A massive supply-chain attack has been uncovered in the OpenClaw ecosystem. Security researchers found 341 malicious skills on ClawHub distributing infostealing malware to developers.
Last updated: February 5, 2026
Key Takeaways
- 341 malicious skills identified on ClawHub marketplace
- Top downloaded "Twitter" skill contained staged malware delivery
- Attackers targeting developer credentials, crypto wallets, SSH keys
- AMOS (Atomic macOS Stealer) confirmed in payloads
- Campaign dubbed "ClawHavoc" appears to be organized operation
What Happened?
Security researchers from both 1Password and Koi Security have independently confirmed a major security incident affecting the OpenClaw ecosystem.
The attack specifically targets ClawHub, the central skill marketplace for OpenClaw bots. With over 2,800 skills available and minimal vetting processes, attackers found fertile ground for a supply-chain attack.
How the Attack Works
- Malicious skill uploaded to ClawHub with legitimate-looking description
- Prerequisites section instructs users to download a "required dependency"
- Links lead to staged payloads disguised as documentation
- Commands decode obfuscated payloads and execute them
- Final binary steals credentials, tokens, and sensitive data
The sophistication is notable: attackers even remove macOS Gatekeeper quarantine attributes to bypass built-in malware protection.
What Data is at Risk?
The AMOS (Atomic macOS Stealer) malware found in these skills can steal:
- 🔐 Keychain passwords and credentials
- 💰 Cryptocurrency wallet data (60+ wallets supported)
- 🌐 Browser profiles from all major browsers
- 💬 Telegram sessions
- 🔑 SSH keys and shell history
- 📁 Files from Desktop and Documents
- 🍪 Browser cookies and saved sessions
For developers, this is catastrophic. A single infected skill can compromise your GitHub tokens, AWS credentials, production database access, and more.
Categories Targeted
The ClawHavoc campaign impersonated high-demand utilities:
| Category | Malicious Skills | Examples |
|---|---|---|
| Crypto utilities | 111 | Solana trackers, Phantom wallet tools |
| YouTube tools | 57 | Video summarizers, downloaders |
| Prediction markets | 34 | Polymarket bots |
| Auto-updaters | 28 | System security tools (ironic) |
| Finance/Social | 51 | Yahoo Finance, X/Twitter trackers |
| Google Workspace | 17 | Docs and email integrations |
Attackers also deployed typosquatting with lookalike packages: clawhubb, clawhub-cli, cllawhub.
Why Skills Are Dangerous
As 1Password security researcher explained:
"Skills are just markdown files. That sounds harmless until you remember how agents actually consume documentation. Markdown is not content in an agent ecosystem. Markdown is an installer."
The danger is that skills can bypass Model Context Protocol (MCP) safety controls entirely. They can:
- Include shell commands directly in setup instructions
- Bundle executable scripts alongside documentation
- Route around tool permissions through social engineering
- Normalize risky behavior by presenting malware as "standard install steps"
What You Should Do Now
If You Use OpenClaw
- Do NOT run OpenClaw on company devices - there is no safe way to do this
- If you already did, treat it as a potential security incident
- Rotate all credentials immediately:
- Browser sessions
- Developer tokens (GitHub, AWS, etc.)
- SSH keys
- Cloud console sessions
- Review recent sign-ins for all accounts
- Use Koi Security Clawdex for skill scanning
Check Your Installed Skills
Review any skills you have installed. Look for:
- Prerequisites requiring downloads from non-official sources
- Password-protected ZIP files
- Obfuscated shell commands
- Links to
glot.ioor unfamiliar IPs
Safer Alternatives to Consider
If you need AI automation without the security risk of unvetted skill marketplaces:
| Solution | Security Model | Best For |
|---|---|---|
| Serenities AI | Cloud-based, no local execution | Teams needing secure automation |
| Claude Pro | Direct API access | Individual developers |
| Custom MCP servers | Self-hosted, vetted | Enterprise security needs |
Serenities AI in particular offers automation capabilities similar to OpenClaw but without requiring local system access or third-party skill installations. Your data stays in a controlled environment with enterprise-grade security.
Timeline
- January 27, 2026: OpenClaw/Clawdbot hits 100K GitHub stars
- January 28-30, 2026: Initial security concerns raised about exposed instances
- February 3, 2026: 1Password publishes initial warning about agent security
- February 5, 2026: Full scope revealed - 341 malicious skills confirmed
The Bigger Picture
This incident highlights a fundamental problem with AI agent ecosystems: the attack surface expands with every capability added.
When an AI agent can:
- Access your filesystem
- Execute shell commands
- Browse the web
- Manage your credentials
...every "skill" becomes a potential attack vector.
The solution is not to stop building agents. The solution is to build them with security-first architecture:
- Sandboxed execution environments
- Explicit permission models
- Auditable action logs
- Centralized credential management
Sources
- 1Password Security Blog - "From Magic to Malware"
- Koi Security - ClawHavoc Campaign Report
- CyberInsider - 341 Skills Distribution Analysis
- VirusTotal - Malware Confirmation
This article will be updated as more information becomes available. Follow us for the latest AI security news.