A massive supply chain attack dubbed ClawHavoc has compromised ClawHub, the official skill marketplace for OpenClaw, an open-source AI agent platform formerly known as ClawdBot and Moltbot. Researchers have uncovered at least 1,184 malicious “Skills”—plugin-style packages that extend the agent’s capabilities—turning a rapidly growing AI ecosystem into an active malware distribution hub.
The Attack at a Glance
According to Antiy CERT analysis, attackers registered as legitimate developers and systematically flooded the platform with poisoned uploads. The campaign kicked off on January 27, 2026, with activity surging on January 31st. Koi Security officially named the campaign “ClawHavoc” on February 1st, prompting removal efforts—though some malicious packages persisted.
Key metrics reveal the scale of the operation:
- 1,184 malicious Skills identified historically
- 12 malicious author IDs detected
- hightower6eu: Top malicious uploader with 677 packages
- 3,498 Skills remain on the platform after removals
- 60 packages from author “moonshine-100rze” still accessible (14,285 downloads)
Social Engineering: The ClickFix Technique
OpenClaw allows users to enhance AI agents through third-party Skills, but this openness became a vulnerability. Malicious authors disguised threats within seemingly legitimate Skills, employing social engineering tricks like “ClickFix” prompts.
Victims encountered detailed README or SKILL.md files with convincing “Prerequisites” sections that urged them to copy-paste terminal commands or download “helper tools” from malicious sites. By tricking users into self-executing the payload, attackers bypassed traditional exploit detection entirely.
Payload Delivery Methods
Antiy classified the malware family as Trojan/OpenClaw.PolySkill. Attackers embedded payloads through three primary vectors:
- Staged downloads: Initial Skills pulled additional malware from external servers
- Reverse shells: Python system calls establishing persistent backdoor access
- Direct data exfiltration: Immediate theft of sensitive files and credentials
One example involved a fake “weather assistant” Skill that stole OpenClaw’s /.clawdbot/.env file—potentially exposing API keys for paid AI services and cloud platforms.
macOS Users Hit by AMOS Stealer
On macOS systems, researchers identified payloads linked to an upgraded version of the Atomic macOS Stealer (AMOS). This infostealer targeted:
- Browser credentials and cookies
- macOS Keychain data
- Telegram session files
- SSH keys
- Cryptocurrency wallet files
Stolen data was compressed and exfiltrated to attacker-controlled servers, with some payloads including encrypted data blobs alongside decryption routines.
Why It Matters
This incident highlights a critical vulnerability in the rapidly expanding AI agent ecosystem. As platforms like OpenClaw prioritize ease of publishing and installation, the lack of rigorous review processes creates fertile ground for supply chain attacks.
The broad permissions granted to AI agents amplify the risk—once installed, a malicious Skill can access sensitive environment variables, execute arbitrary code, establish persistent backdoors, and exfiltrate data before users realize anything is wrong.
Recommendations
For OpenClaw Users:
- Audit installed Skills for suspicious code or behaviors
- Rotate API keys and wallet credentials immediately
- Monitor for unusual binaries, scripts, or outbound webhook traffic
- Avoid copy-pasted terminal commands from documentation
- Be wary of password-protected archives and file-sharing downloads
For Platform Operators:
- Implement automated static analysis for uploaded packages
- Scan documentation for malicious URLs and commands
- Deploy sandbox testing for new Skills
- Establish publisher reputation scoring systems
- Enable rapid takedown capabilities per MITRE ATT&CK T1195 (Supply Chain Compromise)
The Bottom Line
While ClawHub has shrunk to 3,498 Skills following cleanup efforts, remnants of the campaign persist. The moonshine-100rze author’s 60 remaining packages with over 14,000 downloads demonstrate ongoing dangers. Treat third-party AI Skills with the same caution as untrusted software installers—because that’s exactly what they are.
Source: Cyber Press
