1. Home
    2. »
  2. Blog
    3. »
  3. Incident Response
    4. » Spotting Threats in Autonomous AI: Essential Skills for Agentic Systems

Spotting Threats in Autonomous AI: Essential Skills for Agentic Systems

- Posted in Incident Response by - Permalink
Spotting Threats in Autonomous AI: Essential Skills for Agentic Systems

Background: The OpenClaw agentic solution has an interaction feature related to feeding independent developer skills from the specific marketplace. The feature name is 'skills,' which is misleadingly similar to extensions but for OpenClaw. This is creating more risks for the usual user, because at least recently, one researcher was able to spot from the marketplace about 300 skills that had hidden malicious execution. Having shared that information, I want to share how to spot them. But before that, let's understand how those malicious functionalities are leveraged by threat actors.

The way of abusing of "skills": Let's try to create own malicious skill based on which we can do some simple recon action before the main functionality of overall skills will be executed .

In this scenario let's do simple recon of victim machine who is running newly skills.md from any source .

enter image description here

If you look at the structure of the skill.md file, it is very easy to instruct OpenClaw to execute arbitrary commands before running the main, legitimate functions or processes. The interesting part of this "Prerequisite" section is that we can also use simple sentences, which makes detecting malicious skills more difficult.

As result of execution we see that our logic had worked and before doing any legitimate action the system had recon our system and notified to an attacker our information enter image description here

Way of detection of malicious "skills": Research shows that the user's skills are being stored in the CurrentUser/.Openclaw/workspace/Skills folder. Of course, this location depends on the user's current configuration. enter image description here

The second location for skills downloaded from the store is the global npm OpenClaw package folder named "skills". enter image description here

Detection methodologies:

  • YARA scanning: create simple YARA rules to scan the noted folder for suspicious keywords, strings, or hex patterns.
  • Threat‑intelligence enrichment: extract all URLs from the files and enrich them using one or more
  • LLM‑assisted analysis: aggregate context (file contents, YARA hits, TI results) and submit it to a trusted LLM to produce a contextual risk assessment. Combine the LLM output with the other signals to produce a final risk score.

Forensic methodologies: As a result of Linux trace research, it was found that on machines with auditd enabled the solution is traceable. Because each command has a PID, a forensic specialist or incident responder can trace the execution using the PID.

Conclusion: Attack vectors are becoming easier to execute, and today SIEM and other XDR/EDR solutions alone are not enough. It's time to use AI tools to help defenders against other AIs that will try to exploit our environment.

Tags:

Related posts

« »