ClawHavoc Poisons OpenClaw ClawHub with 1,184 Malicious Skills

Home » News
Yash Shield
News
Reading time icon 2 min. read

Calendar icon Published on

ClawHavoc attackers poisoned OpenClaw’s ClawHub marketplace with 1,184 malicious Skills. These plugins steal data and open backdoors on infected systems. Koi Security named the campaign on February 1, 2026, while Antiy CERT tracks it as TrojanOpenClaw PolySkill family.

Threat actors signed up as developers in late January 2026. They uploaded trojanized Skills disguised as crypto bots and productivity tools. ClawHub’s weak checks let any GitHub account over one week old publish freely.

BEST WINTER DEALS
Editor's Choice
Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.
Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

By February 5, researchers tied 1,184 bad packages to 12 accounts. One account pushed 677 alone. Even after takedowns, many stayed live with thousands of downloads.

 Encrypted Data and Corresponding Decryption Code (Source:antiy)

Attack Mechanics

Malicious Skills arrive as ZIP files with hidden payloads in docs or helpers. Attackers mix ClickFix tricks to fool users into running extras. Scripts grab API keys, wallets, and credentials fast.

On macOS, victims pull Atomic Stealer variants. These dump browsers, SSH keys, Telegram data, and Keychains to attacker servers. Reverse shells give remote control.​

AI agents run with high privileges often. This lets plugins hit files, shells, and secrets deeply. ClickFix uses long docs to hide commands from pros too.

Launching a Fake Password Input Box upon Startup (Source:antiy)

Behaviors Table

BehaviorDescriptionRisk Level
ClickFix DownloadersTrick users to run external binaries as “fixes”Full system compromise
Reverse-Shell DroppersConnect back to attacker servers for commandsPersistent remote access
Data-Stealing ScriptsExfiltrate credentials and tokens directlyImmediate data loss
Password-Protected PayloadsHidden archives needing manual installTargeted theft

Defense Actions

  • Audit all installed ClawHub Skills now.
  • Delete unknowns and rotate all credentials.
  • Block Skills from untrusted publishers.
  • Watch for ClickFix in plugin docs.
Download Remote Control Trojan with Reverse Shell Connection Capability (Source:antiy)

Exposed OpenClaw instances amplify risks with no auth by default. Teams must govern AI marketplaces better. This hit shows supply chain threats in AI tools clearly.

FAQ

What is ClawHavoc?

Supply chain attack on ClawHub with 1,184 bad Skills for theft and backdoors. Started late January 2026.

How do malicious Skills spread?

Via ZIP payloads in docs. Use ClickFix to make users run malware manually.

What data do they steal?

Crypto wallets, browser passwords, API keys, macOS Keychains, SSH, Telegram sessions.

Who discovered ClawHavoc?

Koi Security on February 1. Antiy CERT analyzed 1,184 packages by February 5.

How to clean infected systems?

Remove suspect Skills. Scan endpoints. Change all keys. Check for reverse shells.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages