A recent security audit conducted by Koi Security has uncovered 341 malicious skills within ClawHub, a marketplace designed to facilitate the installation of third-party skills for OpenClaw users. This discovery exposes significant supply chain vulnerabilities within the OpenClaw ecosystem, a self-hosted artificial intelligence (AI) assistant formerly known as Clawdbot and Moltbot.
The ClawHavoc Campaign
The analysis, assisted by an OpenClaw bot named Alex, revealed that 335 of these malicious skills employ deceptive prerequisites to install the Atomic Stealer (AMOS), a notorious macOS-targeting malware. This campaign has been aptly named ClawHavoc. Users are lured into installing seemingly legitimate skills—such as solana-wallet-tracker or youtube-summarize-pro—which present professional documentation. However, these documents include a Prerequisites section that instructs users to install additional software, which is, in reality, the AMOS malware.
Diverse Malicious Skill Categories
The malicious skills identified span various categories, including:
– ClawHub Typosquats: Skills with names resembling ClawHub, such as clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, and cllawhub.
– Cryptocurrency Tools: Including Solana wallets and wallet trackers.
– Polymarket Bots: Such as polymarket-trader, polymarket-pro, and polytrading.
– YouTube Utilities: Like youtube-summarize, youtube-thumbnail-grabber, and youtube-video-downloader.
– Auto-Updaters: Including auto-updater-agent, update, and updater.
– Finance and Social Media Tools: Such as yahoo-finance-pro and x-trends-tracker.
– Google Workspace Tools: Claiming integrations with Gmail, Calendar, Sheets, and Drive.
– Ethereum Gas Trackers
– Lost Bitcoin Finders
Additionally, some skills conceal reverse shell backdoors within functional code (e.g., better-polymarket and polymarket-all-in-one) or exfiltrate bot credentials from the ~/.clawdbot/.env file to external webhooks (e.g., rankaj).
Broader Implications and Responses
This development aligns with findings from OpenSourceMalware, which also identified the ClawHavoc campaign targeting OpenClaw users. These malicious skills masquerade as cryptocurrency trading automation tools, delivering information-stealing malware to both macOS and Windows systems. They share a common command-and-control infrastructure and employ sophisticated social engineering tactics to deceive users into executing malicious commands, leading to the theft of crypto assets, exchange API keys, wallet private keys, SSH credentials, and browser passwords.
The root of this issue lies in ClawHub’s open nature, allowing anyone to upload skills with minimal restrictions—currently, only requiring a GitHub account at least one week old. In response, OpenClaw’s creator, Peter Steinberger, has introduced a reporting feature enabling signed-in users to flag suspicious skills. Each user can have up to 20 active reports at a time, aiming to enhance the platform’s security and protect its user base.
Conclusion
The discovery of these 341 malicious skills within ClawHub underscores the critical need for vigilance and robust security measures in open-source platforms. Users are advised to exercise caution when installing third-party skills, thoroughly verifying their legitimacy, and staying informed about potential threats. The proactive steps taken by OpenClaw’s development team to implement reporting mechanisms are commendable, but continuous efforts are essential to safeguard the community against evolving cyber threats.
