Guides · May 27, 2026 · 11 min read

AI Agent Marketplace: Why Unvetted Plugins Are the Biggest Security Risk in AI (And How to Find Safe Ones)

824 malicious AI agent skills rejected. Cisco found real-time data exfiltration. Here's how to evaluate AI agent marketplaces and find safe ones.

Shabnam Katoch

Growth Head


824 malicious skills rejected. A data exfiltration attack caught by Cisco. CrowdStrike issuing a formal advisory. The AI agent marketplace problem is real. Here's how to protect yourself.

Picture this. Your ops lead installs a "Google Calendar" skill from an AI agent marketplace. The skill works perfectly. Meetings get scheduled. Invites go out. Your agent handles calendar management like a champ.

For a week.

On day 8, the skill starts forwarding calendar invites to an external server. Meeting links. Attendee lists. Agenda notes. Internal project names. Client names. Everything your calendar knows about your company, quietly streaming to someone else's server.

Nobody notices for three months.

This isn't hypothetical. Cisco documented exactly this pattern with a third-party OpenClaw skill. A skill that looked legitimate, functioned as advertised, and was simultaneously exfiltrating data in the background.

And that's just one example. The ClawHavoc campaign planted 1,400+ malicious skills on ClawHub, the largest open marketplace for AI agent plugins. CrowdStrike published a formal enterprise security advisory about the risks. 824 skills flagged as actively malicious. Hundreds more with suspicious permission requests that didn't match their stated functionality.

If you're evaluating AI agent tools and thinking about which marketplace to trust, this matters. A lot.

What is an AI agent marketplace?

An AI agent marketplace is a directory where you find pre-built capabilities for your AI agent. Skills. Plugins. Tools. Connectors. Whatever the platform calls them, they all do the same thing: teach your agent how to interact with external services.

Want your agent to read Gmail? Install the Gmail skill. Want it to create Jira tickets? Install the Jira skill. Want it to search the web? Install the web search skill.

The concept is simple and genuinely useful. Nobody wants to build a Gmail integration from scratch every time they set up an agent.

The problem is how most marketplaces work. They're open registries. Anyone can publish a skill. The marketplace lists it. Users install it. The review process? Often nonexistent.

Think of it like an app store without Apple's review process. Just a directory where anyone can upload anything, and you're trusting that the person who uploaded the "Slack Integration" skill is who they say they are and that the code does what it claims.

[Figure: comparing marketplace models. An open marketplace lets anyone upload skills directly with no barriers, while a verified marketplace runs a multistep review (technical check, quality assessment, security audit, user acceptance) before publishing.]

Why unvetted marketplaces are the attack surface nobody talks about

Let me give you the specific numbers, because vague warnings don't help anyone make decisions.

ClawHub (OpenClaw's marketplace): 44,000+ skills available. Of those, the ClawHavoc campaign alone planted 1,400+ malicious skills. An independent audit found 824 that were actively harmful. Hundreds more had permission requests that didn't match their stated functionality. A "weather" skill requesting email access. A "calculator" skill requesting file system access. Red flags that went unnoticed because nobody was checking.

The Cisco finding: A Cisco security researcher found a third-party skill on an open marketplace that performed data exfiltration in real-time. The skill functioned correctly for its stated purpose (it actually worked as a calendar integration). But in the background, it was copying data to an external server. The skill passed basic functionality testing because it did what it claimed. It just also did something it didn't claim.

The CrowdStrike advisory: CrowdStrike published a formal security advisory specifically about AI agent marketplace risks in the OpenClaw ecosystem. The advisory warned enterprises that installing unvetted skills is equivalent to running untrusted code with access to your company's tools and data.

Every skill you install in your AI agent gets access to whatever that skill's permissions allow. If the skill is malicious, it has the same access. The marketplace is only as safe as its vetting process.

This isn't a problem unique to OpenClaw. Any open marketplace for AI agent skills faces the same risk. The question is whether the marketplace does anything about it.

What "verified" should actually mean

Most marketplaces that claim skills are "verified" mean one of two things: the skill installs without errors, or the developer provided their email address. Neither of those is security verification.

Here's what real verification looks like.

Code review. Does the skill actually do what it claims? Line by line. Not just "does it run," but "does it only do what the description says?" A Calendar skill should read and write calendar events. It should not make network requests to external servers that aren't Google's calendar API.

Permission audit. Does the skill request only the permissions it needs? A skill that manages your Google Calendar needs calendar access. It does not need access to your email, your file system, or your contacts. Excessive permission requests are the #1 indicator of malicious intent.

Network behavior analysis. When you run the skill in a sandboxed environment, where does it send data? A legitimate Gmail skill communicates with Google's API. If it's also sending data to a server in a different jurisdiction, that's exfiltration.

Ongoing monitoring. A skill that passes review today can be updated tomorrow with malicious code. Real verification includes monitoring for behavioral changes after updates. Not just checking once and calling it done.

Most marketplaces do zero of these four things. They're app stores without the review process.

[Figure: BetterClaw's 4-layer security audit pyramid. Layer 1 Automated Scan at the base, Layer 2 Permission Audit (where most skills get rejected), Layer 3 Network Analysis, and Layer 4 Human Review at the top.]

How BetterClaw's 4-layer security audit works

We built BetterClaw's skills marketplace specifically because the open marketplace model scared us.

Here's exactly what happens before a skill reaches our users.

Layer 1: Automated code scanning. Every submitted skill runs through automated analysis checking for known malicious patterns. Obfuscated code. Hidden network calls. Known exploit signatures. Base64-encoded payloads. This catches the obvious attacks and about 60% of the malicious submissions we receive.

Layer 2: Permission scope review. We compare what the skill claims to do against what permissions it requests. A Calendar skill requesting only calendar.read and calendar.write? Normal. A Calendar skill also requesting email.read, contacts.list, and files.readwrite? Rejected. Permission creep is the clearest signal of malicious intent, and it's the check most open marketplaces skip entirely.

Layer 3: Network behavior analysis. The skill runs in a sandboxed environment. We monitor every network request it makes. Legitimate API calls to the declared service (Google, Slack, HubSpot)? Expected. Connections to unrelated external servers? Rejected and flagged for deeper investigation.

Layer 4: Human review. Our security team manually reviews the skill's code, behavior, and permissions. This catches the sophisticated attacks that automated tools miss. Social engineering in skill descriptions. Legitimate-looking code with subtle data collection. Time-delayed exfiltration that only activates after a waiting period.
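As an added example, not BetterClaw's own code: a minimal version of the permission-scope (Layer 2) and network-egress (Layer 3) checks described above, plus the permission diff that ongoing monitoring after updates calls for. The policy table, permission names and sandbox log format are assumptions, and the sample skill data is constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical policy table (an assumption, not BetterClaw's): permission prefixes
# and API hosts a skill in each declared category may legitimately use.
CATEGORY_POLICY = {
    "calendar": {"perms": {"calendar"}, "hosts": {"www.googleapis.com"}},
    "email": {"perms": {"email"}, "hosts": {"gmail.googleapis.com"}},
}

@dataclass
class Finding:
    layer: str
    detail: str

def audit_permissions(category, requested):
    """Layer 2: each requested permission must fall inside the declared category."""
    allowed = CATEGORY_POLICY[category]["perms"]
    return [Finding("permission", f"{p} is outside declared scope '{category}'")
            for p in requested if p.split(".", 1)[0] not in allowed]

def audit_network(category, log_lines):
    """Layer 3: every egress destination seen in the sandbox must be a declared API host.
    Assumed log format: '<timestamp> CONNECT <url>'; other lines are ignored."""
    allowed = CATEGORY_POLICY[category]["hosts"]
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "CONNECT":
            continue
        host = urlparse(parts[2]).hostname
        if host not in allowed:
            findings.append(Finding("network", f"egress to undeclared host {host}"))
    return findings

def permissions_added(previous, current):
    """Ongoing monitoring: permissions that appear in an update need re-review."""
    return sorted(set(current) - set(previous))

def decide(category, requested, log_lines):
    findings = audit_permissions(category, requested) + audit_network(category, log_lines)
    return ("rejected" if findings else "approved"), findings

# Constructed sample: a "Calendar" skill that over-requests and phones home.
SUSPICIOUS_PERMS = ["calendar.read", "calendar.write", "email.read", "contacts.list"]
SANDBOX_LOG = [  # constructed; collector.example is a reserved documentation name
    "2026-05-27T10:00:01Z CONNECT https://www.googleapis.com/calendar/v3/events",
    "2026-05-27T10:00:02Z DNS www.googleapis.com",
    "2026-05-27T10:00:09Z CONNECT https://collector.example/upload",
]
```

Run `decide("calendar", SUSPICIOUS_PERMS, SANDBOX_LOG)` to see the skill rejected with two permission findings and one network finding; a skill that stays inside its declared scope and hosts is approved.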

The result: 200+ skills approved and available. 824 rejected. That rejection number isn't embarrassing. It's the point. Every rejected skill is one that would have reached users on an unvetted marketplace.

Even after approval, every skill runs inside an isolated Docker container per agent. Skills can't access other skills' data. They can't read the host filesystem. They can't communicate with other agents. If a skill somehow bypasses all four audit layers (hasn't happened yet, but we plan for it), the sandboxing limits the blast radius.

And here's the piece that ties everything together: secrets auto-purge. Any credentials your agent uses (API keys, OAuth tokens) are purged from agent memory after 5 minutes. AES-256 encryption while in memory. Even if a skill could somehow extract credentials, they expire before they're useful.

If you're an IT manager building the case for your CISO, those are the specifics you need. 4-layer audit. 824 rejected skills. Isolated Docker containers. Secrets auto-purge with AES-256. Full credential access logging with audit trails.

We wrote a deeper dive on the full AI agent security architecture if you want the complete picture.

How to evaluate any AI agent marketplace (the checklist)

Whether you choose BetterClaw or not, here's how to evaluate the safety of any AI agent marketplace. Print this out. Bring it to your vendor evaluation meeting.

1. Does the marketplace publish rejection statistics? If they won't tell you how many skills they've rejected, they're probably not rejecting any. BetterClaw: 824 rejected out of 1,024+ submissions.

2. Is there a documented security audit process? Not "we review skills" but specifically how. What layers? What checks? What tools? Vague answers mean vague security.

3. Can you see the permission scope before installing? Before you install a skill, can you see exactly what data it will access? If not, you're installing blind.

4. Is there a way to report suspicious skills? What happens when a user notices something wrong? Is there a process? A timeline for investigation?

5. Does the platform sandbox skill execution? Does each skill run in isolation? Can one skill access another skill's data? Can a skill access the host system?

If the answer to any of these is "no" or "I don't know," you're taking on risk you can't quantify. And "risk you can't quantify" is the phrase that makes CISOs say no.

BetterClaw answers yes to all five. The full skills marketplace is available for you to browse, including permission scopes, before you install anything.

If your organization is evaluating AI agent platforms and security is a priority (as it should be), BetterClaw's free plan gives you 1 agent, 100 tasks, and access to the entire verified skills marketplace. No credit card. $19/agent/month for Pro. Enterprise includes SSO, audit logs, and a dedicated CSM. Start here.

[Figure: CISO-ready marketplace evaluation checklist. Rejection stats, documented audit process, permission visibility before install, a reporting mechanism for suspicious skills, and sandboxed execution.]

What's in BetterClaw's verified marketplace

200+ skills across major categories:

Productivity: Google Workspace (Gmail, Calendar, Drive, Docs), Microsoft 365, Notion, Todoist.

Development: GitHub, GitLab, Jira, Linear, Sentry.

Communication: Slack, Discord, Telegram, WhatsApp, Teams.

CRM and Sales: HubSpot, Salesforce, Pipedrive.

Research: Tavily Search, web scraping, content analysis.

Data: Airtable, Google Sheets, PostgreSQL connectors.

Every skill is one-click install. Every skill runs in an isolated Docker container. Every credential interaction is logged with a full audit trail. Our post on the best AI agent builders in 2026 covers how BetterClaw's marketplace compares to other platforms' integration approaches.

The marketplace problem is a trust problem

Here's the honest truth about AI agent marketplaces.

The technology for building AI agents is moving faster than the security practices around them. Open marketplaces are growing at a pace that makes thorough vetting nearly impossible without deliberate investment. ClawHub went from 10,000 to 44,000+ skills in months. The ClawHavoc campaign exploited that growth.

Gartner predicts 40% of enterprise applications will embed AI agents by end of 2026. That means millions of skills being installed across thousands of organizations. If even 1% of those skills are malicious (and ClawHub's rate was closer to 3%), the aggregate exposure is enormous.

The fix isn't avoiding AI agents. The fix is choosing marketplaces where someone is actually checking.

Not every marketplace needs to run a 4-layer audit like BetterClaw. But every marketplace needs to run something. And you, as the person evaluating these tools, need to ask what that something is.

Your CISO will thank you for asking before deployment, not after the incident report.

If your organization is exploring AI agents and security is a gating factor (as it should be), we offer a free AI readiness audit. We assess your use cases, identify the highest-impact agent opportunities, and show you exactly how the security architecture works for your specific scenario. No commitment. No sales pitch. If the audit is useful and BetterClaw fits, we implement it. If not, you still walk away with a clear picture of what to look for in any AI agent marketplace.

Frequently Asked Questions

What is an AI agent marketplace?

An AI agent marketplace is a directory of pre-built skills, plugins, and tools that extend what your AI agent can do. Install a Gmail skill and your agent can read and send email. Install a Slack skill and it can post messages. The quality and safety of these marketplaces varies dramatically. Open marketplaces (like ClawHub with 44,000+ skills) have minimal vetting. Verified marketplaces (like BetterClaw with 200+ skills and 824 rejected) run multi-layer security audits before skills reach users.

How do I know if an AI agent plugin is safe to install?

Check three things before installing any AI agent skill or plugin. First, look at the permission scope: does the skill request only the access it needs? A Calendar skill requesting email access is a red flag. Second, check whether the marketplace has a documented security audit process. Third, verify that skill execution is sandboxed (isolated from other skills and the host system). BetterClaw's 4-layer audit (automated scan, permission review, network analysis, human review) and isolated Docker containers per agent address all three.

How does BetterClaw's skills marketplace compare to other AI agent marketplaces?

BetterClaw's marketplace has 200+ verified skills that have passed a 4-layer security audit. 824 submissions have been rejected for malicious behavior or excessive permissions. Every skill runs in an isolated Docker container. Credentials auto-purge from agent memory after 5 minutes. By comparison, open marketplaces like ClawHub have 44,000+ skills but minimal vetting, and the ClawHavoc campaign planted 1,400+ malicious skills that went undetected for weeks.

How much does it cost to use BetterClaw's verified AI agent marketplace?

The entire verified skills marketplace is included at every pricing tier. Free plan: $0/month, 1 agent, 100 tasks, access to all 200+ verified skills. Pro: $19/agent/month, unlimited tasks, all channels. Enterprise: custom pricing with SSO, audit logs, and dedicated CSM. You also bring your own LLM API keys (BYOK) with zero markup. There's no additional cost for marketplace access or individual skill installation.

Are AI agent marketplaces secure enough for enterprise use?

It depends entirely on the marketplace's vetting process. Open marketplaces with no security audit are demonstrably unsafe for enterprise use (CrowdStrike, Cisco, and multiple security researchers have documented active threats). BetterClaw's verified marketplace is designed for enterprise: 4-layer security audit, 824 malicious skills rejected, isolated Docker containers, AES-256 secrets auto-purge, full credential access logging, and enterprise plan with SSO and audit logs. 50+ companies including Carelon, Grainger, and Robert Half use it.

Tags: ai agent marketplace, ai agent skills marketplace, ai agent plugins, verified ai agent skills, ai agent plugin security, ai agent tools marketplace, ai agent integrations