A Fake Polymarket Skill Stole Solana Wallets: Inside the bob-p2p Attack

A ClawHub skill posing as a decentralized API marketplace tricked AI agents into storing wallet private keys in plaintext and purchasing worthless tokens. Here's how it worked.

TL;DR

• Threat actor 26medias published bob-p2p-beta on ClawHub, claiming to be a decentralized API marketplace
• The skill instructed AI agents to store Solana wallet private keys in plaintext
• It directed agents to purchase the worthless $BOB token on pump.fun
• All payments were routed through attacker-controlled aggregator infrastructure
• On-chain analysis confirms: aggregator wallet was funded directly by the $BOB token creator

The Setup: Two Skills, One Actor

The attacker published two skills under the same ClawHub account. The first, runware, was a legitimate-looking image generation tool — a credibility anchor. It worked as advertised, generating images via an API. Nothing malicious.

The second skill, bob-p2p-beta, arrived shortly after. It described itself as:

Professional README. Clean documentation. An NPM package. To a user — or an AI agent — it looked legitimate.

The Attack: What the Skill Actually Did

Step 1: Private Key Storage in Plaintext

The skill's SKILL.md contained instructions that told the AI agent to store the user's Solana wallet private key in a local configuration file — in plaintext. No encryption. No keychain integration. Just raw private key bytes sitting in a JSON file.

Step 2: Forced Token Purchase

Once the wallet was configured, the skill directed the agent to purchase $BOB tokens on pump.fun as "required collateral for the marketplace." The token had zero utility. Birdeye's risk assessment flagged it at 100% scam/rug probability.

Step 3: Attacker-Controlled Payment Routing

All API payments were routed through an "aggregator" wallet controlled by the attacker. On-chain forensics confirmed:

• The aggregator wallet received a 0.25 SOL transfer directly from the $BOB token creator wallet
• The two wallets shared transaction patterns consistent with single-entity control
• No legitimate marketplace infrastructure existed — the "API marketplace" was entirely fictitious

Why This Attack Worked

This attack is a masterclass in exploiting the Agent-Native trust chain:

The user never directly interacted with the malicious instructions. The AI agent read the SKILL.md, interpreted it as legitimate setup requirements, and presented them to the user as normal configuration steps.

IOC (Indicators of Compromise)

What ClawSafety Would Have Caught

• CS-SEC-001: Private key storage pattern in SKILL.md instructions
• CS-CFG-004: Prompt injection patterns directing agent to handle credentials
• CS-PRM-001: Skill requesting wallet/financial permissions for an "API marketplace"
• AI Analysis: Intent mismatch — skill claims to be an API marketplace but primary behavior involves wallet key management and token purchases

Lessons

1. Never trust a skill that asks for private keys. No legitimate skill needs your wallet private key in plaintext.
2. Credibility anchors are real. Attackers publish benign skills first to build trust before deploying the payload.
3. On-chain forensics matter. The wallet connection between the aggregator and token creator was the smoking gun.
4. AI agents need financial guardrails. An agent should never be able to initiate token purchases without explicit, out-of-band user confirmation.