
OpenClaw ClawHub Security: ClawHavoc Attack Analysis

341 malicious skills found on ClawHub in the ClawHavoc campaign. Full analysis of the attack, affected users, and VirusTotal partnership response.

Digital Applied Team
February 6, 2026
  • Malicious Skills: 341
  • Skills Audited: 2,857
  • Credential Leaks: 7.1%
  • Skills Scanned (Snyk): 3,984

Key Takeaways

341 malicious skills discovered: Koi Security audited 2,857 ClawHub skills and flagged 341 as containing malware, credential theft, or data exfiltration code in a coordinated campaign called ClawHavoc.
7.1% of skills leak credentials: Snyk's separate audit of 3,984 skills found 283 (7.1%) exposed API keys, tokens, and passwords in the LLM context window — an "insecurity by design" flaw.
VirusTotal partnership announced: OpenClaw partnered with VirusTotal for automated skill scanning, blocking malicious skills and flagging suspicious ones before users can install them.
New security leadership: OpenClaw appointed Jamieson O'Reilly as security lead, published a threat model, and established a formal vulnerability reporting process.

In late January 2026, cybersecurity researchers at Koi Security published findings that would shake the rapidly growing OpenClaw ecosystem to its core: 341 malicious skills had been planted on ClawHub, OpenClaw's official plugin marketplace, as part of a coordinated supply chain attack dubbed "ClawHavoc."

The attack exploited the fundamental trust model of AI agent plugin ecosystems — users install skills expecting them to be vetted, but ClawHub had no automated security scanning at the time. Malicious skills disguised as cryptocurrency wallets, trading bots, and YouTube utilities deployed the Atomic Stealer (AMOS) malware to harvest credentials, drain crypto wallets, and exfiltrate sensitive data.

The ClawHavoc Campaign: Timeline

  • Late December 2025: First malicious skills appear on ClawHub as OpenClaw's user base surges past 1 million
  • Early January 2026: Campaign ramps up with dozens of cryptocurrency and trading bot skills published by coordinated accounts
  • January 20, 2026: Initial community reports of suspicious skill behavior surface on Discord and GitHub Issues
  • January 24, 2026: Koi Security publishes audit results: 341 of 2,857 skills flagged as malicious
  • January 27, 2026: Snyk releases independent analysis: 283 skills (7.1% of 3,984) found leaking credentials
  • January 30, 2026: OpenClaw announces VirusTotal partnership for automated skill scanning
  • February 2, 2026: New security leadership announced; threat model and vulnerability reporting process published

Scale of the Attack

The scale of ClawHavoc was significant for a marketplace that had only existed for approximately two months. Out of 2,857 skills audited by Koi Security, 341 (approximately 11.9%) were flagged as containing malicious code. This is a substantially higher malware rate than comparable ecosystem attacks — npm supply-chain incidents typically affect less than 1% of packages.

Malware Payload: Atomic Stealer (AMOS)

The primary malware payload was Atomic Stealer (AMOS), a macOS-focused infostealer that targets:

  • Browser cookies and saved passwords (Chrome, Safari, Firefox)
  • Cryptocurrency wallet files and private keys
  • System keychain entries and SSH keys
  • API keys and tokens stored in environment variables
  • Messaging app session tokens

Attack Vectors and Techniques

The ClawHavoc attackers used several sophisticated techniques to disguise malicious skills as legitimate tools:

Cryptocurrency Wallet Mimics

Skills claiming to manage Solana, Ethereum, and Bitcoin wallets that instead copied private keys to attacker-controlled servers. These were the most profitable attack vector, with confirmed reports of wallet draining.

Trading Bot Lookalikes

Skills advertising automated trading capabilities that required exchange API keys with withdrawal permissions. Attackers harvested these keys to execute unauthorized trades and withdrawals.

YouTube Utility Trojans

Skills promising YouTube analytics, video downloading, or channel management that embedded obfuscated AMOS payloads in seemingly innocuous helper functions.

Typosquatting Popular Skills

Skills with names nearly identical to popular legitimate skills (e.g., "gmial-manager" vs "gmail-manager") designed to capture users who mistype installation commands.
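
A pre-install check for the typosquatting pattern described above, as an added example (not ClawHub's or OpenClaw's code). It compares a requested skill name against an allowlist using optimal string alignment distance, which counts an adjacent swap such as "gmial" for "gmail" as a single edit. The allowlist, function names and thresholds are assumptions for illustration.

```python
import re

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert/delete/substitute plus adjacent swap."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]

def normalize(name: str) -> str:
    """Fold case and separator variants so 'Gmail_Manager' maps to 'gmail-manager'."""
    return re.sub(r"[\s_.]+", "-", name.strip().lower())

def check_skill_name(name, known_good, max_distance=2):
    """Return (verdict, closest_known_name, distance) for a requested skill name."""
    if name in known_good:
        return ("known", name, 0)
    n = normalize(name)
    # Short names get a tighter limit so unrelated 3-4 letter names do not collide.
    limit = min(max_distance, len(n) // 4)
    best = min(((osa_distance(n, normalize(k)), k) for k in known_good), default=None)
    if best is not None and best[0] <= limit:
        return ("suspect", best[1], best[0])  # near-miss of a trusted name
    return ("unlisted", None, None)           # not similar to anything trusted

# Constructed allowlist; only "gmail-manager" comes from the article.
KNOWN_GOOD = ["gmail-manager", "youtube-summarizer", "solana-wallet"]

if __name__ == "__main__":
    for requested in ("gmail-manager", "gmial-manager", "Gmail_Manager", "weather-lookup"):
        print(requested, "->", check_skill_name(requested, KNOWN_GOOD))
```

A "suspect" verdict should block the install until the user confirms the exact name; "unlisted" only means the name resembles nothing on the allowlist, not that the skill is safe.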

The Snyk Audit: Insecurity by Design

Beyond the deliberately malicious skills, Snyk's independent audit uncovered a more systemic problem. Scanning 3,984 ClawHub skills, they found 283 (7.1%) that leaked sensitive credentials through the LLM context window — not through malicious intent, but through poor security practices.

Types of Credential Exposure

  • Hardcoded API Keys: Skills with API keys embedded directly in source code rather than loading from environment variables
  • Context Window Leaks: Skills that pass credentials as part of the AI prompt, exposing them to the model provider
  • Unencrypted Storage: Skills storing tokens and passwords in plaintext files accessible to any process
  • Debug Logging: Skills that log full request bodies — including auth headers — to stdout or log files
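
Two of the exposure types above, context window leaks and debug logging, shown with the weak pattern beside a corrected one. This is an added example, not code from Snyk, OpenClaw or any audited skill; the tool name `fetch_report`, the variable `REPORT_API_KEY` and the key value are constructed for illustration.

```python
import logging
import re

# Key/value pairs whose value is a credential: "Authorization: Bearer x",
# "api_key=x", '"token": "x"'. Group 1 (key name and separator) is kept.
_PAIR = re.compile(
    r"""(["']?\b(?:authorization|x-api-key|api[_-]?key|token|password|secret)\b["']?"""
    r"""\s*[:=]\s*["']?)(?:(?:bearer|basic)\s+)?[^\s"',;}]+""",
    re.IGNORECASE,
)

def scrub(text: str) -> str:
    """Replace credential values with a fixed marker, keeping the key name."""
    return _PAIR.sub(r"\1[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Scrub each record before the handler emits it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub(record.getMessage()), None
        return True

def build_prompt_leaky(task: str, api_key: str) -> str:
    # Weak pattern: the key becomes part of the model's context window.
    return f"Use api_key={api_key} to {task}."

def build_prompt_safe(task: str) -> str:
    # Corrected: the model only names the tool; tool code resolves the key.
    return f"Call the fetch_report tool to {task}."

def fetch_report(env: dict, log: logging.Logger) -> dict:
    """Hypothetical tool body: the key is read from the environment at call time."""
    headers = {"Authorization": f"Bearer {env['REPORT_API_KEY']}"}
    log.debug("outgoing request headers=%s", headers)  # scrubbed by the filter
    return {"status": "ok"}

def demo() -> tuple:
    """Return (leaky prompt, safe prompt, log lines actually emitted)."""
    env = {"REPORT_API_KEY": "sk-constructed-0000"}  # constructed sample value
    lines, handler = [], logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("skill.demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    fetch_report(env, log)
    log.removeHandler(handler)
    task = "pull Q4 numbers"
    return build_prompt_leaky(task, env["REPORT_API_KEY"]), build_prompt_safe(task), lines
```

Pattern-based scrubbing is a backstop for logs and outbound prompts; the structural fix is the safe prompt, where the credential never reaches the text sent to the model provider.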

OpenClaw's Response

To their credit, the OpenClaw team responded quickly and transparently to the ClawHavoc findings. The response involved both immediate remediation and longer-term structural changes:

  • All 341 flagged skills were immediately removed from ClawHub
  • Affected users were notified via the Control UI with credential rotation guidance
  • Jamieson O'Reilly was appointed as the first dedicated security lead
  • A formal threat model and security roadmap were published on the OpenClaw blog
  • A vulnerability reporting process and bug bounty program were established

VirusTotal Partnership

The most significant long-term response was the partnership with VirusTotal, Google's malware scanning service. Under this partnership:

Automated Scanning

Every skill submitted to ClawHub is automatically scanned by VirusTotal's Code Insight engine before it can be published. Malicious skills are blocked, suspicious ones flagged for manual review.

Daily Re-Scanning

All active skills on ClawHub are re-scanned daily to catch threats that emerge as new malware signatures are identified. Updates trigger immediate re-scanning.

While the VirusTotal integration significantly raises the security bar, it is not a complete solution. Sophisticated obfuscation techniques, novel attack patterns, and logic-based exploits may evade automated scanning. Manual auditing remains essential for high-risk skill categories.

What Users Should Do Now

If you are using OpenClaw, take these steps to secure your instance:

Audit installed skills

Review every skill installed on your OpenClaw instance. Remove any you did not explicitly choose or cannot verify the source of.

Rotate all credentials immediately

Change all API keys, tokens, and passwords that your OpenClaw instance has accessed — even if you believe you were not affected.

Run antivirus scan

Scan your system for Atomic Stealer (AMOS) signatures. On macOS, use Malwarebytes or XProtect. On Windows, use Defender.

Check cryptocurrency wallets

If you used any crypto-related skills, check your wallets for unauthorized transactions and move funds to new wallets with fresh keys.

Enable VirusTotal badges

Only install skills showing the VirusTotal verified badge in ClawHub. Treat unverified skills as potentially malicious.

For a comprehensive security setup, see our OpenClaw Security Hardening Guide.

Impact on the AI Plugin Ecosystem

ClawHavoc is not just an OpenClaw problem — it is a warning for every AI platform building plugin or skill marketplaces. The same attack patterns that compromised ClawHub can target ChatGPT plugins, Claude MCP tools, and any other AI agent extension ecosystem.

The fundamental tension is between ecosystem growth (making it easy for developers to publish) and security (verifying that published code is safe). OpenClaw chose growth first, security second — a decision that the ClawHavoc incident forced them to correct. For a broader analysis of AI plugin security implications, see our AI Agent Plugin Security Lessons.

Conclusion

The ClawHavoc campaign is a sobering reminder that the AI agent revolution comes with significant security implications. As autonomous agents gain deeper system access and broader adoption, they become increasingly attractive targets for malicious actors.

OpenClaw's response — the VirusTotal partnership, security leadership, and published threat model — represents the right trajectory. But the responsibility falls on users as well: vetting skills, rotating credentials, and maintaining security awareness is now a non-negotiable part of using autonomous AI agents.
