824 Malicious Skills Found on ClawHub: The ClawHavoc Campaign Explained
1 in 5 skills on ClawHub is malicious.
That's not a typo. That's a real number from a real audit.
If you've installed any OpenClaw skills from ClawHub in the last 6 months, keep reading. Your API keys might already be in someone else's hands.
What Happened
In early March 2026, security firm Koi Security published an audit of ClawHub — the open marketplace where OpenClaw users download skills to extend their bots.
They scanned 2,857 skills.
341 came back flagged as malicious.
Of those, 335 traced back to a single coordinated operation. Koi Security named it ClawHavoc.
One threat actor. One campaign. 335 poisoned skills sitting in a public registry that anyone could install with a single command.
But it got worse.
Follow-up scans by independent researchers pushed the total count to 824+ malicious skills. That's roughly 20% of every skill on ClawHub.
The Register picked up the story. 1Password published an analysis showing how skills become attack surfaces. The OpenClaw community went into full damage-control mode. (This is one of six major security risks hitting OpenClaw in 2026.)
Here's what we know.
How the ClawHavoc Attack Works
The attacker wasn't dumb. They didn't name their skills "definitely-not-malware."
They used three tactics that made detection almost impossible for the average user.
1. Popular Disguises
Every malicious skill pretended to be something useful:
- Crypto wallets — MetaMask helpers, Phantom integrations
- Polymarket bots — prediction market automation
- YouTube utilities — download managers, analytics scrapers
- Google Workspace integrations — Sheets connectors, Gmail automations
- Auto-updaters — tools that promised to keep your bot current
These aren't random categories. They're the most-searched skill types on ClawHub.
2. Typosquatting
The oldest trick in the book. And it still works.
The attacker published skills with names like:
google-sheeets-sync(three e's)yt-download-manager(legit one isyoutube-dl-manager)metamask-walllet(double l)
One typo. That's all it takes.
You search ClawHub in a hurry. You grab the first result that looks right. You're infected before your coffee gets cold.
3. Delayed Payloads
Some skills worked perfectly for the first 48 hours. The malicious code only activated after a timer elapsed.
This beat most manual code reviews. You'd install it, test it, think "this works great," and move on. Two days later, it phones home.
The Damage
Here's what the malicious skills actually did once activated.
Credential Exfiltration
The primary target: your ~/.clawdbot/.env file.
That file holds your bot credentials. API keys. Tokens. Everything your OpenClaw instance needs to talk to services.
The malicious skills read that file and sent its contents to external webhooks controlled by the attacker. Silent. No error messages. No warnings.
Atomic Stealer Payload
Some skills carried a second-stage payload called Atomic Stealer.
This thing was nastier. It:
- Harvested API keys from environment variables (not just
.envfiles) - Injected a keylogger that captured everything you typed
- Persisted across reboots
Target Profile
The campaign focused on macOS and Windows machines. Specifically, always-on machines.
Mac minis are popular for self-hosted OpenClaw setups. They run 24/7. They hold API keys for every service the bot connects to. They're the perfect target.
If you're running OpenClaw on a Mac mini or a Windows desktop that stays on — you were in the crosshairs.
How to Check If You're Affected
Don't panic. But don't wait either.
Step 1: Run Clawdex
Koi Security released a free scanner called Clawdex specifically for this.
# Install Clawdex
npm install -g @koi-security/clawdex
# Scan your installed skills
clawdex scan --path ~/.clawdbot/skills
# Get a detailed report
clawdex scan --path ~/.clawdbot/skills --verbose --output report.json
Clawdex checks your installed skills against the known malicious skills database. It flags exact matches and fuzzy matches (for typosquatted variants).
Step 2: Manual .env Audit
Check if your credentials file was modified:
# Check last modified time
stat ~/.clawdbot/.env
# Look for unauthorized changes
git diff ~/.clawdbot/.env # if you version-control your config
If the file was modified at a time you didn't touch it — assume it was read.
Step 3: Check Outbound Connections
Look for suspicious network activity from your OpenClaw process:
# macOS
lsof -i -P | grep clawdbot
# Linux
ss -tunap | grep clawdbot
Any connections to unfamiliar IPs or domains? Flag them.
Step 4: Rotate Everything
If Clawdex flags a malicious skill — or if anything looks off in Steps 2-3:
- Rotate every API key in your
.envfile. All of them. Now. - Revoke OAuth tokens for any connected services.
- Remove the flagged skills from
~/.clawdbot/skills/. - Check your machines for persistence mechanisms (cron jobs, launch agents, startup scripts).
- Monitor your accounts for the next 30 days.
Do not skip the rotation step. If your keys were exfiltrated, changing them is the only fix. (More on this: Key Rotation for AI Agents.)
How to Protect Yourself Going Forward
The ClawHavoc campaign exposed a basic truth: open skill registries are supply chain attack surfaces.
