ClawHub Security Incident - Analysis of 341 Malicious Skills

Basic Information

• Incident Name: ClawHavoc - ClawHub Malicious Skill Supply Chain Attack
• Discovery Time: February 2026
• Discoverer: Koi Security
• Affected Platform: OpenClaw ClawHub Skill Marketplace
• Type: Supply Chain Security Incident/Malware Analysis
• Reference Sources: The Hacker News, eSecurity Planet, PointGuard AI

Incident Description

Koi Security conducted a comprehensive audit of all 2,857 skills on ClawHub and identified 341 malicious entries. Among these, 335 were traced back to a coordinated attack campaign named ClawHavoc. Subsequent scans reported that the number of malicious skills had exceeded 800, accounting for approximately 20% of the entire registered library. Attackers meticulously disguised malicious skills as popular tools, including cryptocurrency wallets, Polymarket trading bots, YouTube tools, auto-updaters, and Google Workspace integrations.

Attack Details

• Attack Scale: Initially discovered 341 malicious skills, later expanded to over 1,184
• Attack Targets: macOS and Windows systems, focusing on users running OpenClaw continuously (e.g., Mac mini dedicated servers)
• Attack Methods:
• Stealing OpenClaw bot credentials (from configuration files such as ~/.clawdbot/.env)
• Exfiltrating data via external Webhook services
• Disguising Polymarket tools to execute hidden commands, opening reverse shells
• Gaining full remote control of victim systems
• Deploying malware such as Atomic macOS Stealer
• Intrusion Threshold: ClawHub defaults to open uploads, only requiring publishers to have a GitHub account older than one week

Key Findings

• 12% of ClawHub marketplace skills were malware (initial scan)
• Subsequent scans showed the proportion rising to approximately 20%
• Malicious skills primarily delivered Atomic macOS Stealer
• Attackers could gain full control of victim systems via reverse shells
• A compromised agent could serve as a pivot point for full account takeover and long-term analysis

Response Measures

• OpenClaw team issued a ClawHavoc security alert (GitHub Discussion #7606)
• OpenClawd introduced a Verified Skill Screening mechanism
• OpenClaw integrated VirusTotal malware scanning
• Community called for enhanced skill review and publisher verification

Industry Impact

• Gartner classified OpenClaw as an "unacceptable cybersecurity liability"
• Recommended enterprises "immediately block OpenClaw downloads and traffic"
• 53% of enterprise customers granted OpenClaw privileged access within one weekend (Noma report)
• Sparked widespread discussion on AI agent supply chain security

Relationship with the OpenClaw Ecosystem

This incident represents one of the most severe security threats faced by the OpenClaw ecosystem, directly exposing the fundamental security flaws of ClawHub's open marketplace model. The event accelerated the deployment of security measures such as skill verification mechanisms and malware scanning, prompting the industry to re-examine the supply chain security models of AI agent platforms.