The OpenClaw skills marketplace got owned. That's the simplest way to put it. From late January through February 2026, attackers uploaded somewhere between 341 and 1,184 malicious "skills" (extension packages that add functionality to an OpenClaw agent) to ClawHub, the official marketplace. Estimates vary because researchers from different firms counted at different points in the campaign, but the directional number is settled: a meaningful percentage of the catalog was malicious for several weeks, and roughly 300,000 OpenClaw users were affected before the bad packages were taken down.1

This article is the post-mortem version of the warning I wrote in March about OpenClaw security risks. That piece told you the marketplace was a problem in waiting. ClawHavoc is what happened when the wait ended. The technical details are worth understanding, but the broader story is the structural one: the AI agent ecosystem is reproducing every problem the package-manager ecosystems already learned the hard way, faster, and with higher-trust execution than any traditional package gets.

The timeline

The first malicious skill landed on ClawHub on January 27, 2026. Uploads surged on January 31. Koi Security named the campaign ClawHavoc on February 1 after their detection bot ironically caught the packages it was being targeted by. Koi initially identified 341 malicious skills.2

Antiy CERT followed with a broader scan and reported at least 1,184 malicious skill packages, with later estimates suggesting the number rose into 800-plus distinct active skills at peak (about 20% of the registry at the time).3 Trend Micro published technical analysis confirming the payload was Atomic macOS Stealer (AMOS), a commodity malware-as-a-service variant they had previously tracked under the detection name Trojan.MacOS.Amos.4

By the time the takedown work caught up, the campaign had reached an estimated 300,000-plus AI agent users.1 Subsequent broader audits put the surrounding landscape in starker terms: 7.6% of ClawHub's 31,000-plus skills contain patterns classified as dangerous (credential exfiltration, outbound data transfer to unknown endpoints, obfuscated shell commands), and the malicious-skill universe across GitHub more broadly is now estimated at 2,200-plus packages. ClawHavoc was the cluster that got named. It is not the only one.5

What the malicious skills did

The packages used three attack patterns, sometimes in combination.1

Staged downloads. A skill that looked benign on first install would call out to a second-stage URL after activation, pulling additional malware that the original package didn't contain. This pattern beats static analysis tools that only inspect the published artifact.

Reverse shells via Python. Several packages embedded Python system() calls that opened a shell back to attacker-controlled infrastructure. Once established, the attacker had hands on keyboard inside the victim machine.

Direct data grabs. The simplest pattern: skills that did exactly what they advertised, plus exfiltrated browser credentials, keychain entries, SSH keys, and crypto wallet files in the background. The victim might not notice anything wrong for weeks.

Trend Micro's deeper analysis surfaced one wrinkle that matters specifically for what to tell your team. The current AMOS variants embedded in OpenClaw skills do not silently exfiltrate the macOS Keychain; they pop a deceptive setup dialog that asks the user to type their account password manually, as if it were a legitimate install prompt from a tool they already trust. The exfiltration only succeeds when the human types the password. That makes the practical employee-training message specific: an AI agent skill that asks for your account password during install is the attack signature. The correct response is to cancel and report it.4

The eventual payload across all three patterns was AMOS, sold as malware-as-a-service for roughly $500 to $1,000 per month. AMOS harvests browser-stored credentials, macOS Keychain passwords (where the dialog trick succeeds), cryptocurrency wallet data, SSH keys, and arbitrary files from common user directories. Strings inside the binary are encrypted with a multi-key XOR scheme to defeat static analysis. The variants are Mach-O universal binaries that run on both Intel and Apple-silicon Macs.4

Disguises that made the bad skills look legitimate

The package names were not random. The most-uploaded category, more than 100 skills, posed as cryptocurrency tools: Solana wallet utilities, Phantom wallet helpers, Polymarket integrations. 57 were YouTube-related. 51 presented as finance or social media tools. A separate category targeted ClawHub itself with typosquats of the official command-line interface.1

The pattern is familiar to anyone who has watched npm or PyPI deal with similar attacks: the most popular legitimate categories attract the most parasitic uploads, because that's where the search traffic is. The attackers were not being clever about targeting. They were being efficient.

The upload policy that made this possible

This is the part that should land for any business owner thinking about installing an OpenClaw skill.

ClawHub's publishing policy at the time of the attack required a publisher to have a GitHub account that was at least one week old. That was the entire trust check. No identity verification. No code signing. No mandatory static analysis before publication. No human review. Anyone with a one-week-old GitHub account could upload anything to a marketplace where the published artifact gets executed inside a context that has access to whatever the user's OpenClaw instance has access to.

