Researchers uncovered more than 400 malicious skills for the OpenClaw AI agent platform published on ClawHub and GitHub between late January and early February 2026. The packages use ClickFix-style social engineering to trick users into installing Atomic Stealer (AMOS) and other info-stealing malware targeting crypto wallets, passwords, and developer credentials.
Incident overview
| Attribute | Details |
|---|---|
| Campaign name | ClawHavoc |
| Malicious skills identified | 400+ |
| Primary malware | Atomic Stealer (AMOS) |
| Target OS | macOS (primary), Windows (secondary) |
| Attack method | ClickFix-style fake prerequisites |
| Distribution | ClawHub marketplace, GitHub |
| Discovery | Koi Security (Oren Yomtov) |
| Verification | VirusTotal Code Insight |
What is OpenClaw and ClawHub?
OpenClaw (formerly Clawdbot and Moltbot) is a self-hosted AI agent that runs on your machine and executes real actions on your behalf: shell commands, file operations, network requests.
ClawHub is the marketplace for finding and installing third-party OpenClaw skills—extensions that add capabilities to the AI agent.
| Component | Risk level |
|---|---|
| OpenClaw agent | High—executes code with user privileges |
| ClawHub marketplace | Critical—minimal vetting of uploads |
| Third-party skills | Variable—depends on publisher |
Attack timeline
| Date Range | Event |
|---|---|
| January 27-29, 2026 | Initial batch of 28 malicious skills published |
| January 31 - February 2, 2026 | Second wave of 386 skills deployed |
| February 2, 2026 | VirusTotal Code Insight identifies hundreds of malicious packages |
| February 2, 2026 | Koi Security publishes full analysis |
Campaign discovery
The discovery was led by Koi Security researcher Oren Yomtov and his AI assistant “Alex,” an OpenClaw bot configured for threat analysis. Suspicious of the rapidly growing volume of skills available on ClawHub (over 2,800 at the time), Alex flagged concerns about the lack of vetting in the ecosystem.
This prompted a full audit of the marketplace, revealing the highly organized ClawHavoc campaign.
Infection rate
| Metric | Value |
|---|---|
| Total skills audited | 2,857 |
| Malicious skills identified | 341 |
| Infection rate | 11.9% |
| Single campaign attribution | 335 skills (98%) |
| Campaign window | January 27-29, 2026 |
The 11.9% malicious skill rate—nearly 1 in 8 packages—demonstrates that the week-old GitHub account requirement provides virtually no barrier to malicious actors.
The hightower6eu threat actor
One account dominated the campaign. The ClawHub user hightower6eu uploaded dozens of near-identical skills that became some of the most downloaded on the platform.
| Metric | Value |
|---|---|
| Skills analyzed from hightower6eu | 314 |
| Malicious percentage | 100% |
| Download rank | Among most downloaded on platform |
| Documentation quality | Extensive (to appear legitimate) |
The skills appear legitimate on the surface, with extensive documentation and real-seeming functionality, but each directs users to execute malicious commands as “prerequisites.”
Attack methodology
The malicious skills use a consistent pattern:
| Phase | Action |
|---|---|
| 1 | User discovers skill offering useful functionality |
| 2 | Skill README prominently mentions “AuthTool” or similar as critical dependency |
| 3 | Installation instructions direct user to download password-protected ZIP |
| 4 | Alternatively, user instructed to run obfuscated shell script |
| 5 | ”Prerequisite” installs Atomic Stealer or Windows infostealer |
| 6 | Malware runs silently, exfiltrating credentials |
This follows the ClickFix attack pattern: tricking users into executing malicious commands by framing them as necessary setup steps.
Malicious skill categories
| Category | Count | Notes |
|---|---|---|
| Crypto utilities | 111 | Solana/Phantom wallet trackers |
| YouTube tools | 57 | Video summarizers, downloaders |
| Finance/social trends | 51 | Yahoo Finance, X/Twitter trackers |
| Prediction market bots | 34 | Targeting Polymarket users |
| Auto-updaters | 28 | Fake update mechanisms |
| Google Workspace integrations | 17 | Productivity tool mimics |
Cryptocurrency-related skills were the most common, aligning with the malware’s focus on stealing crypto wallet credentials.
Typosquatting campaign
Beyond the hightower6eu account, attackers deployed an extensive typosquatting strategy:
| Target | Typosquats registered |
|---|---|
| clawhub | clawhubb, cllawhub, clawhub-cli |
| Core ClawHub tools | 24+ lookalike packages |
These typosquatted names catch users who mistype package names during installation.
Atomic Stealer (AMOS) payload
Analysis found 335 skills install Atomic Stealer on macOS. AMOS is a well-established macOS stealer designed to harvest:
| Data type | Targeted |
|---|---|
| System passwords | Yes |
| Application passwords | Yes |
| Browser cookies | Yes |
| Browser stored credentials | Yes |
| Cryptocurrency wallet files | Yes |
| Crypto exchange API keys | Yes |
| SSH credentials | Yes |
| Browser extension data | Yes (especially crypto wallets) |
The malware runs stealthily in the background, systematically exfiltrating sensitive data.
