Thirty skills, one ClawHub author, around 9,800 downloads. That is the size of a campaign Manifold research lead Ax Sharma flagged this week: AI agents installing innocuous-looking helpers (a cron utility, an agent-security skill, a "whale watcher") and then quietly phoning home to a site called onlyflies.buzz, registering themselves, reporting their capabilities, and generating a Hedera wallet whose private key gets handed to the operator.
No malware. No exploit. No CVE coming.
How the recruitment works
The mechanic is almost boring once you trace it. A user installs one of the skills, published by a ClawHub account called "imaflytok." The agent reads the SKILL.md instructions, which tell it to register at the external endpoint, hand over its name and installed capabilities, write credentials to disk, and check back every four hours for new tasks. If the right Hedera skill is also installed, it spins up a wallet and ships the private key to the same server.
The human user signs off on none of this. They do not see it happening. The cURL calls are legitimate, the Hedera SDK is the official one, and the whole flow lives inside the natural-language instructions a skill is supposed to ship with.
That is the part worth sitting with. SKILL.md files exist so that agents can be told what to do without anyone writing a line of code. The Register, which broke the story Wednesday, called it a crypto swarm. Sharma will not quite call it that. He named the campaign ClawSwarm, but he is careful to say it is not a security disclosure either. There is nothing to patch.
Is this even a security problem?
Sharma's framing: the infrastructure is public. There is a GitHub org, a Telegram, a token on a public chain. Read it generously and it is a community experiment in agent economics. Read it less generously and it is a recruitment funnel for a speculative coin. The behavior is the same either way, which is the part Sharma keeps coming back to.
And that is the awkward bit for ClawHub's maintainers, who did not respond to The Register's questions. A static scanner finds nothing because there is nothing to find. The malicious payload, if you want to call it that, is an instruction in plain English telling an obliging language model to please register at this URL and please make a wallet.
"The registry layer is the wrong place to solve this," Sharma told The Register, which is a fairly bleak admission from someone whose job is finding things in registries. His suggestion: runtime visibility into what agents actually do, plus mandatory disclosure of network endpoints and wallet generation in skill manifests. A policy fix, not a patch.
One name, two things
Confusingly, ClawSwarm is also the name of an unrelated multi-agent framework on GitHub. The imaflytok skills are not part of that project. They tie back to the onlyflies.buzz "agent economy" site, which centers on a $FLY token and what its own homepage describes as provocative art.
Skills, not packages
The closest precedent is the Tea Protocol farming wave from late 2025, when more than 150,000 spammy packages flooded npm to harvest Tea points. Same playbook, different surface. Skills are smaller, lower friction, and a lot easier to publish: a one-week-old GitHub account is enough to ship one on ClawHub. And unlike npm packages, they do not have to do anything technically clever. They just have to ask the agent politely.
That is the unresolved bit. Earlier ClawHub research from Koi Security found 341 skills running classic supply-chain plays: Atomic Stealer payloads, reverse shells, credentials exfiltrated to webhook.site. Those at least look like attacks. ClawSwarm is harder to categorize because nothing is being stolen, exactly. The agent generates a brand-new wallet on its user's behalf and hands it off. The user loses nothing they had a minute ago. They have just been enrolled in something they did not agree to.
Whether that is enough to act on is now ClawHub's call. Manifold's disclosure went public Wednesday. As of Thursday morning the imaflytok skills are still listed.