Here's how to reduce your risk.
Use a Skill Allowlist
Don't install skills freely from ClawHub. Maintain a list of approved skills and stick to it.
# ~/.clawdbot/config.yaml
skills:
allowlist:
- @verified/google-sheets
- @verified/discord-tools
- @verified/telegram-bridge
block_unverified: true
Only install skills from verified publishers. Treat unverified skills like email attachments from strangers.
Scan Before Installing
Run every new skill through Clawdex before you install it:
clawdex check <skill-name> --registry clawhub
This checks the skill against the malicious database before it touches your machine.
Read the Code
Yes. Actually read it.
Skills are just code. Before installing, look at the source. Search for:
- Outbound HTTP requests (
fetch,axios,http.request) - File reads targeting
.env, credentials, or config files eval()or dynamic code execution- Obfuscated strings (Base64-encoded URLs are a red flag)
If the skill is minified and you can't read the source — don't install it.
Pin Versions
Never let skills auto-update without review. Pin your skill versions:
skills:
versions:
google-sheets: "2.1.0" # audited
discord-tools: "1.4.2" # audited
An update could introduce malicious code that wasn't in the version you reviewed.
What OpenClaw Is Doing About It
Credit where it's due. The OpenClaw team moved fast.
VirusTotal Partnership
OpenClaw partnered with VirusTotal to scan all ClawHub submissions. Every new skill goes through VirusTotal's malware database before it's listed.
This is a solid first step. But it has limits. VirusTotal catches known signatures. Novel payloads with no signatures can still slip through.
Community Response
The broader community stepped up:
- Koi Security continues maintaining the Clawdex scanner and malicious skills database
- 1Password published a detailed analysis of how skills become attack surfaces — required reading for anyone running OpenClaw in production
- The Register reported on API key leakage, bringing mainstream attention to ClawHub security
What's Still Missing
A few gaps remain:
- No retroactive scan. Skills published before the VirusTotal partnership haven't been scanned unless manually reported.
- No code signing. There's no way to verify a skill hasn't been tampered with after publication.
- No permission model. Skills get full access to your OpenClaw instance. There's no way to restrict a skill to only the APIs it needs.
These are hard problems. They won't be solved overnight.
The Bigger Picture
This isn't just an OpenClaw problem.
Every plugin ecosystem eventually faces this. npm had event-stream. PyPI had typosquatting campaigns. VS Code extensions had data exfiltration.
Open registries trade security for convenience. That trade-off works when the ecosystem is small. At scale, it becomes a target.
824 malicious skills out of ~4,100 total. That's a 20% infection rate.
For context, npm's worst typosquatting incidents affected fractions of a percent of packages. ClawHub's ratio is orders of magnitude worse.
The registry is small enough that a single motivated attacker can poison a significant portion of it. And that's exactly what happened.
FAQ
How many malicious skills are on ClawHub?
As of March 2026, Koi Security has identified 824+ malicious skills on ClawHub. That's roughly 20% of all skills in the registry. 335 of these trace back to the coordinated ClawHavoc operation.
What is the ClawHavoc campaign?
ClawHavoc is a supply chain attack discovered by Koi Security. A single threat actor published 335 malicious skills disguised as popular utilities — crypto wallets, Polymarket bots, Google Workspace integrations. The skills steal bot credentials, API keys, and install keyloggers.
How do I check if I installed a malicious OpenClaw skill?
Download Clawdex, the free scanner from Koi Security. Run clawdex scan --path ~/.clawdbot/skills to check your installed skills. Also check ~/.clawdbot/.env for unauthorized modifications and review outbound network connections from your OpenClaw process.
What data do malicious ClawHub skills steal?
They target bot credentials in ~/.clawdbot/.env, sending them to attacker-controlled webhooks. The Atomic Stealer payload also harvests API keys from environment variables and injects keyloggers.
Is OpenClaw doing anything about malicious skills on ClawHub?
Yes. OpenClaw partnered with VirusTotal to scan new ClawHub submissions. Koi Security maintains the Clawdex scanner. But skills published before the partnership haven't been retroactively scanned, and there's no code signing or permission model yet.
Skip the Risk Entirely
If managing skill security sounds like a full-time job — it kind of is.
Clawctl is managed OpenClaw hosting built around the assumption that things will go wrong.
Every tenant runs in its own Docker-isolated container with a socket proxy sidecar. Egress is deny-all by default — your agent can only reach domains you approve. 50+ high-risk actions require human approval before they execute. And every action gets logged to a searchable audit trail.
Your API keys stay where they belong — encrypted at rest, never sitting in a plaintext config file waiting to be exfiltrated.
It won't stop you from installing a bad skill. But it will stop that skill from phoning home, touching your filesystem, or running shell commands without your say-so.
Check out Clawctl — managed OpenClaw with security that actually works.
Related reading: