A large-scale supply chain poisoning campaign dubbed ClawHavoc has hit OpenClaw’s official skill marketplace, ClawHub, with at least 1,184 malicious “Skills” historically published on the platform.
The incident highlights how fast-growing AI agent ecosystems can become high-value malware distribution channels when plugins are easy to publish and users routinely grant agents broad system access.
OpenClaw (previously known as ClawdBot and Moltbot) is an open-source, cross-platform AI agent that extends capabilities through Skills plugin-style packages that can include configuration, scripts, resources, and documentation.
Attackers exploited this model by registering as ClawHub developers and mass-uploading Skills that appeared legitimate, then using “ClickFix”-style social engineering to persuade victims into running dangerous commands or downloading additional payloads, according to Antiy CERT.
Antiy classified these poisoned packages as Trojan/OpenClaw.PolySkill and noted that products using the Antiy AVL SDK can detect and remove related samples after updates.
| Metric | Reported detail |
|---|---|
| Malicious Skills identified (historical) | 1,184 |
| Malicious author IDs | 12 |
| Top uploader | hightower6eu (677 packages) |
| Platform size after removals | 3,498 Skills (at publication time) |
| Still-accessible set noted by Antiy | 60 packages tied to moonshine-100rze (14,285 downloads) |
How the attack worked
The most effective trick was hiding malicious instructions inside long, credible-looking SKILL.md/README documentation, often hundreds of lines, where “Prerequisites” or “Setup” sections instructed users to “fix” dependencies by copying terminal commands or downloading “helper tools.”
This approach can bypass traditional exploit detection because the victim performs the execution themselves, not via a software vulnerability.
Antiy’s sample analysis describes three common outcomes: staged downloads that fetch and run additional malware, reverse shell behavior embedded in scripts (for example, Python code using system command execution), and direct data theft.
One example disguised as a “weather assistant” allegedly exfiltrated the local OpenClaw configuration file /.clawdbot/.env, which may store API keys for paid AI services.
For macOS, Antiy also linked an observed payload to Atomic macOS Stealer (AMOS), which can steal browser credentials, keychain data, Telegram artefacts, SSH keys, and crypto wallet assets, then compress and send the data to attacker infrastructure.
The published timeline shows the first known malicious Skill appearing on January 27, 2026, followed by a major surge on January 31.
Koi Security publicly disclosed the campaign on February 1, 2026, naming it ClawHavoc, while community and platform responses began removing and hiding Skills, though Antiy warns some packages remained accessible.
OpenClaw users should treat Skills like software installers: remove suspicious Skills, rotate exposed secrets (API keys, tokens, wallet credentials), and review systems for unexpected binaries, scripts, or outbound webhook traffic.
Extra caution is warranted when documentation asks you to run copy-pasted commands, install password-protected archives, or fetch “helpers” from file-sharing and paste sites.
For platform operators, user-reporting is a start, but store-scale defense typically needs layered review: automated static analysis of packages and docs (including URL/command detection), sandbox execution for suspicious Skills, publisher reputation controls, and rapid takedown workflows aligned to supply chain threats (MITRE ATT&CK T1195).
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google
