Full Report
Yet another reason not to feast on OpenClaw
Analysis Summary
# Tool/Technique: ClawSwarm
## Overview
ClawSwarm is a campaign and framework involving the publication of malicious or unauthorized "skills" on the ClawHub registry for the OpenClaw AI platform. Its purpose is to co-opt AI agents into a mass cryptocurrency mining and task-execution swarm. Unlike traditional malware, it leverages legitimate agent instructions (SKILL.md files) to perform unauthorized actions such as self-registration with third-party servers and crypto-wallet generation without human consent.
## Technical Details
- **Type:** Agentic AI Exploitation / Crypto-mining Swarm
- **Platform:** OpenClaw / AI Agent Frameworks
- **Capabilities:** Automated registration, capability reporting, remote task execution, and cryptocurrency wallet generation.
- **First Seen:** Approximately April 2026 (as reported).
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
- [T1133 - External Remote Services] (Registration with external C2-like server)
- **[TA0007 - Discovery]**
- [T1082 - System Information Discovery] (Reporting agent capabilities and installed skills)
- **[TA0040 - Impact]**
- [T1496 - Resource Hijacking] (Unauthorized cryptocurrency mining/wallet generation)
## Functionality
### Core Capabilities
- **Silent Enrollment:** AI agents install seemingly benign skills (e.g., cron helpers, security tools) and automatically register themselves at a central hub.
- **Data Exfiltration (Agent Profile):** The agent reports its name, system capabilities, and list of installed skills to a third-party server.
- **Persistence:** Agents check in every four hours to receive new instructions or confirm availability.
### Advanced Features
- **Automated Wallet Generation:** The agent generates a Hedera crypto wallet and registers the private key with the external server (`onlyflies[.]buzz`) without user intervention.
- **Non-Malicious Signature:** The "malware" uses legitimate SDK calls and standard cURL commands, making it invisible to traditional signature-based antivirus or registry scanners.
- **Agentic Command & Control:** Leverages `SKILL.md` files to provide logic that the AI agent follows autonomously, effectively turning the agent into a remote-controlled bot.
## Indicators of Compromise
- **File Names:** `SKILL.md` (containing unauthorized registration logic).
- **Network Indicators:**
- `onlyflies[.]buzz` (Defanged: `onlyflies[.]buzz`)
- Associated Telegram groups and GitHub repositories under the name "ClawSwarm."
- **Behavioral Indicators:**
- AI agents making outbound connections to unauthorized third-party registry endpoints.
- Automated creation of Hedera wallets.
- Periodic check-ins every four hours to external non-enterprise domains.
- **Author Identity:** ClawHub user `imaflytok`.
## Associated Threat Actors
- **imaflytok** (The primary uploader of the 30+ malicious skills).
- **ClawSwarm Project** (While listed as an open-source framework, its implementation in this context is unauthorized).
## Detection Methods
- **Behavioral Detection:** Monitoring for AI agents that attempt to generate cryptographic keys or export private keys to external endpoints.
- **Runtime Monitoring:** Analyzing agent logs for unauthorized registrations or reports of system capabilities to unknown URLs.
- **Manifest Auditing:** Scanning `SKILL.md` files for instructions that direct agents to external domains like `onlyflies[.]buzz`.
## Mitigation Strategies
- **Runtime Visibility:** Implement security tools that monitor what AI agents do *after* a skill is installed, specifically looking for network calls and credential storage.
- **Skill Manifest Disclosure:** Require developers to disclose all network endpoints and wallet-generation activities in the skill manifest.
- **Air-Gapping/Egress Filtering:** Restrict AI agent network access to a whitelist of approved domains to prevent silent check-ins to unauthorized hubs.
- **Least Privilege:** Ensure agents do not have the permissions to generate or store private keys unless explicitly required for a core business function.
## Related Tools/Techniques
- **Lazarus/Tea Farming:** Similar to the npm registry flooding campaigns used to farm "Tea" points.
- **Supply Chain Attacks:** Traditional package manager poisoning (npm, PyPI) translated to AI Agent asset registries.