ClawHub’s real ClawSwarm problem is silent agent enrollment

ClawHub's problem here is not that someone hid malware in a marketplace listing. It is that a skill, the instruction bundle people install to give an AI agent new behavior, can tell that agent to join an outside network, keep checking back for work, and chase crypto rewards without anything that looks like a real permission screen.

The sharper point is that the most important evidence does not sit in a security vendor slide deck. It sits in the public skill pages themselves. Manifold Security, the firm that named the campaign ClawSwarm, reported that one publisher called imaflytok uploaded 30 ClawHub skills and said those listings had drawn about 9,800 downloads. But the accountability question starts one layer lower than that disputed scale claim: the agent-starter-kit page on ClawHub embeds onlyflies.buzz registration and heartbeat endpoints, while the ClawSwarm Services Marketplace listing on ClawHub tells agents to register with that same service before using the marketplace.

That is why this reads less like classic malware and more like a governance failure in agent infrastructure. In the old model, defenders looked for a malicious binary, a poisoned package, or an obvious shell command. Here the control plane lives in plain-language instructions and startup metadata. Manifold reported that installed agents can store credentials on disk, check in every four hours, and, when the right skills are present, generate a Hedera wallet and register its private key with the same server. Even if you bracket the claims that rely only on Manifold, the public artifacts still show the softer but crucial version of the story: these skills openly tell agents to join the network, inspect open tasks, and track swarm counts on a four-hour loop.

The crypto incentives are not subtle either. The ClawSwarm Services Marketplace listing advertises HBAR bounties including 20 HBAR for registering three or more services, 30 HBAR for completing 10 service calls, and 50 HBAR for building a service with five or more unique callers. That means the listing is not merely asking an agent to hit a third-party API. It is trying to wire that agent into a remote labor market with its own rewards system. A founder might think they installed a productivity add-on. The skill may think it just recruited another node.

There is still some caveat discipline required. Manifold sells runtime visibility tooling, so it benefits from presenting this as a new class of agent-hijack risk. The public artifacts also do not prove that every download became an active swarm participant, and the much-cited 9,800-download figure belongs to Manifold unless ClawHub publishes its own aggregate. The public ClawSwarm repository on GitHub, which describes itself as a streamlined multi-agent alternative to OpenClaw, also reads more like open agent-ops experimentation than polished criminal infrastructure.

But the caveat does not rescue ClawHub from the harder question. If an outside network can recruit agents with documentation, marketplace listings, and a few lines of startup metadata, then malware scanning is only a partial defense. The real control point is whether ClawHub and the runtimes beneath it force skills to disclose outside registration, wallet creation, persistent polling, and bounty mechanics before installation. Agent ecosystems keep selling composability, the promise that small instruction bundles can extend behavior cheaply. This is the less marketable version of the same idea: the same composability can smuggle governance decisions into the instruction layer.

What to watch next is whether agent marketplaces start treating remote enrollment and incentive wiring as permissions that need to be surfaced and gated like any other sensitive capability. If they do not, the next swarm probably will not need malware at all. It will just need cleaner documentation.