ClawHub Malicious Skills Discovered in Bulk: What OpenClaw Users Must Check

ClawHavoc: Not an Isolated Incident, But a Large-Scale Attack Campaign

Security research firm Koi Security audited all 2,857 skills registered on ClawHub and found a staggering 341 (about 12%) to be malicious. Of these, 335 were traced to a single campaign called "ClawHavoc."

The attacks targeted both macOS and Windows, with particular focus on always-on machines like Mac minis running OpenClaw. The malicious skills were convincingly disguised as crypto wallet trackers, Polymarket trading bots, YouTube utilities, and Google Workspace integration tools—features people actually search for. They even used typosquatting (subtle name variations) to confuse users with legitimate packages.

The Twitter Skill Was the Most Dangerous

What was particularly shocking was that one of the most downloaded OpenClaw skills was at the center of the problem. On the surface, it appeared to be a Twitter integration feature, but it was actually a completely fabricated process for distributing malware.

This skill asked users to install a fake package called openclaw-core as a "required dependency." On macOS, it prompted users to copy and paste shell commands into the terminal. On Windows, it had users download a password-protected ZIP file from GitHub and execute it. The result was the installation of Atomic macOS Stealer (AMOS), an info-stealing malware that grabs browser credentials, keychain passwords, crypto wallet data, and SSH keys. In AI agent environments, API keys and authentication tokens can also be exposed, making the potential damage much greater.

More Than Just Stealers: Various Attack Techniques

Beyond the ClawHavoc campaign, other types of malicious skills were discovered. Some embedded reverse shell backdoors in seemingly functional code, while others secretly exfiltrated bot credentials from configuration files like ~/.clawdbot/.env to external webhook services.

Snyk separately scanned 3,984 skills on the ClawHub marketplace (after the Koi audit, when the skill count had increased) and found that approximately 7.1% (283 skills) had critical security flaws exposing sensitive credentials in plain text. Bitdefender detected about 900 malicious skills with its own scanner—nearly 20% of the total. They also confirmed patterns of malicious skills being mass-cloned and redistributed with only slight name changes.

My Experience: Security Warnings Everywhere

After a recent OpenClaw update, I ran a security scan and warnings popped up everywhere—even for skills I built myself. Since I made them, I know what's inside, so it's fine, but if you're using any skills from ClawHub, I recommend removing them immediately.

Building your own isn't difficult. Just ask Claude to make it, test it, and if it works, you're done. Talking to people around me who use OpenClaw, it seems fortunately no one is using ClawHub skills anyway.

Actions That Require Vigilance

You should be suspicious of any skill you didn't build yourself or haven't personally reviewed the code for. The following actions should definitely be avoided:

• Consolidating all permissions in one place without separating agents
• Leaving messenger integrations open without pairing
• Handing over tokens directly via chat
• Building automated email processing systems without proper security

AI agents operate with system-wide access permissions. When a malicious skill is installed, the attacker inherits all the permissions the agent has. This is a fundamentally different level of risk compared to traditional browser extensions running in sandboxes. According to Censys data, over 30,000 OpenClaw instances are exposed to the internet.

Good News: VirusTotal Scanning Implementation

Fortunately, there's good news too. OpenClaw has partnered with Google's VirusTotal to implement automatic scanning for all skills uploaded to ClawHub.

Here's how it works: A SHA-256 hash is generated for every skill and checked against the VirusTotal database. If there's no match, VirusTotal Code Insight performs additional analysis, internally using Gemini 3 Flash to analyze SKILL.md and related scripts from a security perspective. It summarizes what the skill actually does rather than what it claims to do.

Skills marked "benign" are automatically approved, suspicious skills get a warning label, and malicious ones are completely blocked from download. All previously registered skills are also rescanned daily.

Of course, OpenClaw has acknowledged that VirusTotal scanning isn't a silver bullet. Sophisticated hidden prompt injection payloads can still slip through. However, with the threat model disclosure, security roadmap, official security reporting process, and plans for a full codebase security audit, it's clear they're taking security seriously.

The VirusTotal blog also announced native analysis support for OpenClaw skill packages. They've analyzed over 3,016 OpenClaw skills so far, confirming malicious characteristics in hundreds of them. They also discovered that a single user named "hightower6eu" uploaded over 314 malicious skills.

Conclusion

As the AI agent ecosystem grows rapidly, we're seeing the classic pattern where security infrastructure can't keep pace. The supply chain attacks experienced by package managers like npm and PyPI are now being replayed in AI skill marketplaces.

The conclusion is simple: Don't use skills from ClawHub—build the ones you need yourself. The VirusTotal scanning implementation is positive, but you can't let your guard down just because of that. You must remain vigilant about anything you didn't build yourself or haven't verified the code for.

Refs

• A top-downloaded OpenClaw skill is actually a... - Reddit r/LocalLLaMA
• OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills - The Hacker News
• Researchers Find 341 Malicious ClawHub Skills Stealing Data - The Hacker News
• From Automation to Infection: How OpenClaw Skills Are Being Weaponized - VirusTotal Blog
• It's easy to backdoor OpenClaw, and its skills leak API keys - The Register
• From magic to malware: How OpenClaw's agent skills become an attack surface - 1Password Blog
• Technical Advisory: OpenClaw Exploitation in Enterprise Networks - Bitdefender
• The OpenClaw Security Saga - Cyera Research Labs