Full Report
A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks. ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. It's an extension to the OpenClaw project, a self-hosted artificial intelligence (AI) assistant
Analysis Summary
# Incident Report: ClawHub Malicious Skills Campaign (ClawHavoc)
## Executive Summary
Security researchers from Koi Security discovered a large-scale supply chain risk on the ClawHub marketplace, identifying 341 malicious third-party "skills" targeting users of the self-hosted AI assistant, OpenClaw. The primary malicious campaign, dubbed "ClawHavoc," utilized sophisticated social engineering via fake prerequisites to deploy the Atomic Stealer (AMOS) malware, primarily targeting macOS users to harvest credentials and crypto assets.
## Incident Details
- **Discovery Date:** Approximately February 2, 2026 (Date of Koi Security publication).
- **Incident Date:** Ongoing campaign prior to detection/analysis.
- **Affected Organization:** Users of the OpenClaw AI assistant utilizing the ClawHub skill marketplace.
- **Sector:** Technology/Software (AI Assistant Ecosystem).
- **Geography:** Global (affecting users employing OpenClaw installations, noted focus on macOS users who are reportedly using Mac Minis for 24x7 operation).
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-publication of findings (Ongoing prior to detection).
- **Vector:** Social engineering via malicious functions within seemingly legitimate ClawHub skills.
- **Details:** Attackers uploaded 335 skills masquerading as tools (e.g., crypto trackers, YouTube utilities, typosquats). Installation required users to follow instructions listed under a "Prerequisites" section, which involved downloading files from GitHub or executing obfuscated shell commands from `glot[.]io`.
### Lateral Movement
- **Date/Time:** Post-initial execution on the victim host.
- **Vector:** Execution of fetched payloads from attacker infrastructure (`91.92.242[.]30`).
- **Details:** The execution chain led to retrieval of a Mach-O binary (for macOS) consistent with Atomic Stealer, which performs data collection on the host system.
### Data Exfiltration/Impact
- **Date/Time:** Upon successful malware execution.
- **Vector:** Information theft via Atomic Stealer and potentially webhook exfiltration.
- **Details:** Harvested data included API keys, credentials, passwords, and potentially crypto assets. One subset of malicious skills exfiltrated bot credentials (`~/.clawdbot/.env`) directly to a `webhook[.]site`.
### Detection & Response
- **Date/Time:** Ongoing analysis by Koi Security, aided by an OpenClaw bot named Alex.
- **Vector:** Proactive security audit of the ClawHub repository.
- **Details:** Koi Security disclosed findings, including infrastructure details, leading to awareness across the OpenClaw ecosystem (OpenSourceMalware also flagged the campaign). Official response actions from ClawHub management (like adding a reporting option) are mentioned as emerging steps.
## Attack Methodology
- **Initial Access:** Social engineering via fake skill prerequisites instructing users to run external commands or download archives.
- **Persistence:** Not explicitly detailed for the stealer payload, but the initial skill execution serves as the trigger for the secondary payload delivery.
- **Privilege Escalation:** Not explicitly detailed, but execution of system-level commands (especially on macOS via Terminal paste) suggests reliance on user trust/sufficient local permissions.
- **Defense Evasion:** Payloads were fetched dynamically, and the delivery script on macOS used obfuscated shell commands.
- **Credential Access:** Direct harvesting of API keys, credentials, browser passwords, and crypto wallet private keys via Atomic Stealer.
- **Discovery:** Unknown specific reconnaissance, though the malware focuses on data collection on the compromised host.
- **Lateral Movement:** Movement occurred between initial user execution, subsequent download from external infrastructure, and final payload execution.
- **Collection:** Keylogging (via the Windows archive payload) and general information theft via Atomic Stealer.
- **Exfiltration:** To attacker-controlled servers (implied for the main stealer) and explicitly to a `webhook[.]site` for secondary backdoor/credential skills.
- **Impact:** Theft of sensitive information, especially cryptocurrency-related secrets.
## Impact Assessment
- **Financial:** High potential for direct loss of cryptocurrency assets, API key compromise, and infrastructure compromise due to stolen SSH credentials.
- **Data Breach:** Sensitive credentials, API keys, and private wallet keys from affected OpenClaw users.
- **Operational:** Low direct impact on the ClawHub/OpenClaw platform itself, but significant risk and trust disruption for end-users relying on third-party skills.
- **Reputational:** Significant negative impact on trust in the ClawHub ecosystem and the perceived security of self-hosted AI assistants.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- Malicious C2 IP: `91.92.242[.]30`
- Exfiltration endpoint: `webhook[.]site` (used by specific skills)
- Delivery source: `glot[.]io` (for macOS scripts)
- **File Indicators:**
- Windows payload archive: `openclaw-agent.zip` (From GitHub)
- macOS execution: Obfuscated shell commands intended to fetch Mach-O binary.
- **Behavioral Indicators:**
- Skills using obvious typosquats of "ClawHub".
- Skills requiring installation via external prerequisite commands executed directly in the terminal.
- Skills requesting unusual permissions or claiming unrelated functionalities (e.g., finance tools delivering malware).
## Response Actions
- **Containment Measures:** Identification and likely delisting/removal of the 341 malicious skills from the ClawHub repository (implied requirement following audit disclosure).
- **Eradication Steps:** Users must manually verify and clean their systems if they executed the prerequisites, particularly macOS users running shell commands. Remediation requires changing all credentials/keys harvested.
- **Recovery Actions:** Users need to secure their OpenClaw environments and change credentials exposed by the malware.
## Lessons Learned
- **Supply Chain Trust:** Trusting third-party "skills" in a self-hosted AI ecosystem introduces critical supply chain vulnerabilities similar to those found in traditional software repositories.
- **Malware Distribution Vectors:** Attackers successfully leveraged the "Prerequisites" section in skill documentation as a mechanism for social engineering users into running dangerous external commands.
- **Ecosystem Openness:** The platform's open nature, where anyone can upload a skill with minimal checks, is a critical flaw enabling mass distribution of malware.
## Recommendations
- Implement robust pre-publication security scanning and vetting for all skills uploaded to ClawHub.
- Remove the reliance on external, user-executed prerequisite commands; all necessary components should ideally be self-contained or installed via trusted mechanisms within the platform.
- Enhance user warnings when a skill installation requires executing raw code or downloading binaries from external sites (GitHub or third-party URL shorteners/hosting).
- Develop automated monitoring to detect skills exfiltrating credentials to known public endpoints (like public webhook services).