The ClawHub Incident: How 341 Malicious Skills Slipped Into the Largest Curated Registry
A postmortem of the ClawHavoc campaign — how attackers planted 341 malicious skills on ClawHub distributing Atomic macOS Stealer, bypassed curation with week-old GitHub accounts, and what the expanding 1,184+ skill breach means for trust in AI agent marketplaces.
12% of ClawHub Was Malware
On February 1, 2026, Koi Security researcher Oren Yomtov published findings from a complete audit of ClawHub, the official skill marketplace for the OpenClaw AI agent. Of 2,857 skills available at the time, 341 were malicious. That is 11.9% of the entire registry. Of those, 335 were traced to a single coordinated campaign now tracked as ClawHavoc.
The payload: Atomic macOS Stealer (AMOS), a commodity infostealer that harvests browser credentials, keychain passwords, cryptocurrency wallets, SSH keys, and Telegram session data. The campaign targeted an estimated 300,000 OpenClaw users. By February 16, a follow-up scan found the number had grown to 824 malicious skills across a registry that had itself expanded to 10,700+. Antiy Labs ultimately catalogued 1,184 malicious skills historically published to ClawHub.
This is the postmortem. What happened, how it happened, and what the broader agent skills ecosystem should learn from it.
Timeline
January 27, 2026 — The first malicious skill appears on ClawHub. It is not flagged.
January 31 — Upload volume surges. A single actor using the ID hightower6eu begins mass-uploading skills across every ClawHub category. This account will eventually publish 677 malicious packages — the most of any single attacker in the campaign. Seven threat actors collectively upload 386 coordinated skills in the initial wave.
February 1 — Koi Security names the campaign ClawHavoc. Yomtov's disclosure identifies 341 malicious skills. ClawHub begins removing flagged entries, though some linger due to manual review backlogs.
February 5 — Independent scanning confirms 341 malicious skills in the first systematic sweep.
February 7 — OpenClaw announces a partnership with VirusTotal to scan every skill published to ClawHub. Over 3,016 samples are analyzed. Confirmed malicious skills are removed. Daily re-scanning is introduced.
February 12 — OpenClaw releases version 2026.2.12, patching 40+ vulnerabilities including mandatory browser authentication and SSRF deny policies.
February 15 — A follow-up scan finds the malicious count has grown to 800+. The ClawHavoc campaign has expanded into approximately 25 new attack categories including browser automation agents, coding assistants, LinkedIn integrations, PDF tools, and fake security-scanning skills.
February 16 — Confirmed malicious skills reach 824 across a registry of 10,700+ skills. The contamination rate has dropped from 11.9% to approximately 7.7%, but the absolute number has more than doubled.
February 17 — Separately, the Cline CLI 2.3.0 supply chain attack is discovered, silently installing OpenClaw on approximately 4,000 developer machines during an eight-hour window. The two incidents are not directly linked but compound the trust crisis in the agent tooling ecosystem.
February 25 — Oasis Security discloses the ClawJacked flaw. OpenClaw patches it within 24 hours in version 2026.2.25.
What the Malicious Skills Did
The 335 ClawHavoc skills followed a consistent pattern. Each posed as a legitimate utility — names like solana-wallet-tracker, youtube-summarize-pro, calendar-sync-pro, file-manager-plus, and polymarket-trader. The names targeted what developers actually search for.
The skills used professional documentation. The SKILL.md files looked well-structured and harmless. The attack was in the Prerequisites section.
The ClickFix 2.0 Technique
ClawHavoc pioneered what researchers now call ClickFix 2.0 — a social engineering technique that exploits AI agents as trusted intermediaries. Traditional ClickFix attacks trick users into copying and executing commands from a web page. ClickFix 2.0 fabricates "prerequisite installation requirements" inside SKILL.md, so the AI agent itself presents the fake setup dialog to the user.
The user trusts the agent. The agent trusts the skill. The skill says: "This skill requires a runtime component. Please run the following command to install it." The command downloads and executes AMOS.
On macOS, the payload snatched browser credentials, keychains, Telegram data, SSH keys, and crypto wallet files, compressed them, and exfiltrated them to attacker-controlled servers. The hightower6eu account alone accumulated nearly 7,000 downloads across its 677 malicious skills.
Three Payload Delivery Methods
Beyond the ClickFix 2.0 approach, Antiy Labs identified three distinct embedding techniques:
- Staged downloads — The SKILL.md instructs the agent to download and execute a secondary payload. The initial skill contains no overtly malicious code.
