336 Malicious Skills Found on ClawHub: How the ClawHavoc Campaign Hit OpenClaw Users in 2026

Security researchers uncovered a coordinated attack called ClawHavoc that planted 335+ malicious skills on OpenClaw's official marketplace, stealing crypto wallets, macOS Keychain credentials, and cloud tokens.

If you've installed any skills from ClawHub, OpenClaw's official marketplace, stop and read this. Security researchers uncovered a large-scale supply chain attack that planted hundreds of malicious skills on the platform, and some of them are actively stealing cryptocurrency wallet data, passwords, and cloud credentials.

What Happened: The ClawHavoc Campaign

Researcher Oren Yomtov from Koi Security examined all 2,857 skills available on ClawHub and found 341 malicious entries, roughly a 12% infection rate. Of those 341, 335 belonged to a single coordinated campaign that researchers are calling ClawHavoc.

These malicious skills didn't look suspicious at first glance. They masqueraded as:

  • Trading bots promising automated crypto trading
  • Financial assistants offering portfolio tracking and market alerts
  • Utility tools presenting themselves as productivity helpers

Once installed, they deployed infostealers that silently exfiltrated:

  • Cryptocurrency wallet data (seed phrases, private keys)
  • macOS Keychain credentials (passwords stored by your Mac)
  • Browser passwords (Chrome, Safari, Firefox)
  • Cloud service tokens (AWS, Google Cloud, Azure)

The attack used a technique called ClickFix social engineering, a method that tricks users into triggering malicious actions by disguising them as ordinary UI interactions. Across multiple campaign waves, ClawHavoc has published at least 1,184 malicious skills on the platform.

Why AI Skill Marketplaces Are Especially Vulnerable

Unlike traditional software, AI agent skills operate with deep system access by design. A skill that can browse the web, read files, and execute code is extraordinarily powerful, and that's exactly why attackers are targeting them.

The risk profile is different from installing a bad browser extension. A compromised OpenClaw skill can:

  • Read every file your agent has access to
  • Exfiltrate memory and session data containing private conversations
  • Make outbound network requests to attacker-controlled servers
  • Access stored credentials from other tools and services

Palo Alto Networks has described OpenClaw as presenting a "lethal trifecta" of risk: access to private data, exposure to untrusted content from the web, and the ability to perform external communications, all while retaining memory across sessions. India's growing community of OpenClaw users, many running the agent on personal MacBooks or Mac Minis, are just as exposed as users anywhere else.

How to Check If You're Affected

Step 1: Audit your installed skills

Open OpenClaw and navigate to your skills list. Look for anything related to trading, financial analysis, portfolio management, or crypto tools that you didn't personally verify. If you don't remember installing something, remove it.

Step 2: Check for suspicious activity

  • Review your crypto wallets for unauthorized transactions
  • Check your macOS Keychain for unexpected app access
  • Review cloud provider access logs (AWS CloudTrail, Google Cloud Audit Logs)
  • Change browser-stored passwords if you have any crypto or financial logins saved

Step 3: Update to the latest version immediately

OpenClaw's most recent releases include security hardening. They've also announced a partnership with VirusTotal to scan skills uploaded to ClawHub going forward. The new scanning pipeline should catch these attacks before they reach users.

If you're running OpenClaw on a budget Mac or a cloud server in India, check out the Apple MacBook Neo review; it covers machines available from ₹49,900 that are well-suited for self-hosted AI agent setups.

The Bigger Picture: 67 Vulnerabilities in OpenClaw

This isn't just about ClawHub skills. Germany's CERT Bund (BSI) published a full disclosure listing 67 security vulnerabilities in OpenClaw, the majority classified as "high" severity with several marked "critical." Recent releases address many of these.

The OpenClaw v2026.2.6 security update was specifically released to close critical security gaps, including URL allowlists for web_search and web_fetch that limit where your agent can reach out.

For anyone building serious setups, why AI agents aren't scaling in enterprise yet covers exactly why security holes like this are one of the core barriers to broader business adoption in 2026.

What OpenClaw Is Doing About It in 2026

The OpenClaw team has rolled out several concrete responses:

  1. VirusTotal integration: All new ClawHub skills are now scanned before listing
  2. Threat model documentation: Published to help users understand risk exposure
  3. Misconfiguration auditing: New tooling to flag dangerous agent configurations
  4. URL allowlists: Restricts which domains your agent can reach via web tools
  5. Skill verification badges: Community-reviewed skills display trust indicators

The OpenClaw creator's move to OpenAI in early 2026 raised questions about the project's long-term security investment, but the current maintainers have continued active patching.

What Indian OpenClaw Users Should Do Right Now

India has one of the fastest-growing OpenClaw communities, with users running everything from personal productivity agents to small business automation tools. Here's the priority checklist:

  1. Update OpenClaw to the latest release (check the GitHub releases page)
  2. Remove any trading or financial skills you don't fully trust
  3. Only install skills from verified developers: check GitHub stars, commit history, and community reviews on the OpenClaw Discord
  4. Enable URL allowlists to restrict your agent's web access
  5. Rotate your cloud credentials if your agent had access to AWS, GCP, or Azure tokens
  6. Run a Keychain audit on macOS: check System Preferences > Privacy & Security
  7. Back up skill configs before removing suspicious skills so you can recreate legitimate ones

If you're evaluating AI agent platforms for the first time, the OpenClaw viral growth story gives useful context on how quickly the ecosystem expanded, and why security standards are still catching up.

The Real Cost of a ClawHavoc Compromise

The financial damage from a successful ClawHavoc infection is real and often irreversible. Crypto wallet theft means immediate loss with no recourse. Cloud credential theft can result in unauthorized compute charges that pile up before you notice.

In India, where many developers use international cloud accounts billed in USD, an AWS credential leak can result in surprise bills of ₹50,000 to ₹5,00,000 before you catch it. This isn't theoretical: infostealer campaigns targeting developer tools have cost Indian tech workers real money in 2025 and 2026.

The lesson: treat your AI agent's skill marketplace like you'd treat npm or pip, with healthy skepticism about third-party code, even from an "official" source.

FAQ

Q: How do I know if I installed a ClawHavoc skill?

Check your installed skills list for anything crypto- or finance-related that you don't remember adding. Cross-reference against the known malicious skill names published by Koi Security on their GitHub. If you find a match, remove it immediately and rotate any credentials your agent had access to.
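
The Step 1 audit and the cross-reference described in this answer can be scripted. The following is an added example, not code from OpenClaw or Koi Security; the folder layout (one directory per skill containing a `SKILL.md`), the blocklist names and the sample skills are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed placeholder names; replace with the researchers' published list.
KNOWN_BAD = {"example-bad-trading-bot", "example-bad-wallet-helper"}
# Themes the article says the malicious skills used as cover: manual review only.
REVIEW_TERMS = re.compile(
    r"\b(trad(?:e|ing)\w*|financ\w*|portfolio\w*|crypto\w*|wallet\w*)\b", re.I)

def normalize(name: str) -> str:
    """Fold case and separators so 'Bad_Trading Bot' equals 'bad-trading-bot'."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")

def audit_skills(skills_dir: Path, known_bad: set) -> dict:
    """Sort each installed skill folder into remove / review / ok."""
    bad = {normalize(n) for n in known_bad}
    report = {"remove": [], "review": [], "ok": []}
    for skill in sorted((p for p in skills_dir.iterdir() if p.is_dir()),
                        key=lambda p: p.name.lower()):
        manifest = skill / "SKILL.md"  # assumed manifest file name
        text = manifest.read_text(errors="replace") if manifest.is_file() else ""
        name = normalize(skill.name)
        if name in bad:
            report["remove"].append(skill.name)  # exact hit on the published list
        elif REVIEW_TERMS.search(name) or REVIEW_TERMS.search(text):
            report["review"].append(skill.name)  # cover theme: verify by hand
        else:
            report["ok"].append(skill.name)
    return report

def build_sample(root: Path) -> Path:
    """Constructed sample install so the audit runs offline."""
    samples = {
        "Example-Bad-Trading-Bot": "Automated crypto trading.",
        "market-helper": "Portfolio tracking and market alerts.",
        "crypto_price_alerts": "Sends price notifications.",
        "daily-notes": "Summarises meeting notes into a daily digest.",
    }
    for name, body in samples.items():
        (root / name).mkdir()
        (root / name / "SKILL.md").write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for bucket, names in audit_skills(build_sample(Path(tmp)), KNOWN_BAD).items():
            print(f"{bucket}: {names}")
```

A skill in the "ok" bucket only means no name or theme match; a renamed malicious skill would not be caught by a name list alone.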

Q: Is ClawHub safe to use now in 2026?

OpenClaw has added VirusTotal scanning for all new skill uploads, which significantly reduces the risk. However, older skills uploaded before the scanning pipeline was in place have not all been re-reviewed. Stick to skills with community trust badges or high star counts from known developers.

Q: What's the difference between ClawHavoc and other AI malware campaigns?

ClawHavoc specifically targets OpenClaw's skill marketplace (ClawHub) and uses ClickFix social engineering to trick users into activating the malicious payload. It's more targeted than general infostealers because it exploits the trust users place in the official marketplace, similar to how supply chain attacks on npm packages exploit developer trust in the npm registry.
