824 Malicious Skills Found on ClawHub. Here's What They Stole.
You installed a skill from ClawHub last week.
Maybe it was a Solana tracker. Maybe a code reviewer. Maybe something that sounded useful and had decent documentation.
There's a 12% chance it was malware.
The Numbers Are Ugly
Security researchers combed through ClawHub — OpenClaw's public skill marketplace. Out of 2,857 skills listed, 341 were confirmed malicious. Another 483 were flagged as suspicious.
That's not a rounding error. That's one in eight.
The skills looked professional. Clean READMEs. Proper formatting. Names like solana-wallet-tracker and code-review-assistant — things you'd actually want to install.
Behind the curtain? Keyloggers on Windows. Atomic Stealer malware on macOS. Credential harvesting scripts that phoned home before you noticed anything was wrong.
How It Worked
The attack was simple. Almost boring.
Step one: create a skill with a useful-sounding name.
Step two: write good documentation. Better than most legitimate skills.
Step three: game the download count. A few hundred installs makes anything look trusted.
Step four: bury the payload in a post-install script. The skill does what it promises. It also does what you didn't ask for.
One researcher proved the concept by uploading a backdoored skill with a harmless payload. Within hours, dozens of developers had installed it.
His conclusion:
"Had I been malicious, those users would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."
Why ClawHub Was Vulnerable
No code signing. No vetting process. No automated scanning.
ClawHub is basically npm circa 2018 — before the industry learned that open package registries need guardrails.
Anyone could publish anything. And they did.
The OpenClaw team has since added basic scanning. But the gap between "basic scanning" and "actually secure" is where attackers live.
Reddit's r/cybersecurity didn't hold back. One of the top comments: "So tired of these bullshit articles being shared here. This OpenClaw thing is a shit show. Stay secure by not using it."
Harsh. But the frustration is understandable.
What Got Stolen
The malicious skills targeted three things:
1. API keys. OpenAI, Anthropic, AWS, Stripe. Anything stored in environment variables or config files. One compromised key can burn through thousands of dollars in hours.
2. SSH keys and credentials. Full access to your servers, your repos, your infrastructure. The kind of access that makes a breach catastrophic instead of annoying.
3. Chat history and business data. Everything your agent has seen. Customer conversations. Internal documents. Strategy discussions you had with your AI assistant.
The payloads were designed to exfiltrate silently. No obvious network spikes. No error messages. Just a quiet POST to an attacker-controlled endpoint every few minutes.
The Real Problem
Skills run with the same permissions as your OpenClaw instance.
There's no sandbox. No permission boundary. No "this skill can read files but not make network calls."
When you install a skill, you're giving it everything. Your file system. Your network. Your credentials. Your agent's full context.
That's the architectural flaw nobody wants to talk about.
As one r/OpenClawCentral commenter put it: "The moment you let agents install skills with broad permissions, you basically hand over the keys."
What You Should Do Right Now
Audit your installed skills. Check every skill against known malicious lists. The OpenClaw Carapace scanner can help — it was built specifically for this.
Don't install skills from ClawHub without reviewing the source. If you wouldn't run an npm package without checking it, don't run an OpenClaw skill without checking it either.
Rotate your credentials. If you've installed any skill in the past 90 days, assume your API keys and tokens may be compromised. Rotate them. All of them.
Use a managed deployment. Clawctl sandboxes skill execution by default. Skills can't access your host file system, can't make arbitrary network calls, and can't exfiltrate credentials. The architecture prevents it — not a policy, not a scanner, the actual runtime.
The Bigger Picture
This isn't just an OpenClaw problem. It's an agent ecosystem problem.
Every platform that lets users install community extensions faces this. The difference is maturity. Browser extensions went through this. npm went through this. Docker Hub went through this.
OpenClaw is going through it right now.
The question isn't whether the marketplace will get better. It will. The question is how many people get burned in the meantime.
The bottom line: 12% of ClawHub was compromised. If you're running OpenClaw in production with community skills, you're gambling with your credentials, your data, and your customers' trust.