Introduction

A review of Skills on ClawHub identified over 340 malicious packages containing keyloggers, data exfiltration code, and backdoors. By early February 2026, these represented an estimated 12-20% of the registry. This finding was a watershed for agentic supply chain security. It drove the Foundation's partnership with VirusTotal for skill scanning and the roadmap for an official Extension Marketplace with formal auditing. The open registry model — anyone can publish — had a dark side. The 340 malicious skills proved it.

This post covers what was found, how the attacks worked, what the Foundation did in response, and what users should do to protect themselves.

The Review

Security researchers and Foundation staff conducted a manual and automated review of ClawHub. The review combined static analysis (scanning code for suspicious patterns), behavioral analysis (running skills in sandboxes and observing behavior), and VirusTotal submission. Result: 340+ packages with malicious behavior. Many were clones of legitimate skills with injected payloads. The names were designed to attract installs: "Productivity Pro," "News Digest," "Calendar Sync." Users would install thinking they were getting a useful skill. They got malware.

The scale was alarming. 12-20% of the registry. That's not a few bad apples — it's systemic. The open model enabled rapid innovation but also rapid abuse. The Foundation had to act.

Payload Types

  • Keyloggers: Capture keystrokes during agent use. When the user types a password or API key, the skill exfiltrates it.
  • Data exfiltration: Send files, credentials, and environment variables to attacker command-and-control (C2) servers. Skills have file system access. Malicious skills abuse it.
  • Backdoors: Establish persistent access for follow-on attacks. The skill runs once, drops a backdoor, and the attacker returns later.
  • AMOS/Infostealers: Atomic macOS Stealer and similar. Steal browser cookies, credentials, crypto wallets. Agent Skills run with user context — they can access what the user can access.

Attack Patterns

Common patterns: (1) Typosquatting — "openclaw-calendar" vs "openclaw-calendr". (2) Legitimate clone + payload — fork a popular skill, add malicious code, publish as "improved" version. (3) Dependency confusion — skill that pulls a malicious package from a different registry. (4) Social engineering — "Install this to get early access to feature X." Users trust; attackers exploit. The lesson: assume every skill is untrusted until proven otherwise.
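A check for the typosquatting pattern above, as an added example (not code from the Foundation or from SecureClaw): it compares installed skill names against an allowlist you maintain and flags near-misses. The allowlist entries other than "openclaw-calendar", the sample inventory, and the distance threshold are constructed assumptions.

```python
import re

# Constructed allowlist of names the user considers legitimate (assumption).
KNOWN_GOOD = ["openclaw-calendar", "openclaw-news-digest", "openclaw-mail"]

def normalize(name):
    """Fold case and separators so 'OpenClaw_Calendar' compares as 'openclawcalendar'."""
    return re.sub(r"[-_.\s]+", "", name.lower())

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "calednar" for "calendar".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def find_lookalikes(installed, known_good=KNOWN_GOOD, max_distance=2):
    """Return (installed_name, resembles, distance) for names close to, but not in, the allowlist."""
    findings = []
    for name in installed:
        if name in known_good:
            continue  # exact match to a trusted name
        n = normalize(name)
        for good in known_good:
            d = osa_distance(n, normalize(good))
            if d <= max_distance:
                findings.append((name, good, d))
                break
    return findings

if __name__ == "__main__":
    # Constructed inventory of installed skills.
    sample = ["openclaw-calendar", "openclaw-calendr", "openclaw_calendar",
              "openclaw-clendar", "weather-report"]
    for name, good, d in find_lookalikes(sample):
        print(f"{name!r} resembles {good!r} (distance {d})")
```

A distance of 0 means the name differs from a trusted one only in case or separators, which is worth the same scrutiny as a one-letter typo.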

Foundation Response

The Foundation integrated VirusTotal so that new skills are scanned before listing, with flagged skills removed. For user-side auditing there is the SecureClaw tool: run it against your installed skills. The roadmap is an Extension Marketplace with formal review. ClawHub remains community-run; the Foundation is building the replacement. The goal is a curated registry where every skill is audited before publication. Until then, the community registry carries risk.

User Action

Audit installed skills. Run SecureClaw. Remove any from unknown publishers. Prefer skills with many downloads, recent updates, visible maintainers. Check the source code if you can. Assume risk until the Extension Marketplace launches. See SecureClaw for the auditing tool. See Is OpenClaw Safe for the full security picture.

Lessons Learned

The 340 malicious skills taught the ecosystem: (1) Open registries need guardrails — scanning, reputation, review. (2) Skills are powerful — they run with user context. That power is a target. (3) Users need tools — SecureClaw, clear guidance, and eventually a safe default (Extension Marketplace). (4) Supply chain security is an agent problem — not just a traditional software problem. The ClawHavoc incident reinforced this. The ecosystem is maturing. Slowly.

Wrapping Up

The 340 malicious skills were a watershed for agentic supply chain security. The Foundation responded. Users must stay vigilant. See ClawHavoc and Extension Marketplace for the full response. Install only what you need. Audit what you have. The open ecosystem is powerful — and dangerous. Use it wisely.