Massive ClawHavoc Attack Compromises OpenClaw’s ClawHub with Over 1,100 Malicious Skills
In a significant cybersecurity incident, the ClawHavoc campaign has infiltrated OpenClaw’s official marketplace, ClawHub, by distributing 1,184 malicious Skills. These compromised plugins are designed to steal sensitive data and establish unauthorized backdoor access on affected systems.
Understanding OpenClaw and ClawHub
OpenClaw is an emerging open-source AI agent platform that allows users to enhance functionality by installing plugin-like Skills from its marketplace, ClawHub. This ecosystem enables users to integrate various tools and utilities seamlessly.
The Onset of ClawHavoc
In late January 2026, multiple threat actors registered as developers on ClawHub. They began mass-uploading trojanized Skills disguised as crypto trading bots, productivity tools, and social media utilities. This large-scale supply chain poisoning campaign was first disclosed by Koi Security on February 1, 2026, and was subsequently named ClawHavoc. Antiy CERT later classified the malware associated with this campaign as the TrojanOpenClaw PolySkill family.
By February 5, Antiy researchers identified 1,184 malicious packages linked to 12 publisher accounts, with one uploader responsible for 677 packages alone. The attackers exploited ClawHub’s permissive upload model, which allowed any GitHub account older than one week to publish Skills. Following rogue uploads on January 27–29, seven accounts pushed 386 malicious Skills on January 31. Despite efforts to remove these malicious entries, dozens remained live, accumulating thousands of downloads.
Mechanisms of Data Theft and Backdoor Access
Each malicious Skill was delivered as a ZIP archive containing configuration files and scripts, with the payload concealed within documentation or helper code. Antiy identified three primary behaviors exhibited by these malicious Skills:
1. ClickFix-style Downloaders: These prompt users to download and execute external binaries under the guise of fixes or updates, leading to user-initiated malware execution and potential full system compromise.
2. Reverse-Shell Droppers: These deploy payloads that establish reverse shell connections to attacker-controlled servers, enabling remote command execution and persistent unauthorized access.
3. Direct Data-Stealing Scripts: These execute scripts designed to immediately collect and exfiltrate sensitive data, resulting in the theft of credentials, tokens, financial data, and other confidential information.
In one instance, a Skill instructed users to manually install a component, redirecting them to password-protected malware archives. On macOS systems, victims downloaded a variant of Atomic macOS Stealer, which exfiltrated browser credentials, SSH keys, Telegram sessions, cryptocurrency wallets, and keychains to attacker-controlled servers.
Other Skills harvested API keys from local environment files or executed Python scripts to fetch additional malware and open reverse shells. Given that AI agents often operate with elevated privileges, file system access, shell execution capabilities, and stored credentials, these seemingly harmless plugins enabled full system compromise.
Exploitation of Social Engineering Tactics
ClawHavoc leveraged ClickFix social engineering techniques by embedding malicious instructions within lengthy documentation files. This approach tricked technically skilled users into executing commands, thereby facilitating the installation of malware. The campaign exposed significant weaknesses in emerging AI marketplaces, including minimal vetting processes and rapid development cycles. By the time patches and removals were initiated, thousands of systems had likely been affected.
Recommendations for Mitigation
Security teams advise users to review installed Skills, remove any suspicious entries, rotate credentials, and deploy endpoint protection solutions capable of monitoring agent-level activity. The ClawHavoc incident serves as a stark reminder of the vulnerabilities inherent in AI supply chains and underscores the urgent need for stronger marketplace governance and security measures.