This is not malice on the maintainers' part. It's a stance toward openness that worked at small scale and broke at scale. Every package ecosystem (npm, PyPI, RubyGems, Cargo, Go modules) has had some version of this same lesson in its history. The difference with an AI agent skill registry is what the executable code can reach. A typical PyPI package gets installed and runs in a Python interpreter on a developer's laptop. A ClawHub skill gets installed and runs inside an agent that has been granted access to the user's email, their files, their browser, sometimes their bank account if they wired up that integration. The blast radius is much larger by default.

What OpenClaw and ClawHub have shipped in response

The marketplace's response to ClawHavoc has been substantial, and most of it happened between February and mid-May 2026. The current posture is materially different from the one in place when the attack landed, though it is not yet complete.6

Mandatory disable-model-invocation security control. Post-ClawHavoc, the flag that prevents a freshly-installed skill from invoking the underlying model without explicit user confirmation became required rather than optional. This is the protocol-level brake that would have prevented a meaningful fraction of the original campaign's payloads from running unattended.

ClawHub publisher identity verification. The one-week-old-GitHub-account check is gone. Publishers now must verify their identity via GitHub or email before they can publish, and verified publishers get author badges that show up on the skill listing.

Required code signing on new submissions. Every skill published after the policy change must be signed. Unsigned skills already in the registry continue to function but are flagged in the UI.

Stalled-download cancellation. ClawHub now cancels stalled archive body reads instead of leaving installs hanging after headers arrive, which was a vector used in the staged-download variants of the attack.

Plugin compatibility metadata required for npm releases. The package contract between the npm plugin publish plan and ClawHub now has to match before packages ship, which closes one of the cross-ecosystem injection paths that earlier attackers exploited.

May 15, 2026 security roadmap. OpenClaw published a longer-horizon plan with filesystem safeguards, network egress control, and enhanced plugin integrity checks. The roadmap explicitly preserves the agent's ability to access local files, run commands, and interact with external systems while putting more controls around how those capabilities are exposed to skills.

The honest read on this set: it closes most of the specific vectors ClawHavoc used. It does not eliminate the structural risk that the marketplace model creates, and it does not retroactively clean the catalog. The 7.6% dangerous-pattern share remains the open issue: most of those skills predate the new policies and continue to function until specifically taken down. The third-party scanner ecosystem (Koi's Clawdex, NemoClaw, DefenseClaw, the newer ClawSecure verification service) is the gap-filler.7

What this means for a business running OpenClaw

If you have OpenClaw deployed (yourself or an employee), or you have an agent platform built on top of it, you should treat the marketplace skills the same way you'd treat browser extensions on a customer-facing employee laptop. Which is to say, with suspicion and a list of approved ones.

Enable disable-model-invocation by default. Post-ClawHavoc this is the required setting on new OpenClaw deployments, but older instances may still have it off. Confirm it's on for every agent you run before doing anything else. It is the one-line change that does the most work on this list.

Inventory what's installed. For each OpenClaw instance in your business, list the skills currently active. The agent's configuration file is the source of truth. Do not trust the names; the typosquats are designed to read as legitimate.

Run a scanner. Koi Security released Clawdex, a free tool that scans installed skills against their database of known malicious packages.2 NVIDIA's NemoClaw and Cisco's DefenseClaw cover similar ground from different angles; the comparison piece on NemoClaw vs DefenseClaw covers when to use which. The newer ClawSecure verification service offers a paid, ongoing 3-tier audit if you want the recurring check rather than a one-shot scan.7

Pin versions. If a skill is doing useful work, pin it to a specific version that you've reviewed. Auto-update for marketplace skills is the same risk shape as auto-update for browser extensions: a benign skill can be sold to an attacker who pushes a malicious update on day 200.

Restrict what the agent can reach. The hybrid architecture pattern (described in the n8n + OpenClaw piece) is the most effective control here. If the agent doesn't have direct credentials, a malicious skill cannot exfiltrate them. The skill can only ask the workflow tool to take actions the workflow tool is configured to allow.

Tell your team about the password-dialog trick. The current AMOS variant in this campaign needs the user to type their account password into a fake setup dialog for the most damaging exfiltration to succeed. An AI agent skill that asks for your account password during install is the attack signature. The correct response is cancel, do not type it, and report it.

Assume macOS endpoints are in scope. AMOS is a macOS-specific stealer. If the OpenClaw instance runs on a Mac, or a Mac in your business has interacted with one, the device has been a candidate target. Standard endpoint hygiene applies: rotate credentials that were stored in the browser or keychain, check for unauthorized SSH key usage in your hosting accounts, and audit recent crypto wallet transactions if any.

The single most useful question to ask: when an employee installed a ClawHub skill last quarter, who reviewed the code, and where is that review documented? If the answer is "nobody and nowhere," your remediation list is the inventory of every skill you have installed.

