OpenClaw's official marketplace, ClawHub, was the target of a massive supply chain poisoning campaign called ClawHavoc, which disseminated 1,184 malicious "Skills" intended to steal data and create backdoor access on compromised systems. Users can install plugin-like Skills from ClawHub using OpenClaw, a rapidly expanding open-source AI agent platform. Several threat actors registered as marketplace developers in late January 2026.

They started posting trojanized skills in large quantities under the guise of social media tools, productivity tools, and cryptocurrency trading bots. On February 1, 2026, Koi Security first revealed the campaign, naming it "ClawHavoc." The malware was later categorized by Antiy CERT as belonging to the TrojanOpenClaw PolySkill family. By February 5, Antiy researchers had found 1,184 malicious packages connected to 12 publisher accounts, 677 of which were from a single uploader.

Encrypted Data and Associated Decryption Code (Source:antiy) The attackers took advantage of ClawHub's permissive upload policy, which permitted Skills to be published by any GitHub account that was more than a week old. Seven accounts pushed 386 malicious skills on January 31 following rogue uploads on January 27–29; dozens of these remained live with thousands of downloads, even after removals. Data Theft and Backdoor Strategies With the payload hidden in helper code or documentation, each malicious skill was distributed as a ZIP archive with scripts and configuration files.

Three dominant behaviors were identified by Antiy: Description of Behavior Principal Danger ClickFix-style Those who download Under the pretense of updates or fixes, it asks users to download and run external binaries. Malware executed by the user, compromising the entire system. Droppers with a reverse shell releases payloads that connect to servers under the control of the attacker using a reverse shell.

permits ongoing unauthorized access and remote command execution. Direct Scripts for Data Theft runs programs made to instantly gather and steal private information. theft of financial information, tokens, credentials, and other private data.

In one instance, a skill led users to password-protected malware archives and asked them to manually install a component. The victims downloaded a version of Atomic macOS Stealer on macOS, which exfiltrated keychains, crypto wallets, Telegram sessions, SSH keys, and browser credentials to servers under the attacker's control. Upon startup, a fake password input box appears (Source: antiy). Other Skills used Python scripts to retrieve more malware and open reverse shells, or they extracted API keys from local environment files.

These ostensibly innocuous plugins allowed for complete system compromise because AI agents frequently work with elevated privileges, file system access, shell execution, and stored credentials. In order to fool technically proficient users into carrying out commands, ClawHavoc used "ClickFix" social engineering, which involves inserting malicious instructions into extensive documentation files. The campaign revealed flaws in new AI markets, such as quick development cycles and little screening.

Thousands of systems had probably been impacted by the time patches and removals started. Security teams recommend evaluating installed skills, eliminating questionable entries, changing credentials, and implementing endpoint protection that can keep an eye on agent-level activity. Download Remote Control Trojan with Reverse Shell Connection Capability (Source:antiy). These days, ClawHavoc is a prime illustration of AI supply-chain poisoning and the pressing need for more robust market regulation.

X, LinkedIn, and LinkedIn for daily ZeroOwl. To have your stories featured, get in touch with us.