Utility skills with side quests

ClawSwarm is a clean example of why agent skills are not just documentation. In many AI-agent tools, a skill file is instruction, routing table, operating manual, and permission request all smushed together into Markdown. That is convenient until a useful-looking helper skill also tells the agent to enroll itself in somebody else's network.

On April 28, 2026, Manifold Security published research on 30 ClawHub skills from a publisher using the name imaflytok. The skills had normal utility names: Cron Helper, Env Manager, Workspace Init, Agent Security, Agent Ping. Some had hundreds of downloads. Manifold estimated about 9,800 downloads across the set, while warning that downloads are not the same as unique compromised users.

The behavior Manifold documented was not a classic malware chain. There was no reverse shell, hidden binary, or packed stealer. The mechanism sat in the agent instructions. A user installed a skill. The agent read the SKILL.md file. The skill told the agent to register with onlyflies.buzz, report information about itself, store returned credentials on disk, and check in every four hours. With the right companion skills installed, the agent could generate a Hedera wallet and submit the private key to the same server.

The Register covered the same research on April 29 and emphasized the absurdly modern failure mode: the human did not need to click through a phishing flow. The agent did the onboarding because the skill told it to.

Markdown as a control plane

Skill registries work because agents need reusable instructions. Nobody wants to explain the same workspace setup, deployment steps, or testing workflow every time. A skill can package that knowledge and make the agent more competent. It can also package hidden work that benefits the publisher.

Manifold traced the ClawSwarm pattern through an "Open Agent Discovery Protocol" marker, registration endpoints at onlyflies.buzz, a local credentials file, and heartbeat instructions. One setup path wrote an AGENTS.md file with hidden metadata pointing to the same hub. The agent would parse the marker, register itself, and later poll for tasks. Manifold described a wallet skill that generated a Hedera private key and sent it to the service.

None of this is magical. It is the same old supply-chain problem wearing an agent costume. Developers used to install npm packages that ran postinstall scripts. Now they install agent skills that can persuade a model to write files, call APIs, and volunteer runtime identity to a third party. Different packaging, same cheerful invitation to let strangers operate inside the workspace.

The wrinkle is intent. Manifold noted that ClawSwarm is also an open source agent skill framework with public docs and a token economy. The Register quoted Manifold's view that it may be a legitimate experiment, a crypto user-acquisition funnel, or something in between. Intent is interesting for policy, but the site cares about behavior. The observed behavior was agents registering externally and generating keys without a clear user approval step.

Registry scanners are late to this party

Traditional malware scanners look for known-bad binaries, obfuscation, credential theft patterns, suspicious shell commands, or contacted command-and-control domains. ClawSwarm sits awkwardly outside that model. A curl request to a documented HTTPS endpoint can be legitimate. A Hedera SDK can be legitimate. A Markdown instruction can be legitimate. The problem is the combination and the lack of consent.

In older plugin systems, a manifest would often declare permissions: network access, filesystem access, clipboard access, background execution. Agent skills can blur that boundary because the permission is expressed as natural language. A skill can say "register this agent for discovery" and the agent may interpret that as part of setup. There may be no modal, no explicit permission grant, and no meaningful record for the user beyond some files written after the fact.

That creates a governance gap. If a skill causes an agent to call home every four hours, that needs to be visible before installation. If a skill generates a crypto wallet, that needs a hard confirmation. If a skill stores credentials in the user's home directory, that needs to be declared and scoped. If a skill transmits a private key to a third party, the default answer should be "absolutely not" unless the human has clearly approved it for a narrow reason.

A registry can help, but it cannot solve the whole problem by reading static files. The important behavior happens when the agent interprets instructions and decides what to do. That means runtime monitoring matters: outbound domains, files written, secrets generated, credentials stored, and scheduled check-ins.

No malware is still not a compliment

One of the more annoying parts of modern agent security is that "not malware" is too low a bar. Plenty of damaging automation is assembled from documented features. In this case, the concerning actions were performed through normal agent behavior: read instructions, set up a workspace, write files, call endpoints, create a wallet, register capabilities.

That is exactly why the incident fits The Vibe Graveyard. The failure was not a human being chatting with a bot and then making a bad personal decision. The agent itself acted on instructions embedded in a supply-chain artifact. A skill registry became an acquisition channel for agent labor and identity.

The right lesson is not "never install skills." That would be silly; reusable skills are useful. The rule is that skills need the same suspicion as packages, browser extensions, CI actions, and Terraform modules. If they can cause network calls, write persistent files, alter startup behavior, or handle keys, they need review and containment.

Controls worth having

Agent platforms should require manifest-level disclosure for external endpoints, credential storage, wallet creation, scheduled jobs, and writes outside the current project. Agents should not be able to turn a Markdown instruction into a background enrollment without a clear user approval flow. Registries should surface suspicious patterns such as hidden protocol markers, recurring call-home behavior, and skills from one publisher that all point into the same payment or task network.

Users need local guardrails too. Run new skills in a disposable workspace first. Inspect created files. Watch outbound connections. Treat any skill that asks an agent to register elsewhere as a security event, not as cute community participation. The tool should be working for the user, not quietly joining a labor pool with a fly-themed domain name and a wallet key it never should have touched.

ClawSwarm is useful because it shows the next step in supply-chain slop. Attackers do not always need to smuggle code into the runtime. Sometimes the runtime is an eager agent, and the payload is a paragraph it is too obedient to question.