Malicious Code in Skill Package - ATR-2026-00121 (62170b00-729f-5a19-a079-62c51137c832)
Detects malicious code patterns in SKILL.md files and associated scripts. 100% of confirmed malicious skills contain malicious code patterns (Snyk ToxicSkills, Feb 2026). Real campaigns: ClawHavoc delivered AMOS infostealer via base64-obfuscated payloads; threat actor "zaycv" published 40+ skills with automated malware generation; password-protected ZIP evasion bypasses static analysis. CVE-2026-25253 (CVSS 8.8): OpenClaw RCE via auth token exfiltration affecting 40,000+ instances.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Malicious Code in Skill Package - ATR-2026-00121 (62170b00-729f-5a19-a079-62c51137c832) | Agent Threat Rules | ML Supply Chain Compromise (d2cf31e0-a550-4fe0-8fdb-8941b3ac00d9) | MITRE ATLAS Attack Pattern | 1 |