clawsmith.com/signal/clawhavoc-1184-malicious-clawhub-skills
Issue | Competitive | ClawHub Skill | Live

ClawHavoc Campaign: 824+ Malicious ClawHub Skills, 12% of Marketplace Is Malware

Of the initial 2,857 skills, 341 were confirmed malicious (12%). As the marketplace grew to 10,700+ skills, the malicious count rose to 824, with 25 new attack types. The malicious skills include keyloggers, credential stealers, prompt injection payloads, and crypto stealers.

Product Idea from this Signal

A security layer that vets ClawHub skills for malware and prompt injection before your agent installs them

133.9k

ClawHub grew 380% to 13,729 skills in Q1 2026. Snyk found 36% contain prompt injection and 1,467 carry malicious payloads. The ClawHavoc campaign planted 1,184 weaponized skills in the marketplace. VirusTotal integration catches known malware but misses novel prompt injection, data exfiltration via tool outputs, and social engineering patterns unique to AI agent skills. This tool performs deep behavioral analysis of every skill before installation, catching threats that signature-based scanners miss.

SECURITY | CLI | DEVTOOL | OPEN-SOURCE
Competitive
Product Idea from this Signal

A pre-install verification gate that formally proves an AI agent skill cannot exceed its declared capabilities before allowing it onto your system

13.0k

26.1% of agent skills across major registries have at least one security vulnerability according to a 42,447-skill empirical study. Snyk found 13.4% of ClawHub skills contain critical issues. Current scanners use pattern matching and heuristics, which miss novel attack vectors. This tool uses formal verification to mathematically prove that a skill's actual behavior matches its declared capability set, blocking installation if the proof fails. It sits as a pre-install gate in the OpenClaw skill lifecycle.

CLI | OPEN-SOURCE | SECURITY | DEVTOOL | FORMAL-VERIFICATION
Competitive
Product Idea from this Signal

A runtime behavioral sandbox that detects guidance injection attacks in OpenClaw skills by observing what agents actually do instead of scanning what skills say

17.6k

Existing OpenClaw skill scanners use static analysis and LLM-based content scanning to flag malicious skills before installation. The Trojan's Whisper paper (March 2026) proved that 94% of guidance injection attacks evade both approaches because the malicious payload is disguised as routine operational guidance, not explicit instructions. Meanwhile, 12% of ClawHub's skill registry has been compromised at some point in 2026. The gap is clear. Instead of scanning skill text, this product spins up an isolated OpenClaw instance, installs the skill, runs a battery of natural user prompts, and observes what the agent actually does. Credential access, file writes outside the sandbox, network exfiltration, and privilege escalation attempts all get flagged as behavioral anomalies, regardless of how the skill's guidance file describes them.

CLI | OPEN-SOURCE | SECURITY | DEVTOOL | RUNTIME-ANALYSIS
Competitive

Score Breakdown

HN: 2,880
BLOG: 2,720
Reddit: 2,340

Gap Assessment

Competitive: Market has established players

VirusTotal is live in ClawHub, and 5+ dedicated scanners (SecureClaw, clawvet, Cisco, openclaw-security-monitor, Clawned.io) are already deployed.