Memory poisoning attack
Perhaps most concerning, attackers specifically targeted OpenClaw’s memory files:
| Target file | Purpose | Attack impact |
|---|---|---|
| SOUL.md | AI agent personality/instructions | Permanently alter agent behavior |
| MEMORY.md | Persistent conversation context | Inject malicious instructions |
By accessing these files, attackers can execute memory poisoning attacks that permanently alter the AI’s behavior—potentially causing it to exfiltrate data, execute commands, or behave maliciously in future interactions without user awareness.
Windows payloads
Six skills delivered Windows-specific infostealers with similar credential-harvesting capabilities.
Technical indicators
| Indicator | Value |
|---|---|
| C2 Server | 91.92.242[.]30 |
| Primary Malware | Atomic Stealer (AMOS) |
| Platform | macOS (primary), Windows (secondary) |
| Distribution | ClawHub, GitHub |
| Indicator pattern | All skills share same C2 infrastructure |
All malicious skills share the same C2 infrastructure, indicating a single coordinated campaign rather than multiple independent actors.
Detection indicators
| Indicator | Meaning |
|---|---|
| Connections to 91.92.242[.]30 | Active C2 communication |
| Unexpected LaunchAgent entries | macOS persistence |
| New LaunchDaemon entries | System-level persistence |
| Processes accessing browser credential stores | Credential theft |
| Outbound data transfers post-skill installation | Exfiltration |
Platform security failure
The problem stems from ClawHub’s permissive design:
| Issue | Impact |
|---|---|
| Open by default | Anyone can upload skills |
| Minimal verification | Only requires 1-week-old GitHub account |
| No code review | Skills aren’t analyzed before publication |
| Reactive removal | Malware distributed during detection gap |
| No sandboxing | Skills execute with full user privileges |
Despite being notified, ClawHub’s maintainer admitted the registry cannot be secured. Most malicious skills remain online as of publication.
Defensive tool: Clawdex
To help users protect themselves, Koi Security published a skill called Clawdex that:
| Feature | Function |
|---|---|
| Pre-installation scanning | Checks skills against known malicious database |
| Retroactive scanning | Audits already-installed skills |
| Real-time updates | Receives new threat intelligence |
| Publisher verification | Flags suspicious account patterns |
While not a complete solution, Clawdex provides a layer of defense for users who continue to use ClawHub.
Separate from CVE-2026-25253
This supply chain attack is distinct from the recently patched CVE-2026-25253, a WebSocket hijacking vulnerability in OpenClaw itself that enabled one-click RCE through malicious links.
| Threat | Vector | Status |
|---|---|---|
| CVE-2026-25253 | Malicious link → WebSocket hijack → RCE | Patched in 2026.1.29 |
| ClawHavoc campaign | Malicious skills → Social engineering → Malware | Ongoing |
Users face risks from both the platform vulnerability and the malicious skill ecosystem.
Recommendations
For OpenClaw users
| Priority | Action |
|---|---|
| Critical | Audit installed skills—remove anything from untrusted publishers |
| Critical | Remove anything from hightower6eu |
| Critical | Never run “prerequisite” commands that download external executables |
| High | Avoid anything requiring “AuthTool” |
| High | Verify publishers—check GitHub account age, other projects, reputation |
| High | Rotate credentials if suspicious skills were installed |
For security teams
| Priority | Action |
|---|---|
| High | Block C2 IP 91.92.242[.]30 |
| High | Monitor for unexpected LaunchAgent/LaunchDaemon creation |
| High | Alert on processes accessing browser credential stores |
| Medium | Inventory AI agent deployments and their skill ecosystems |
| Ongoing | Include AI agent marketplaces in supply chain risk assessments |
For AI platform developers
| Priority | Action |
|---|---|
| Critical | Implement mandatory code review for skill submissions |
| High | Require verified publisher identities |
| High | Sandbox skill execution from sensitive data |
| Medium | Automated malware scanning of skill packages |
| Ongoing | Security audits of skill ecosystem |
Context
The OpenClaw ecosystem represents a new category of supply chain attack surface: AI agent skill marketplaces. As autonomous AI assistants gain popularity, their extension ecosystems inherit the same risks that have plagued browser extensions, npm packages, and VS Code extensions—with the added danger that AI agents may execute malicious code with less user oversight.
The combination of an insecurable skill registry, high-value crypto-targeting payloads, and sophisticated social engineering makes this campaign a preview of AI agent security challenges to come.
For organizations deploying AI agents, treat skill/plugin ecosystems as untrusted code and apply the same rigor used for any third-party software.
Atomic Stealer (AMOS) background
AMOS is a commodity macOS information stealer sold as malware-as-a-service:
| Attribute | Details |
|---|---|
| Pricing | $500-$1,000/month subscription |
| First observed | 2023 |
| Distribution model | MaaS (Malware-as-a-Service) |
| Primary targets | Cryptocurrency users, developers |
| Delivery methods | Fake apps, malvertising, supply chain |
The ClawHavoc campaign represents AMOS operators expanding into AI agent ecosystems—a natural evolution given the overlap between OpenClaw’s developer user base and cryptocurrency enthusiasts.