Introduction
ClawHavoc malicious skills were designed to deliver infostealers like the Atomic macOS Stealer (AMOS). AMOS exfiltrates Keychain credentials, browser cookies, crypto wallets, and other sensitive data. When a user installed a malicious "productivity" or "news" skill from ClawHub, the skill ran AMOS in the background — silently stealing data while the agent appeared to function normally. This attack vector is why skill auditing is critical. The 340 malicious skills discovery included AMOS payloads. This post explains what AMOS is, how it was delivered via OpenClaw, and how to protect yourself.
The ClawHavoc campaign represented a new class of threat for the agentic ecosystem. Unlike traditional malware that relies on user error (clicking a link, opening an attachment), ClawHavoc exploited trust in the Skills supply chain. Users expected that skills from ClawHub would be vetted. They weren't — not initially. The result was a supply chain attack that delivered one of the most effective macOS infostealers to users who thought they were installing a productivity tool. The incident forced a reckoning: how do we secure an open ecosystem of user-installable extensions? The answer involves auditing, tooling, and a shift toward curated marketplaces. But first, understand the threat.
Imagine installing a "productivity booster" that actually boosts your productivity. It summarizes your emails. It syncs your calendar. It works. You're happy. Meanwhile, in the background, it's stealing your Keychain. Your browser cookies. Your crypto wallet files. You don't notice. The skill does what it promised. The theft is silent. That's the ClawHavoc pattern. The Trojan horse that actually delivers the horse. The malicious payload is the stowaway.
What Is AMOS?
Atomic macOS Stealer: commodity malware targeting macOS. Harvests: Keychain (passwords, tokens, API keys), Safari/Chrome cookies (session hijacking), crypto wallet files, SSH keys. Sends to attacker command-and-control (C2). Sold on dark web; used in multiple campaigns. AMOS is not OpenClaw-specific — it's a general infostealer. The ClawHavoc attackers used it as the payload for OpenClaw skills because Skills run with user privileges. Install a malicious skill, and it can run AMOS with full access to your Keychain and browser data.
AMOS is well-engineered. It targets the data that matters: credentials (Keychain, browser passwords), session tokens (cookies for Gmail, banking, social media), crypto (wallet files, seed phrases), and access keys (SSH, API keys). Once harvested, data is exfiltrated to the attacker's C2 server. The victim may not notice for days or weeks. By then, accounts may be compromised, crypto stolen, and infrastructure accessed. AMOS has been used in phishing campaigns, malvertising, and — as with ClawHavoc — supply chain attacks. It's a mature, widely-available threat.
Why OpenClaw skills? Because skills execute with the same privileges as the agent. If the agent has access to the user's filesystem (which it typically does, for reading documents and writing outputs), a malicious skill can access everything the user can access. Keychain. Browser profiles. SSH keys. The skill doesn't need to escalate privileges — it inherits them. ClawHavoc packaged AMOS inside skills that provided legitimate functionality. The user got a working news summarizer or calendar sync. They also got a silent infostealer. The Trojan horse pattern: useful on the surface, malicious underneath.
How It Was Delivered
Malicious skill: legitimate-looking Markdown/JS. User installs from ClawHub. Skill runs with agent privileges. Hidden payload fetches AMOS, executes. Agent continues to provide advertised functionality — maybe it summarizes news or syncs calendars. User unaware. Data exfiltrated over days or weeks. The skill was a Trojan: useful on the surface, malicious underneath. See 340 malicious skills for the scale of the problem.
The delivery mechanism was sophisticated. Skills are typically JavaScript or TypeScript with a Markdown manifest. The malicious skills contained obfuscated code that ran on load. The code would fetch the AMOS payload from a remote server (often a compromised CDN or a throwaway domain), write it to disk, and execute it. The execution happened asynchronously — the skill would continue to provide its advertised functionality while AMOS ran in the background. A user testing the skill would see it work. They wouldn't see the data exfiltration. The skill passed casual inspection. It took dedicated analysis to uncover the payload.
The ClawHavoc campaign used multiple skill names and descriptions. "Productivity booster," "News digest," "Calendar optimizer." The names were generic enough to attract installs. The skills were published by accounts that appeared legitimate — some had other, non-malicious skills. The attack relied on volume: publish many skills, get installs from users who didn't audit. By the time the security community identified the pattern, thousands of users had installed at least one ClawHavoc skill. The 340 malicious skills count included AMOS and other payloads. The scale was unprecedented for the agentic ecosystem.
Impact
Full compromise of macOS user: accounts, crypto, SSH access. ClawHavoc affected 12–20% of ClawHub skills at peak. Thousands of users potentially impacted. Foundation responded with VirusTotal scanning, SecureClaw, and roadmap for Extension Marketplace with formal review. If you installed a skill from an unknown publisher before February 2026, assume compromise. Rotate credentials. Check for unauthorized access.
The impact varied by user. Developers lost GitHub tokens, AWS keys, and SSH access. Crypto holders lost wallet files and seed phrases. Business users lost access to email, CRM, and cloud services. The common thread: the agent had access, and the malicious skill used that access to exfiltrate. Recovery required credential rotation across every service the user had used. For some, that was dozens of accounts. For others, it included infrastructure access — SSH keys that could be used for lateral movement. The Foundation's response was swift: VirusTotal integration for skill scanning, SecureClaw for local auditing, and a commitment to a curated Extension Marketplace. But for affected users, the damage was done.
Prevention
Audit skills before install. Run SecureClaw. Install only from verified publishers. Principle of least privilege: don't grant agent access to sensitive paths unless the skill genuinely needs it. The Extension Marketplace (when it launches) will provide vetted skills. Until then, treat every skill as suspicious. See ClawHavoc and SecureClaw. See OpenClaw security for the full best practices.
Concrete steps: (1) Run SecureClaw before and after installing any skill. Compare the output. New suspicious patterns? Don't install, or remove the skill. (2) Read the skill source code. If you can't understand it, don't install it. (3) Prefer skills from publishers with a track record. (4) Use principle of least privilege. Does the skill need filesystem access? Restrict it to specific paths. Does it need network access? Consider whether that's necessary. (5) Keep OpenClaw and skills updated. The Foundation and community patch vulnerabilities. Old versions are targets. (6) When the Extension Marketplace launches, prefer vetted skills. Until then, assume every skill could be malicious. Verify before you trust.
Wrapping Up
AMOS via ClawHavoc was a wake-up call for agentic supply chain security. Skills have power. Malicious skills abuse it. Audit before you install. The ecosystem is maturing — SecureClaw, VirusTotal, Extension Marketplace — but vigilance remains essential. See OpenClaw security for the full hardening guide.