Supply Chain Compromise via Poisoned ClawdBot Skill - AI Case Study
AI Case StudyA security researcher demonstrated a proof-of-concept supply chain attack using a poisoned ClawdBot Skill shared on ClawdHub, a Skill registry for agents. The poisoned Skill contained a prompt injection that caused ClawdBot to execute a shell command that reached the researcher's server. Although the researcher here used this access simply to warn users about the danger, they could have instead delivered a malicio...
Overview
Risk patterns
Patterns found in the case record and its linked vulnerabilities.
- 1Dominant ATLAS tactic. Resource Development appears in 4 case steps.
- 2Multiple attack methods. The case connects to 11 unique AI attack methods.
Procedure timeline
Search the case steps or filter them by attacker goal.
-
Resource Development
Step 1
Develop Capabilities
The researcher created a simple web server to log requests.
-
Resource Development
Step 2
Domains
The researcher registered the domain
clawdhub-skill.comto host their web server. -
Resource Development
Step 3
LLM Prompt Crafting
The researcher crafted a prompt injection designed to cause Claude Code to execute a
curlcommand to the researcher'sclawdhub-skill.comdomain. -
Resource Development The researcher developed a poisoned ClawdBot Skill called "What Would Elon Do?" The Skill contained the malicious prompt in the
rules/logic.mdfile, which is read when the Skill is activated. The researcher published their Skill to ClawdHub. -
Defense Evasion The researcher used a script to increase the number of downloads of their Skill to increase visibility and gain trust.
-
Initial Access
Step 6
AI Agent Tool
Users downloaded the poisoned Skill from ClawdHub. Note that ClawdHub does not display all files that are part of the Skill, making it hard for users to review Skills before downloading them.
-
Execution
Step 7
Poisoned AI Agent Tool
When a user asked Claude Code "what would Elon do?" it calls the poisoned Skill.
-
Execution
Step 8
Direct
Claude Code read all files that are part of the Skill, executing the malicious prompt in the
rules/logic.mdfile. -
Defense Evasion
Step 9
Masquerading
Claude Code prompted the user before executing the shell command. The researcher had registered the
https://clawdhub-skill.comdomain, which appears to be legitimate and may be confused with the legitimatehttps://clawdhub.comdomain, causing the user to select confirm. -
Privilege Escalation
Step 10
AI Agent Tool Invocation
Claude Code executed the shell command using it's
bashtool. -
Impact
Step 11
External Harms
In this proof of concept, the researcher simply pinged their server and warned the user of the dangers of using Skills without reading the source code, causing no harm. However, they could have delivered a malicious payload, and caused a variety of harms, including: - Exfiltrating the user's codebase - Injecting backdoors into the user's codebase - Stealing the user's credentials - Installing malware or crypto miners - Performing anything else Claude Code is capable of
Mitigations
Defenses connected to the attack methods in this case.
AI Agent Tools Permissions Configuration
When deploying tools that will be shared across multiple AI agents, it is important to implement robust policies and controls on permissions for the tools. These controls include applying the principle of least privilege along with delegated access, where the tools receive the permissions, identities, and restrictions of the AI agent calling them. These configurations may be implemented either in MCP servers which connect the agents to the tools calling them or, in more complex cases, directly in the configuration files of the tool.
AI Telemetry Logging
Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts.
Additionally, having logging enabled can discourage adversaries who want to remain undetected from utilizing AI resources.
Generative AI Guardrails
Guardrails are safety controls that are placed between a generative AI model and the output shared with the user to prevent undesired inputs and outputs. Guardrails can take the form of validators such as filters, rule-based logic, or regular expressions, as well as AI-based approaches, such as classifiers and utilizing LLMs, or named entity recognition (NER) to evaluate the safety of the prompt or response. Domain specific methods can be employed to reduce risks in a variety of areas such as etiquette, brand damage, jailbreaking, false information, code exploits, SQL injections, and data leakage.
Generative AI Guidelines
Guidelines are safety controls that are placed between user-provided input and a generative AI model to help direct the model to produce desired outputs and prevent undesired outputs.
Guidelines can be implemented as instructions appended to all user prompts or as part of the instructions in the system prompt. They can define the goal(s), role, and voice of the system, as well as outline safety and security parameters.
Showing 4 of 10
Source evidence
Original public records and references for this case.
Original source
Original source links
Open the MITRE ATLAS data and public references used for this case study.