- Reverse shells via Python system calls — Auxiliary scripts in the skill package open a reverse shell to attacker infrastructure. The SKILL.md merely triggers execution of these scripts.
- Direct data grabs — The skill instructs the agent to read sensitive files (
~/.ssh/id_rsa,~/.aws/credentials,.env) and include the contents in output or POST them to an external URL.
Additionally, some ClawHavoc skills targeted persistence — modifying OpenClaw's SOUL.md and MEMORY.md configuration files to plant instructions for future sessions, a technique that survives skill removal.
How They Bypassed Curation
The core problem: ClawHub was not curated. Despite branding itself as a marketplace, the only requirement to publish a skill was a GitHub account at least one week old.
No code review. No automated scanning. No behavioral analysis. No manual approval queue. The "curation" was the GitHub account age requirement — a barrier that costs an attacker seven days of patience and nothing else.
The attackers exploited this in several ways:
Volume flooding. Seven accounts uploaded 386 skills in the initial wave. By spreading across every category, they ensured that anyone browsing ClawHub for any purpose would encounter malicious options.
Name squatting. Skills were named after popular tools and use cases — crypto trading, YouTube summarization, calendar management. They ranked well in ClawHub searches because ClawHub's ranking algorithm weighted recency and category coverage.
Professional presentation. Each SKILL.md had clean formatting, structured sections, and plausible descriptions. The malicious payload was embedded in a "Prerequisites" section that blended naturally with legitimate setup instructions.
Comment-based pivots. After the initial SKILL.md campaign was flagged, attackers pivoted to posting malicious commands in ClawHub skill-page comments, disguised as "update service" instructions. This bypassed SKILL.md-focused scanning.
The gap between "curated marketplace" branding and actual security infrastructure was the root vulnerability. Users assumed curation meant safety. It did not.
The Parallel: Cline CLI 2.3.0
Ten days after the ClawHavoc disclosure, a separate supply chain attack hit the broader agent ecosystem. On February 17, 2026, a malicious version of the Cline CLI — cline@2.3.0 — was published to npm. It silently installed OpenClaw on every machine that updated during an eight-hour window.
The attack chain, dubbed Clinejection by researcher Adnan Khan, is worth examining because it demonstrates a different class of supply chain risk: AI agents attacking AI agents.
Khan discovered that Cline's GitHub Actions workflow used Claude to triage incoming issues. A prompt injection in an issue title could trick Claude into running npm install from an attacker-controlled commit. The malicious preinstall script deployed a cache-poisoning tool called Cacheract, which eventually exfiltrated NPM_RELEASE_TOKEN and VSCE_PAT credentials from the CI pipeline. The attacker used these to publish cline@2.3.0.
Khan had responsibly disclosed this vulnerability on January 1, 2026 — 47 days before exploitation. Cline did not patch until after public disclosure and active exploitation.
The Cline incident and ClawHavoc are not directly connected, but they share a common failure mode: the AI agent tooling ecosystem moved faster than its security infrastructure. ClawHub launched a marketplace without scanning. Cline gave an AI agent CI/CD credentials without hardened guardrails. Both assumptions — "the marketplace is safe" and "the CI bot is safe" — collapsed within the same month.
OpenClaw's Response
Credit where due: OpenClaw's response, once triggered, was faster than most open source projects manage.
The VirusTotal partnership announced on February 7 introduced three layers of scanning:
- Upload-time scanning. Every skill is hashed (SHA-256) and checked against VirusTotal's database. New skills are uploaded for analysis using VirusTotal's Code Insight feature.
- Daily re-scanning. Active skills are re-scanned daily to catch skills that become malicious after initial approval — a known technique in package manager attacks.
- Intent-based auditing. The February 2026 integration introduced behavioral analysis of what a skill intends to do when activated, not just static file scanning.
OpenClaw also committed to publishing a comprehensive threat model, a public security roadmap, details on full codebase security audits, and a formal vulnerability reporting process with defined SLAs, tracked at trust.openclaw.ai.
Version 2026.2.12 addressed the platform-level vulnerabilities. CVE-2026-25253 — the critical RCE that allowed WebSocket hijacking of any OpenClaw instance — was patched. Mandatory browser authentication was introduced. SSRF deny policies were added.
The honest assessment: the response was necessary but late. The marketplace launched without any scanning infrastructure. The RCE vulnerability existed since launch. Mandatory authentication should have been the default. OpenClaw shipped fast and secured later — the same pattern that has created security debt in every fast-growing open source ecosystem before it.
