Back to all articles

ClawHavoc: Mapping the Malicious Skill Wave on ClawHub

The OpenClaw ecosystem is currently facing its most significant security challenge to date. A coordinated campaign, dubbed "ClawHavoc", has flooded ClawHub—the official marketplace for OpenClaw skills—with over a thousand malicious plugins designed to exfiltrate sensitive user data.

If you are an OpenClaw user who frequently installs third-party skills, this is a critical update you cannot afford to ignore.

What is the ClawHavoc Campaign?

Starting in late January 2026 and peaking in early February, threat actors began a massive effort to "poison" the ClawHub marketplace. Security researchers have identified hundreds of malicious skills that masquerade as legitimate automation tools.

Unlike traditional exploits that rely on code vulnerabilities, ClawHavoc primarily uses social engineering. The skills are designed to look useful, often promising:

  • Advanced Cryptocurrency Trading Automation
  • YouTube Content Summarizers & Utilities
  • Auto-Updaters for OpenClaw Core
  • Enhanced Multi-Platform Messaging Hooks

The Mechanics of the Attack

The attack typically follows a sophisticated pattern:

  1. Installation: A user finds a popular-sounding skill on ClawHub and installs it.
  2. The "Prerequisite" Trick: Once installed, the skill informs the user that they need to install "prerequisites" or "drivers."
  3. User Execution: The user is guided to download a password-protected ZIP file or execute a shell command from an untrusted URL.
  4. Malware Deployment: This "prerequisite" is actually a variant of the Atomic Stealer (AMOS) malware, which is capable of infecting both macOS and Windows systems.

By tricking the user into manually running the malicious code, the attackers bypass most traditional sandbox protections.

What is at Risk?

The primary objective of the ClawHavoc campaign is credential harvesting and asset theft. The malware specifically targets:

  • OpenClaw API Keys: This allows attackers to take control of your agent and its connected accounts.
  • Cryptocurrency Assets: The stealer scans for wallet private keys, mnemonic phrases, and exchange API keys.
  • Browser Metadata: Cookies, saved passwords, and credit card details are scooped up from Chrome, Safari, and Firefox.
  • Messaging Data: Credentials and session logs for Telegram, Discord, and Slack are high-priority targets.
  • SSH Keys: Access to your servers and development machines.

OpenClaw’s Response: Partnership with VirusTotal

In response to the crisis, the OpenClaw team has taken aggressive steps to clean up ClawHub. The most significant development is a new partnership with VirusTotal.

Every skill published to ClawHub is now automatically scanned using VirusTotal's advanced threat intelligence and "Code Insight" capabilities. This layer of security is designed to flag malicious behavior before a skill ever reaches the end-user.

Additionally, a new "Report Skill" feature has been implemented, allowing the community to crowdsource the identification of suspicious behavior.

How to Stay Safe

While the platform is becoming more secure, the fundamental nature of the OpenClaw "skill" system requires user vigilance. We recommend the following:

  1. Isolated Environments: Run your OpenClaw instances in an isolated VM or a hardened Docker container. Never run your agent on your primary machine with access to your root filesystem.
  2. Dedicated Credentials: Use dedicated API keys and credentials for your AI agent that are separate from your personal or business accounts.
  3. Vetting is Mandatory: Review the permissions requested by a skill before installing it. If a "YouTube Summarizer" asks for permission to execute shell scripts, it is a major red flag.
  4. Trust Verified Publishers: Prioritize skills from developers with a long-standing history and verified GitHub profiles.
  5. Clean Scan != Safe: Remember that a "Clean" scan from an automated tool is not a 100% guarantee of safety. Social engineering tactics are evolved specifically to bypass these scans.

Conclusion

The ClawHavoc campaign is a reminder that the power of local AI agents comes with the responsibility of robust security management. As the ecosystem matures, the focus must shift from "what can I automate?" to "how can I automate securely?"

For a detailed comparison of wrappers that offer built-in security and managed sandboxing, visit our Wrapper Comparison Page.

By CompareClaw TeamUpdated Mar 2026