A large-scale supply chain poisoning campaign that targeted OpenClaw’s official marketplace, ClawHub, distributing 1,184 malicious “Skills” designed to steal data and establish backdoor access on compromised systems.
OpenClaw, a fast-growing open-source AI agent platform, enables users to install plugin-like Skills from ClawHub.
In late January 2026, multiple threat actors registered as marketplace developers. They began mass-uploading trojanized Skills disguised as crypto trading bots, productivity tools, and social media utilities.
The campaign was first disclosed by Koi Security on February 1, 2026, which named it “ClawHavoc.” Antiy CERT later classified the malware as the TrojanOpenClaw PolySkill family.
By February 5, Antiy researchers identified 1,184 malicious packages linked to 12 publisher accounts, with one uploader responsible for 677 packages alone.
Attackers exploited ClawHub’s permissive upload model, which allowed any GitHub account older than one week to publish Skills.
After rogue uploads on January 27–29, seven accounts pushed 386 malicious Skills on January 31, despite removals, dozens stayed live with thousands of downloads.
Data Theft and Backdoor Tactics
Each malicious Skill was delivered as a ZIP archive containing configuration files and scripts, with the payload concealed in documentation or helper code.
Antiy identified three dominant behaviors:
| Behavior | Description | Primary Risk |
|---|---|---|
| ClickFix-style Downloaders | Prompts users to download and execute external binaries under the guise of fixes or updates. | User-initiated malware execution leading to full system compromise. |
| Reverse-Shell Droppers | Deploys payloads that establish reverse shell connections to attacker-controlled servers. | Enables remote command execution and persistent unauthorized access. |
| Direct Data-Stealing Scripts | Executes scripts designed to immediately collect and exfiltrate sensitive data. | Theft of credentials, tokens, financial data, and other confidential information. |
In one case, a Skill instructed users to manually install a component, redirecting them to password-protected malware archives.
On macOS, victims downloaded a variant of Atomic macOS Stealer that exfiltrated browser credentials, SSH keys, Telegram sessions, crypto wallets, and keychains to attacker-controlled servers.
Other Skills harvested API keys from local environment files or executed Python scripts to fetch additional malware and open reverse shells.
Because AI agents often operate with elevated privileges, file system access, shell execution, and stored credentials, these seemingly harmless plugins enabled full system compromise.
ClawHavoc leveraged “ClickFix” social engineering, embedding malicious instructions within lengthy documentation files to trick technically skilled users into executing commands.
The campaign exposed weaknesses in emerging AI marketplaces, including minimal vetting and rapid development cycles. By the time patches and removals began, thousands of systems had likely been affected.
Security teams advise reviewing installed Skills, removing suspicious entries, rotating credentials, and deploying endpoint protection that can monitor agent-level activity.
ClawHavoc now stands as a clear example of AI supply-chain poisoning and the urgent need for stronger marketplace governance.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
