In This Article

  1. 01Introduction
  2. 02What Happened
  3. 03The Attack Vector
  4. 04Malicious Payloads
  5. 05Why It Worked
  6. 06SecureClaw: Auditing Tool
  7. 07Prevention Best Practices
  8. 08Foundation Response
  9. 09Conclusion

Introduction

The ClawHavoc campaign was a large-scale supply chain attack targeting the ClawHub skill registry in early 2026. Attackers uploaded hundreds of malicious "skills" — modular Markdown files that OpenClaw agents can download to gain new abilities. By early February, an estimated 12-20% of the ClawHub registry contained malicious skills designed to deliver infostealers like the Atomic macOS Stealer (AMOS).

ClawHavoc wasn't the first supply chain attack in software—npm, PyPI, and Docker Hub have all been targeted. But it was the first at scale in the agentic AI ecosystem. The attack surface was new: not the application code, but the "instructions" that extend the agent. The lessons apply to any agent framework with a skill or plugin marketplace.

What Happened

ClawHavoc marked a shift in threat actor behavior: instead of attacking the OpenClaw software directly, they attacked the "agentic instructions" — the skills that extend agent capabilities. A user might ask their agent to "install a news digest skill," which then silently exfiltrates browser cookies, email tokens, and OpenClaw configuration files.

Because skills run with the agent's permissions, a malicious skill has access to everything the agent can access: filesystem, browser data, API keys stored in memory. The attack surface is the skill marketplace itself. The agent trusts the skill—it was "approved" by the user. The skill abuses that trust.

The campaign was sophisticated. Attackers didn't upload obviously malicious code. They created skills that actually worked—a "Tech News Digest" skill might aggregate news—while running a parallel payload in the background. Users got value; they didn't notice the exfiltration. By the time security researchers identified the pattern, thousands of users had already installed compromised skills.

The Attack Vector

  1. Upload: Attacker creates a skill with appealing name/description ("Tech News Digest", "Productivity Booster", "Calendar Sync Pro"). The description promises useful functionality. The skill passes a casual code review—it has real logic.
  2. Discovery: User searches ClawHub or asks agent to "find a skill for X." The malicious skill appears in results. It might have fake positive reviews or download counts. Social proof is easy to fake in early marketplaces.
  3. Install: User approves skill installation; agent downloads and loads the skill. The user thinks they're adding capability. They're adding a backdoor.
  4. Execution: Skill runs with agent privileges; malicious code exfiltrates data. The exfiltration might happen immediately or after a delay (to avoid suspicion). Data goes to attacker-controlled servers. User is unaware.

The skill's Markdown/JavaScript appears legitimate — it may even provide the advertised functionality while performing hidden malicious actions in parallel. This "trojan" pattern—useful functionality masking malicious payload—is what made ClawHavoc so effective. Users had no reason to suspect a skill that "worked."

Malicious Payloads

Common payloads observed in ClawHavoc skills:

  • Atomic macOS Stealer (AMOS): Exfiltrates Keychain, browser cookies, crypto wallets. Commodity malware, easily integrated. Full compromise of macOS user. See AMOS deep dive.
  • Token harvesters: Extract OpenClaw config, API keys, messaging platform tokens. Attackers use these to impersonate the agent, consume API credits, or access connected services. A single config file can contain 10+ credentials.
  • Backdoors: Establish persistent access for follow-on attacks. The skill might open a reverse shell, install a C2 agent, or create a scheduled task that phones home. The initial skill is just the foothold.
  • Keyloggers: Capture keystrokes during agent interactions. When the user types sensitive information—passwords, API keys—the keylogger captures it. Particularly dangerous for shared machines.

Skills were often disguised as productivity tools, news aggregators, or calendar integrations — use cases that justify filesystem and network access. "This skill needs to read your calendar" — true, but it also reads your Documents folder. The requested permissions were a cover for broader abuse.

Why It Worked

Several factors enabled ClawHavoc's scale. First, trust: users trusted ClawHub as a community resource. The concept of "malicious skills" wasn't on their radar. Second, permissions: skills run with full agent privileges. There was no sandbox. Third, velocity: OpenClaw's viral growth meant thousands of new users installing skills daily. Attackers could cast a wide net. Fourth, discovery: identifying malicious skills required manual analysis. Automated scanning wasn't mature. By the time researchers found one, ten more had been uploaded.

The Foundation's response—VirusTotal integration, SecureClaw, Extension Marketplace roadmap—addresses these. But the fundamental tension remains: skills need permissions to be useful. The more powerful the skill, the more dangerous if compromised. Users must adopt a "verify before trust" mindset.

SecureClaw: Auditing Tool

SecureClaw is an open-source auditing tool developed in response to ClawHavoc. It runs 55 automated checks to identify:

  • Misconfigurations (exposed Gateway, weak auth, auth-none mode)
  • Malicious skill patterns (suspicious network calls, file exfiltration code, eval(), obfuscation)
  • Outdated dependencies with known CVEs
  • Insecure credential storage (plaintext keys, weak encryption)

Run SecureClaw before and after installing new skills. Integrate it into your deployment pipeline for continuous validation. A clean SecureClaw run doesn't guarantee safety—determined attackers can evade detection—but it catches the majority of known-bad patterns. See SecureClaw guide.

Prevention Best Practices

  • Install only verified skills: Prefer skills with many downloads, recent updates, and visible maintainers. Check the skill's GitHub repo. Is it actively maintained? Does the maintainer have a reputation?
  • Audit before install: Review skill source code; look for network requests, file access, eval() usage. If you can't read the code, don't install. "Trust but verify" is the wrong order—verify first.
  • Principle of least privilege: Run agents with minimal permissions; don't grant filesystem access unless the skill requires it. A news digest skill doesn't need Documents access. If it asks for it, be suspicious.
  • Use SecureClaw: Run regularly; treat findings as blocking for production. Fix misconfigurations before they're exploited.
  • Monitor ClawHub announcements: Foundation now works with VirusTotal for skill scanning; check for flagged packages. If a skill you use is flagged, remove it immediately and rotate credentials.

Foundation Response

The OpenClaw Foundation has responded with multiple initiatives. VirusTotal integration scans new skills before they're widely distributed. SecureClaw gives users a self-service audit tool. The Extension Marketplace roadmap includes formal review—skills will be vetted before listing. The days of "anyone can upload anything" are ending.

For now, the responsibility remains with users. The Foundation provides tools; users must use them. Assume risk until the Extension Marketplace launches. When it does, prefer marketplace skills over unvetted ClawHub packages.

Wrapping Up

ClawHavoc demonstrated that agentic supply chain attacks are real and scalable. The OpenClaw Foundation has responded with ClawHub scanning and SecureClaw tooling. Users must remain vigilant: verify skills before installation, run audits, and follow security best practices. OpenClaw Consult provides security assessments for enterprise deployments.

PreviousOpenClaw ClawdTalk: Phone-Based Voice AssistantNextOpenClaw Competitive Intelligence: 3-Agent Market Monitoring