The bigger lesson for any AI agent platform

OpenClaw's ClawHub is the visible incident, but the structural risk is shared by every agent platform that allows third-party extensions. Anthropic's MCP ecosystem has the same shape. The OpenAI custom GPT marketplace has the same shape. Any framework where the agent can install and execute a community-contributed package, with whatever access the agent has, is vulnerable to this pattern.

The fix at the platform level is well understood: identity verification for publishers, mandatory static analysis on publication, signed releases, an immutable trust record per version, and a clear takedown pipeline when a package is flagged. These are not new ideas. The PyPI and npm ecosystems implemented versions of all of them, mostly after similar incidents. The agent ecosystem is at the "before similar incidents" stage on most platforms. ClawHavoc is the wake-up call.

The fix at the user level is equally well understood: treat marketplace packages with suspicion, prefer pinned and reviewed dependencies, restrict the agent's blast radius, and have a real incident response plan if a malicious package gets in. None of that is unique to AI. It's the same hygiene every developer learned from their first npm or PyPI scare. The difference is that the AI agent skills run with much higher default trust than a typical package, which means the consequences of getting it wrong are also higher.

The Bottom Line

  • From late January through February 2026, attackers uploaded between 341 and 1,184 malicious skills to OpenClaw's ClawHub marketplace, reaching roughly 300,000 users before takedowns caught up. Newer audits flag 7.6% of the 31,000-plus skill catalog as containing dangerous patterns; ClawHavoc is the cluster that got named, not the only one.
  • The payload across the campaign was Atomic macOS Stealer (AMOS), a commodity malware-as-a-service that harvests browser credentials, crypto wallets, SSH keys, and arbitrary files. Current variants need the user to type their account password into a fake setup dialog for the Keychain exfiltration to succeed; that's the practical employee-training signature.
  • The marketplace's trust policy at the time was "publisher must have a GitHub account at least one week old." That's the entire check.
  • OpenClaw shipped a substantial response: disable-model-invocation is now mandatory, ClawHub requires publisher identity verification and code signing on new submissions, stalled-download cancellation closes a staged-payload vector, and the May 15 security roadmap adds filesystem safeguards, network egress control, and plugin integrity checks. The structural marketplace risk and the not-yet-cleaned legacy catalog are still open.
  • If your business runs OpenClaw: confirm disable-model-invocation is on, inventory installed skills, run Koi's free Clawdex or the newer ClawSecure for ongoing checks, pin versions, restrict the agent's reachable surface, tell your team about the password-dialog trick, and assume any Mac that interacted with the instance was a candidate target.
  • The pattern is not unique to OpenClaw. Every AI agent platform with a third-party extension marketplace has the same structural risk. The fixes (publisher identity, static analysis, signed releases, real takedown pipelines) are the lessons npm and PyPI already learned the hard way.

If your business runs OpenClaw, Claude Code, or any AI agent with installable skills or connected SaaS-side AI features, the inventory-hygiene-and-hardening work is exactly the engagement covered by my AI agent security review. Worth doing before the next ClawHavoc-style campaign rather than after. Connect on LinkedIn.

Keep reading: OpenClaw Security: What CTOs Need to Know is the warning piece this is the post-mortem of. NemoClaw vs DefenseClaw covers the layered defenses. The OpenClaw + n8n hybrid architecture covers the blast-radius control that matters most here.

Sources

  1. Campaign scale, ~300,000 users affected, attack patterns and disguise categories. Per Repello AI's incident analysis and Cyberpress coverage.
  2. Koi Security's initial 341-skill identification, ClawHavoc naming, and Clawdex detection tool release. Per Koi Security's writeup.
  3. Antiy CERT broader 1,184 malicious-skill count. Per follow-on coverage at SC Media and The Hacker News.
  4. AMOS payload analysis, password-dialog social-engineering wrinkle, multi-key XOR encryption, Mach-O universal binary detail, Trend Micro detection naming. Per Trend Micro's technical analysis and the Acronis "Poisoning the well" cross-platform post-mortem. AMOS pricing of $500-$1,000/month per Repello AI's incident analysis.
  5. 7.6% of 31,000+ ClawHub skills flagged as dangerous patterns; 2,200+ malicious AI-agent skills across GitHub more broadly. Per VibeCoding's ClawHub security risks analysis and Sangfor's supply-chain abuse breakdown.
  6. OpenClaw security roadmap (May 15, 2026), mandatory disable-model-invocation, ClawHub identity verification, code signing, stalled-download cancellation, plugin compatibility metadata. Per Blockchain News's coverage of the security upgrades, OpenClaw's patch notes, and the post-crisis safe-install guide aggregating policy changes.
  7. Third-party scanner ecosystem: Clawdex (Koi), NemoClaw (NVIDIA), DefenseClaw (Cisco), ClawSecure verification service. Per ClawSecure's verified-skills marketplace listing and ongoing coverage at MintMCP's running tally of OpenClaw security advisories.