ClawHavoc Poisons OpenClaw’s ClawHub With 1,184 Malicious Skills
Researchers uncovered at least 1,184 malicious “Skills” plugin-style packages that extend the agent’s capabilities through scripts, configs, and resources.
Attackers registered as developers and flooded the platform with these poisoned uploads, turning a fast-growing AI ecosystem into a malware distribution hub.
OpenClaw lets users enhance AI agents easily, but this openness backfired. Malicious authors hid threats in seemingly legitimate Skills, using social engineering tricks like “ClickFix” prompts.
Victims saw a long, credible README or SKILL.md files with “Prerequisites” sections urging them to copy-paste terminal commands or download “helper tools” from shady sites.
This self-execution dodged traditional exploit detection, as users ran the code themselves.
Antiy classified the malware as Trojan/OpenClaw.PolySkill, detectable via their updated AVL SDK. Key metrics reveal the scale:
| Metric | Reported Detail |
|---|---|
| Malicious Skills identified (historical) | 1,184 |
| Malicious author IDs | 12 |
| Top uploader | hightower6eu (677 packages) |
| Platform size after removals | 3,498 Skills |
| Still-accessible set | 60 packages tied to moonshine-100rze (14,285 downloads) |
The campaign kicked off with the first malicious Skill on January 27, 2026, surging on January 31.
Koi Security named it ClawHavoc on February 1, prompting removals, though some packages lingered.
According to Antiy CERT, Attackers embedded payloads in three main ways: staged downloads pulling extra malware, reverse shells via Python system calls, and direct data grabs.
A fake “weather assistant” Skill, for instance, stole OpenClaw’s /.clawdbot/.env file, potentially exposing API keys for paid AI services.
On macOS, one payload tied to the upgraded Atomic macOS Stealer (AMOS) snatched browser credentials, keychains, Telegram data, SSH keys, and crypto wallets, compressing and exfiltrating them to attacker servers.
Encrypted data blobs came with decryption code, while others launched fake password boxes or remote control Trojans with reverse shells. This granted backdoor access, data theft, and persistence.
Users face real risks from broad agent permissions. OpenClaw operators should scan for suspicious Skills, rotate API keys and wallet credentials, and check for odd binaries, scripts, or webhook traffic. Avoid copy-pasted commands, password-protected zips, or downloads from file-sharing sites.
Platform defenses need more than user reports. Experts recommend automated static analysis for packages and docs scanning URLs and commands, plus sandbox testing, publisher reputation scores, and quick takedowns per MITRE ATT&CK T1195 (Supply Chain Compromise).
This incident spotlights AI agent vulnerabilities. As ecosystems boom, easy publishing meets lax review, amplifying threats.
ClawHub shrank to 3,498 Skills post-cleanup, but remnants like moonshine-100rze’s 60 packages with 14,285 downloads show ongoing dangers. Stay vigilant: treat Skills like untrusted installers.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post ClawHavoc Poisons OpenClaw’s ClawHub With 1,184 Malicious Skills appeared first on Cyber Security News.
The list of nominees for the 2026 Will Eisner Comic Industry Awards has been revealed.…
A newly uncovered malware framework is raising serious alarms across the cybersecurity community. Researchers have…
A widely used JavaScript inter-process communication library has been weaponized again. Socket and Stepsecurity have…
Security researchers at Calif, a Palo Alto-based cybersecurity firm, have used techniques derived from an…
A sprawling supply chain attack has put software developers worldwide on high alert after hackers…
Enterprise email infrastructure remains one of the most critical and vulnerable targets for cybercriminals. A…
This website uses cookies.