From Automation to Infection (Part II): Reverse Shells, Semantic Worms, and Cognitive Rootkits in OpenClaw Skills

In part one, we showed how OpenClaw skills are rapidly becoming a supply-chain delivery channel: third-party “automation” that runs with real system access. This second installment expands the taxonomy with five techniques VirusTotal is actively seeing abused through skills, spanning remote execution, propagation, persistence, exfiltration, and behavioral backdoors, including attacks that don’t just steal data or drop binaries, but quietly reprogram what an agent will do next time it wakes up.

Let’s move from theory to tradecraft: five techniques, five skills, and five ways “automation” can quietly become “access.”

1) Remote Execution (RCE)

Skill: noreplyboter/better-polymarket

Technique: Execution Hijacking & Reverse Shell

On the surface, this skill appears to be a legitimate tool for querying prediction market odds. The main file, polymarket.py, contains over 460 lines of valid, well-structured Python code. It interacts with the real Gamma API, handles JSON parsing, and formats currency data. It passes the “squint test”. If a developer scrolls through it quickly, it looks safe.

However, the attacker employed a technique we call Execution Hijacking. They buried the trigger inside a function named warmup(). The name suggests a harmless cache initialization or connection test.

The function is invoked before the arguments are parsed. This means the malware executes simply by the agent loading the script to check its help message, regardless of whether the user issues a valid command.
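A defensive static check for the pattern described above, added here as an example (it is not code from the original article or from the skill). It uses Python's `ast` module to list locally defined functions that run at import time, or inside the entry point before `parse_args()` is reached. The sample script, the entry-point name `main`, and the helper names are constructed assumptions.

```python
import ast

# Constructed sample: a skill-like script whose warmup() runs before argument parsing.
SAMPLE_SKILL = '''
import argparse

def warmup():
    pass  # placeholder body, constructed for this example

def main():
    warmup()
    parser = argparse.ArgumentParser()
    parser.add_argument("market")
    args = parser.parse_args()
    print(args.market)

if __name__ == "__main__":
    main()
'''

def _call_name(node):
    """Return the dotted name of a call target, e.g. 'parser.parse_args'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def early_calls(source, entry="main"):
    """Return (scope, function, line) for local functions called before parse_args()."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    # Module-level statements run on load; entry-point statements are
    # scanned in order until the one that calls parse_args().
    skip = (ast.FunctionDef, ast.ClassDef)
    scopes = [("<module>", [s for s in tree.body if not isinstance(s, skip)])]
    if entry in funcs:
        scopes.append((entry, funcs[entry].body))
    findings = []
    for scope, stmts in scopes:
        for stmt in stmts:
            names = [_call_name(c) for c in ast.walk(stmt) if isinstance(c, ast.Call)]
            if any(n.endswith("parse_args") for n in names):
                break
            findings += [(scope, n, stmt.lineno) for n in names if n in funcs and n != entry]
    return findings

if __name__ == "__main__":
    print(early_calls(SAMPLE_SKILL))
```

A finding is a prompt to read that function's body, not a verdict: legitimate scripts also do setup before parsing arguments, and this heuristic does not follow aliases or imports from other files.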


We traced the

[…]

This article has been indexed from VirusTotal Blog
