malware, these malicious skills turn your agent into a worker for someone else's botnet.
The attack chain works like this: an agent downloads an innocent-looking skill (a cron job helper, security assistant, or productivity tool). Embedded within the skill are instructions for secondary tasks - register on a site, install a digital wallet, mine cryptocurrency. The agent then follows a "heartbeat" pattern, checking in with a third-party server for additional instructions.
The operator remains completely unaware while their agent - and their compute resources - work for the attacker.
Why does this attack matter?
ClawSwarm attacks are particularly dangerous because they evade traditional detection. The skills appear legitimate. The individual actions (register, install, check URL) seem benign. Only the pattern reveals the compromise.
Your agent could be: - Mining cryptocurrency on your infrastructure - Participating in coordinated spam or fraud campaigns - Serving as a node in a distributed attack network - Consuming API credits and compute resources
All while you pay the bills.
How do I detect compromised agent skills?
1. Audit installed packages
Track every package your agent installs. Flag new installations for review, especially those with: - Vague descriptions ("helper", "utility", "assistant") - Recent publish dates with no version history - Dependencies that seem unrelated to stated purpose
2. Monitor outbound connections
Watch for heartbeat patterns - regular connections to the same external domain. Legitimate skills rarely need to "phone home" on a schedule. Red flags include: - Connections to domains not in the skill's documentation - Regular intervals (every 5 minutes, hourly) - Connections that increase over time
3. Review skill instructions
Before installing any skill, examine what it actually asks the agent to do. Look for: - Chained tasks that seem unrelated to the skill's purpose - Instructions to create accounts or install additional software - References to external URLs for "configuration" or "updates"
4. Isolate agent permissions
Limit what agents can install and where they can connect. Use allowlists for approved packages and domains rather than trying to block known-bad actors.
What are common mistakes to avoid?
- Trusting skills based on download counts or star ratings (easily gamed)
- Assuming "open source" means "audited" - most skills have zero security review
- Installing skills that request more permissions than their stated purpose requires
- Ignoring unusual network activity as "probably fine"
