ClawHub, the official skill marketplace for OpenClaw, an open-source AI agent formerly known as ClawdBot and Moltbot, has been compromised by a massive supply chain attack known as ClawHavoc This article explores malware openclaw. . At least 1,184 malicious "Skills" plugin-style packages that increase the agent's functionality through scripts, configurations, and resources were discovered by researchers.

By posing as developers and flooding the platform with these tainted uploads, attackers transformed a rapidly expanding AI ecosystem into a hub for the spread of malware. Although OpenClaw makes it simple for users to improve AI agents, this transparency backfired. Using social engineering techniques like "ClickFix" prompts, malicious authors concealed threats in skills that appeared to be legitimate. The victims saw lengthy, believable README or SKILL.md files with "Prerequisites" sections that encouraged them to download "helper tools" from dubious websites or copy-paste terminal commands.

Because users executed the code themselves, this self-execution evaded detection by conventional exploit detection. The malware was categorized by Antiy as Trojan/OpenClaw.PolySkill, which can be found using their updated AVL SDK. The scale is revealed by key metrics: Report on Metrics Specifics 1,184 malicious skills were found in the past.

Top uploader hightower6eu (677 packages) has 12 malicious author IDs. 3,498 is the platform size after removals. Ability 60 packages linked to moonshine-100rze are still available (14,285 downloads). On January 27, 2026, the campaign began with the first malicious skill, and on January 31, it took off.

On February 1, Koi Security gave it the name ClawHavoc, which led to its removal, though some packages persisted. Impacts and Attack Mechanisms Attackers used three primary methods to embed payloads, according to Antiy CERT: direct data grabs, reverse shells using Python system calls, and staged downloads that pulled additional malware.

Starting an Input Box with a False Password (Source:antiy) For example, OpenClaw's /.clawdbot/.env file was stolen by a phony "weather assistant" Skill, which may have revealed API keys for premium AI services. One payload connected to the updated Atomic macOS Stealer (AMOS) on macOS stole crypto wallets, SSH keys, Telegram data, browser credentials, and keychains before compressing and transferring them to the attacker's servers. Some launched remote control Trojans with reverse shells or phony password boxes, while encrypted data blobs included a decryption code.

This made persistence, data theft, and backdoor access possible. Get the Reverse Shell Connection Capable Remote Control Trojan (Source: antiy). Wide-ranging agent permissions put users at serious risk.

OpenClaw operators should rotate wallet credentials and API keys, look for unusual binaries, scripts, or webhook traffic, and scan for suspicious Skills. Steer clear of password-protected zip files, copy-pasted commands, and file-sharing website downloads. User reports are not enough for platform defenses.

According to MITRE ATT&CK T1195 (Supply Chain Compromise), experts advise automated static analysis for packages and documents scanning URLs and commands, as well as sandbox testing, publisher reputation scores, and fast takedowns. The vulnerabilities of AI agents are highlighted by this incident. Lax review and easy publishing combine to increase risks as ecosystems grow. ClawHub decreased to 3,498 Skills after cleanup, but traces such as moonshine-100rze's 60 packages with 14,285 downloads indicate persistent risks.

Keep an eye out and treat Skills like unreliable installers. Make ZeroOwl a Google Preferred Source.