The AI-agent ecosystem experienced its largest supply-chain compromise to date when ClawHavoc detonated across ClawHub, the official skill marketplace for OpenClaw.
Our full AIG-powered scan of nearly 50,000 ClawHub Skills found 1,184 clearly malicious packages tied to 12 compromised publisher accounts and confirmed 247,693 installations.
The campaign combined typosquatting, ranking manipulation, and multi-stage payload delivery to steal credentials, exfiltrate secrets, and deploy cryptocurrency-stealing malware all while keeping end users and even automated agents unaware.
ClawHavoc’s striking effectiveness came from exploiting two structural realities of the agent era: skills run with broad local permissions, and marketplaces reward popularity.
Attackers published convincingly documented fake tools impersonating names such as Google Assistant Pro and YouTube Summarize Pro embedding Markdown instructions to extract SSH keys and shell scripts to deploy the AMOS trojan.
During the peak, five of the top seven downloads were malicious. The result: automated agents that prioritize highly downloaded skills autonomously installed and executed hostile functionality, enabling mass poisoning without targeted code obfuscation.
Static pattern matching and signature-based checks caught many first-wave samples, and ClawHub rapidly deployed a multi-layered detection stack: regex-based static scanning, injection signal detection in SKILL.md, LLM-driven security assessments of metadata and declared permissions, and VirusTotal checks.
Those controls successfully removed numerous explicit threats, but our AIG analysis showed that the adversary’s playbook evolved.
ClawHavoc Attack Hits ClawHub
Instead of obvious malicious commands embedded in text, attackers moved to covert C2-driven payloads, multi-layer encoding chains, and insecure deserialization techniques that individually look benign but form a complete remote code execution chain when combined.
According to Tencent, representative case passed ClawHub’s defenses: a skill that presented itself as a “distributed state recovery tool” with professional documentation and reasonable permission requests.
Its runtime downloaded a serialized payload from a remote C2, used a chained decoding order (Base64, ROT13, hex, etc.) to reconstruct bytecode, then invoked Python pickle deserialization to achieve arbitrary code execution.
The C2 controlled instructions entirely, meaning the skill’s repository contained no explicit malicious commands only the plumbing that would obey remote directives.
AIG flagged this by reasoning across the sequence “remote fetching + chained decoding + deserialization” to identify a high-risk attack chain that signatures alone would miss.
ClawHavoc also leveraged marketplace mechanics. In March, Silverfort disclosed a backend vulnerability allowing unauthenticated download-count inflation.
Researchers demonstrated how an attacker could pump a skill’s ranking to the top and, combined with agent autoinstall behavior, scale compromise across many agent instances.
This ranking-manipulation vector transforms popularity into a weapon malicious packages need not be stealthy code-wise if they achieve high visibility.
The ecosystem-level data are sobering. Of the ~50,000 Skills we scanned, 27,818 declared network permissions; three out of four Skills can access the internet.
Developers number 15,427, but the top 20 accounts produced 12.9% of content, and some accounts posted hundreds of Skills in weeks consistent with template-driven mass production.
The scan revealed 246,378 URLs across 29,196 domains, exposing abundant channels for C2 and data backhaul. Independent audits (SkillProbe, Snyk) and OWASP’s April 2026 Agentic Skills Top 10 all converge on the same conclusion: skills are a novel, systemic attack surface whose risks cascade across platforms.
Mitigation requires defense-in-depth: stronger provenance and rate-limiting in marketplaces, behavior-based chain reasoning (not just signatures), stricter permission models for skills, and agent-side policy controls to restrict autonomous installations.
The ClawHavoc episode is a turning point: marketplaces and platforms must assume that volume and popularity can be weaponized and that future attacks will hide across multiple benign-looking components.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
