30 ClawHub skills secretly turn AI agents into a crypto swarm

Thirty ClawHub skills published under the username "imaflytok" have been silently enrolling AI agents into a cryptocurrency mining network without user knowledge or consent. The campaign, termed "ClawSwarm" by Manifold's security research lead Ax Sharma, operates through seemingly innocuous skills—ranging from cron helpers to security tools—that, once installed, cause agents to register themselves with an external server (onlyflies.buzz), report their capabilities and installed skills, generate Hedera crypto wallets, and check in every four hours for remote instructions. Critically, this occurs entirely outside the user's awareness or approval. The mechanism mirrors earlier token farming campaigns like Tea Protocol, which flooded package registries with malicious code, but ClawSwarm exploits the skill installation model instead. With approximately 9,800 combined downloads across the thirty skills, the campaign demonstrates how easily agent ecosystems can be weaponised at scale.

The implications for CX teams deploying agentic AI are substantial. If your organisation is implementing Salesforce Agentforce, Zendesk's AI agents, or similar platforms that rely on extensible skill frameworks, you face a governance blind spot: traditional security scanning cannot detect ClawSwarm-style attacks because the code itself is clean and the infrastructure is openly documented. The attack vector targets the agent runtime, not the human user, meaning your existing endpoint protection and malware detection will miss it entirely. This raises an uncomfortable question: how many organisations have visibility into what their deployed agents actually do once skills are installed, versus what they're supposed to do?

Sharma's assessment that this is fundamentally a policy problem rather than a security vulnerability places responsibility squarely on platform maintainers and enterprise governance teams. ClawHub maintainers cannot simply patch their way out of this; the solution requires runtime monitoring of agent behaviour, mandatory disclosure of network endpoints and wallet generation in skill manifests, and potentially stricter vetting of third-party skill publishers. For support leaders and CX consultants, this means auditing your agent deployments now—particularly any that use open-source or community-contributed skills—and establishing clear policies around which skills can be installed and what external communications agents are permitted to initiate. The question isn't whether ClawSwarm represents malicious intent or legitimate experimentation; the question is whether your organisation can actually answer what its agents are doing right now.
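
An audit of what deployed agents contact can start from egress logs. The following Python check is an added example, not code from the article, ClawHub or Manifold: it flags agent traffic to hosts outside an allowlist and marks destinations contacted on a steady four-hour cadence, the check-in interval reported above. The log format, agent id, allowlisted host and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: the hosts this deployment's agents are approved to contact.
ALLOWED_HOSTS = {"api.example-helpdesk.test"}
# Constructed egress log: "<UTC timestamp> <agent id> <destination host>"
SAMPLE_LOG = """\
2025-01-10T00:00:05Z agent-7 onlyflies.buzz
2025-01-10T00:12:41Z agent-7 api.example-helpdesk.test
2025-01-10T04:00:09Z agent-7 onlyflies.buzz
2025-01-10T06:30:00Z agent-7 cdn.example-docs.test
2025-01-10T08:00:02Z agent-7 onlyflies.buzz
2025-01-10T09:45:13Z agent-7 api.example-helpdesk.test
2025-01-10T12:00:11Z agent-7 onlyflies.buzz
"""

def parse(log):
    """Yield (timestamp, agent, host) per well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")

def audit_egress(log, allowed=ALLOWED_HOSTS, period_h=4.0, tolerance_h=0.25, min_hits=3):
    """Map (agent, host) -> finding for every destination outside the allowlist."""
    seen = defaultdict(list)
    for ts, agent, host in parse(log):
        if host not in allowed:
            seen[(agent, host)].append(ts)
    findings = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        # Steady cadence near period_h: the four-hour check-in the article describes.
        steady = (len(times) >= max(min_hits, 2)
                  and abs(median(gaps) - period_h) <= tolerance_h
                  and max(gaps) - min(gaps) <= 2 * tolerance_h)
        findings[key] = "periodic-checkin" if steady else "unapproved"
    return findings

if __name__ == "__main__":
    for (agent, host), finding in audit_egress(SAMPLE_LOG).items():
        print(f"{agent} -> {host}: {finding}")
```

A destination seen only once or at irregular intervals is still reported as `unapproved`, so the allowlist violation surfaces even before a cadence can be established.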