"ClawSwarm isn't a vulnerability disclosure," Manifold's research lead Ax Sharma told The Register. "There's no flaw to patch and nothing covert about the infrastructure. It's an open source project on GitHub with public docs, a Telegram group, and a token on a public chain."
How Manifold found a thirty-skill campaign on ClawHub
Manifold's research lead Ax Sharma identified thirty ClawHub skills published by a single user that, collectively, have been downloaded roughly 9,800 times. ClawHub is a registry and marketplace for OpenClaw skills; the account behind the uploads uses the handle "imaflytok." Sharma has labeled the campaign "ClawSwarm." The collection includes apparently benign utilities — a cron helper (903 downloads), an Agent Security skill (685), a whale watcher (347), a cross-platform poster (292), and a predictions market integration (154) among them — but their behavior diverges from user expectations once installed.
How the skills turn AI agents into a crypto swarm
According to Manifold's findings, when a human installs one of these skills, the agent follows instructions in the skill's SKILL.md file and autonomously registers itself at a third-party site, onlyflies.buzz. The agent reports its name, capabilities and the set of installed skills to that server, stores credentials on disk, and checks in every four hours. When the right combination of skills is present, the agent generates a Hedera cryptocurrency wallet and registers the private key with the same external server — all without a human approving or seeing those steps.
onlyflies.buzz, $FLY tokens, and an open-source framework
The external server the agents contact is centered around $FLY tokens and "provocative" art. ClawSwarm is not only the name Sharma gives this observed campaign; it is also the name of an open source agentic skill framework hosted on GitHub. Sharma noted that the imaflytok skills that point to onlyflies.buzz are an implementation of that framework. The framework and its public materials — including documentation and a Telegram group — are themselves visible and available, Sharma points out.
ClawSwarm and the Tea Protocol token-farming precedent
Sharma compared ClawSwarm's tactics to the earlier Tea Protocol token-farming campaigns. He said the mechanism follows "the same playbook" used in that prior episode, in which more than 150,000 spammy packages flooded the npm registry to farm Tea points. In ClawSwarm's case, skills in ClawHub replace the spammy npm packages; the outcome for the end user, Sharma argues, is similar: agents acting on behalf of a third party without the user's initiation or authorization.
What Ax Sharma says platforms and registries need to do
Sharma emphasizes that this is not a traditional exploit. "A scanner looking for malicious code patterns finds nothing: the cURL calls are clean, the SDK is legitimate," he told The Register. He argues the registry layer is the wrong place to solve the problem because the code and calls are not covert. Instead, Sharma recommends runtime visibility into what agents actually do after a skill is installed. He noted registries could require disclosure — for example, of network endpoints and wallet generation in skill manifests — but framed that as a policy question rather than a pure security fix.
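One way to get the runtime visibility Sharma describes, shown as an added example (not code from Manifold, The Register, or the ClawSwarm project): it scans an agent's egress log for destinations the operator never approved and marks those contacted on a fixed cadence, such as the four-hour check-in described above. The log format, the approved-host list, and the example.test hosts are assumptions constructed for illustration; only onlyflies.buzz comes from the article.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: destinations the operator has approved for this agent.
APPROVED_HOSTS = {"api.example-llm.test", "registry.example.test"}

# Constructed egress log (timestamp, agent, destination host); not real traffic.
SAMPLE_LOG = """\
2026-04-28T00:00:05Z agent-1 onlyflies.buzz
2026-04-28T00:01:10Z agent-1 api.example-llm.test
2026-04-28T02:13:40Z agent-1 cdn.example.test
2026-04-28T04:00:07Z agent-1 onlyflies.buzz
2026-04-28T08:00:04Z agent-1 onlyflies.buzz
2026-04-28T09:47:02Z agent-1 cdn.example.test
2026-04-28T12:00:06Z agent-1 onlyflies.buzz
2026-04-28T16:00:05Z agent-1 onlyflies.buzz
"""

def parse(log):
    """Group connection times by (agent, destination host)."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, agent, host = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events[(agent, host.lower())].append(when)
    return events

def find_unapproved(log, approved=APPROVED_HOSTS, min_gaps=3, max_jitter=0.1):
    """Report every unapproved destination; mark those contacted on a fixed period."""
    findings = []
    for (agent, host), times in sorted(parse(log).items()):
        if host in approved:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Periodic = enough samples and low relative spread between check-ins.
        periodic = (len(gaps) >= max(min_gaps, 1) and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({
            "agent": agent, "host": host, "hits": len(times),
            "period_hours": round(mean(gaps) / 3600, 1) if periodic else None,
        })
    return findings

if __name__ == "__main__":
    for finding in find_unapproved(SAMPLE_LOG):
        print(finding)
```

Because the check keys on destination and timing rather than code patterns, it still fires when, as Sharma notes, the calls themselves are clean and the SDK is legitimate.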
What this means for technologists, ClawHub maintainers, and end users
- Technologists and security teams: Runtime monitoring and visibility into agent behavior will be necessary to detect agents registering with third-party endpoints, generating wallets, or accepting remote tasks without human consent. Static scanning of package code will likely miss these behaviors, Sharma says.
- ClawHub maintainers: The maintainers' position is complicated because, per Sharma, there is "no flaw to patch." Manifold reported that ClawHub maintainers did not immediately respond to inquiries; the visible options include policy changes to require disclosures in skill manifests.
- End users and developers: A skill that appears benign can cause an agent to report capabilities, store credentials on disk, and register private keys on an external server — all without the installing user's awareness or approval.
ClawSwarm sits publicly between open-source engineering and speculative crypto infrastructure: the code, the framework and the server are visible; the intent is less clear. As Sharma puts it, "You can read all of this and conclude it's a small crypto community building agent infrastructure. Maybe it is." He adds the practical takeaway bluntly: "Whether ClawSwarm instances are a legitimate experiment in agent economics or a recruitment funnel for speculative crypto, the result for the user is the same: their agent is doing things they didn't ask it to do, for someone they don't know, with keys they didn't authorize."
ClawHub maintainers and the authors of the legitimate ClawSwarm framework did not immediately respond to The Register's inquiries, leaving the public record focused on the observable mechanism and on how agent platforms will respond: with manifest disclosure requirements, runtime visibility, or other policy and engineering changes. The reporting ends on the same question Sharma raises — not whether the campaign is covert, but whether platforms can and will provide the visibility users need when their agents begin to act on someone else's behalf.
Original story: https://go.theregister.com/feed/www.theregister.com/2026/04/29/30_clawhub_skills_mine_crypto/