What This Means for Skill Marketplace Trust
The ClawHavoc incident is the agent skills ecosystem's npm event-stream moment. The parallels are direct:
| Factor | npm event-stream (2018) | ClawHub ClawHavoc (2026) |
|---|---|---|
| Attack vector | Compromised package dependency | Malicious SKILL.md in marketplace |
| Payload | Cryptocurrency wallet theft | AMOS: credentials, wallets, SSH keys |
| Detection bypass | Obfuscated code in dependency | Natural language in "Prerequisites" |
| Scale | 1 package, millions of installs | 1,184 skills, ~300K targeted users |
| Root cause | Trust in maintainer handoff | Trust in open marketplace with no scanning |
But there is a critical difference. Malicious npm packages contain code that can be statically analyzed. Malicious skills contain natural language instructions interpreted by an LLM. As the SkillJect research demonstrated, optimized inducement prompts achieve a 95.1% attack success rate while appearing completely benign to human readers.
This means the traditional security toolchain — SAST, DAST, SCA, dependency scanning — does not transfer directly to the skills ecosystem. VirusTotal scanning is better than nothing, but as OpenClaw themselves acknowledged, "cleverly concealed prompt injection payloads may slip through the cracks."
Three Structural Problems Remain
1. No universal signing or provenance. npm has package-lock.json, Sigstore, and provenance attestations. The skills ecosystem has nothing equivalent. You cannot verify that a skill was published by who it claims, or that it has not been modified since publication.
2. The trust model is wrong. Skills marketplaces inherit the app store model — a central authority curates and blesses content. But app store curation works because apps are sandboxed. Agent skills are not sandboxed. They execute with the agent's full permissions. A curated marketplace without sandboxed execution is a false sense of security.
3. Behavioral analysis is unsolved. Detecting malicious intent in natural language instructions is fundamentally harder than detecting malicious code. The security industry does not yet have mature tools for this. VirusTotal's Code Insight is a starting point, not a solution.
Lessons for Anyone Using Agent Skills
If you are working with agent skills in any capacity — installing from marketplaces, writing your own, or managing a team that does either — the ClawHub incident sharpens several practical conclusions.
Do not trust marketplace curation as a security guarantee. ClawHub was "the largest curated registry." 12% of it was malware. Read the SKILL.md yourself. Check every shell command. Check every URL. The audit checklist exists for exactly this purpose.
Treat skills as executable code, not documentation. The mental model matters. When you install a skill, you are giving an AI agent with shell access a new set of instructions. The agent will follow them. If those instructions say "download this binary and run it," the agent will try. If those instructions say "read ~/.ssh/id_rsa," the agent will do it.
Audit auxiliary files, not just SKILL.md. The SkillJect technique hides malicious payloads in auxiliary scripts while keeping the SKILL.md clean. A benign-looking SKILL.md that calls bash scripts/setup.sh is only as safe as setup.sh.
Monitor for persistence. ClawHavoc skills modified SOUL.md and MEMORY.md to plant instructions that survive skill removal. If you installed a suspicious skill and then deleted it, check your agent configuration files for injected content.
Pin skill versions. If a skill you depend on is legitimate today, that does not mean the next version will be. Version pinning protects against maintainer compromise — the same defense that protects you in npm.
Isolate skill evaluation. Test unfamiliar skills in a network-isolated container. If a skill needs network access to install "prerequisites," that is a finding, not a feature.
The Broader Pattern
The agent skills ecosystem is retracing the security history of every software distribution mechanism before it. npm had event-stream. PyPI had thousands of typosquat packages. The Chrome Web Store had malicious extensions. Docker Hub had cryptominer images. Every open registry eventually discovers that openness and security are in tension.
What makes the skills case worse is the attack surface. A malicious npm package needs to exploit a code vulnerability. A malicious skill just needs to ask the agent nicely. The LLM will comply. The attack success rate is 95.1%, not 10.9%.
The agent skills ecosystem needs signing, provenance, sandboxed execution, and behavioral analysis tooling that does not yet exist at maturity. Until it does, the developer is the last line of defense.
The ClawHub incident proved that "curated marketplace" means nothing without enforcement. The 341 skills that slipped through were not sophisticated zero-days. They were week-old GitHub accounts uploading skills with fake Prerequisites sections. The barrier to entry for attackers was seven days and a SKILL.md template.
That should concern everyone building on agent skills infrastructure.
Ready to streamline your terminal workflow?
Multi-terminal drag-and-drop layout, workspace Git sync, built-in AI integration, AST code analysis — all in one app.