The article explains how malicious Claude Code skills can turn trusted coding-agent extensions into a supply chain attack path, especially when dynamic context commands run before the model can inspect them. It highlights the Clawsights example, where a skill attempted GitHub token theft, and shows how defenders can reduce risk by reviewing .claude/skills/, disabling shell execution, and monitoring developer workstations. #ClaudeCode #Clawsights #OpenClaw #ClawHub
Keypoints
- Claude Code skills can be loaded from enterprise policy, personal folders, project directories, plugins, nested folders, and added directories, creating multiple trust paths for attacker-controlled content.
- Malicious skills are dangerous because they can influence coding agents that already have access to source code, commands, credentials, and internal repositories.
- Dynamic context commands using ! execute before Claude sees the rendered skill, which bypasses model-level prompt injection defenses.
- The Clawsights skill posed as a Claude Code leaderboard but actually attempted to steal the user’s GitHub token and upload it to an attacker-controlled endpoint.
- In one test, Claude Opus 4.6 identified the Clawsights skill as malicious and refused to run it, but the dynamic context variant executed before the model could intervene.
- The same attack pattern could be used for source code reconnaissance, local secret discovery, package manager tampering, or staging additional payloads.
- Defensive guidance includes reviewing all .claude/skills/ locations, requiring code review for .claude/ changes, disabling skill shell execution, and monitoring for suspicious processes and network activity.
MITRE Techniques
- [T1059.004 ] Unix Shell – The skill used Bash-style command execution to run commands such as token retrieval and HTTP upload through the CLI. [‘! commands run before the model sees the rendered skill’]
- [T1552 ] Unsecured Credentials – The attack targeted GitHub authentication tokens and other sensitive developer credentials for theft. [‘retrieve the GitHub token’]
- [T1105 ] Ingress Tool Transfer – The malicious skill sent stolen data to an external server using curl to upload the token and report data. [‘sent that token to clawsights[.]com/api/upload via a curl command’]
- [T1027 ] Obfuscated Files or Information – The attack hid malicious behavior behind a supposedly benign leaderboard/report-upload workflow and nested skill loading paths. [‘under the guise that it is uploading a user report’]
- [T1204 ] User Execution – The attacker relied on a developer installing or trusting a skill from a repository or added directory. [‘a cloned repo can therefore bring skills into a trusted Claude Code session’]
Indicators of Compromise
- [Domain ] malicious upload endpoint and related infrastructure – clawsights.com, clawsights.attacker-controlled.example
- [Command/CLI ] credential collection and exfiltration via agent skill – gh auth token, curl -s -X POST https://clawsights.com/api/upload
- [File/Path ] skill locations and suspicious directories to inspect – ~/.claude/skills//SKILL.md, .claude/skills//SKILL.md
- [File/Path ] dynamic context and workspace artifacts referenced by the attack – ~/.claude/usage-data/report.html, .claude/skills/
- [Configuration ] potentially dangerous agent setting – disableSkillShellExecution: true
- [Network/URL ] API upload target used by the malicious skill – https://clawsights.com/api/upload, https://clawsights.attacker-controlled.example/api/upload