Cybersecurity researchers have uncovered a major supply-chain malware campaign targeting users of OpenClaw, a popular open-source AI assistant formerly known as Clawdbot and Moltbot. A comprehensive security audit found 341 malicious third-party skills on ClawHub — the marketplace for OpenClaw extensions — that are being used to distribute data-stealing malware and expose users to serious security risks.
The discovery highlights how community-driven AI ecosystems with weak vetting processes can be exploited by threat actors to push malware at scale, turning what should be helpful tools into dangerous vectors for credential theft, system compromise, and financial loss.
What Are ClawHub and OpenClaw?
OpenClaw is a self-hosted AI assistant platform that allows users to install “skills” — modular add-ons that expand the assistant’s capabilities, much like mobile apps or browser extensions. These skills are shared through ClawHub, an online marketplace where developers publish extensions for others to use.
ClawHub’s open-entry model lets developers publish skills with minimal verification — only requiring a GitHub account that is at least one week old — making it attractive for both legitimate creators and opportunistic attackers.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
The ClawHavoc Campaign: Trojanised Skills in the Wild
Security firm Koi Security, aided by an AI analysis bot named Alex, audited 2,857 skills on ClawHub and identified 341 that were clearly malicious, mainly concentrated in a coordinated campaign now dubbed ClawHavoc.
Most of the malicious skills didn’t hide their danger in obvious ways. Instead, they masqueraded as useful utilities — such as cryptocurrency wallet trackers, YouTube tools, finance dashboards, auto-updaters, and Google Workspace add-ons — and included additional “prerequisite” steps that led users to install hidden malware.
For example:
- Crypto and wallet utilities were labelled as Solana wallet trackers
- Productivity tools claimed to summarise YouTube videos
- “Auto up-dater” skills falsely promised convenient updates
- Fake Google integrations suggested Gmail/Calendar enhancements
Once installed, these skills triggered malicious payloads that installed a commodity stealer known as Atomic Stealer (AMOS). This malware can collect sensitive data — including credentials, API keys, private wallet keys, SSH keys, and browser passwords — from the compromised machine.
How the Malware Trick Works
Unlike typical stealth malware that hides deep in code, these malicious skills relied on social engineering:
- The skill appeared legitimate and professionally documented.
- The documentation instructed users to install an extra file or run a command — such as downloading “openclaw-agent.zip” or pasting a script into a macOS Terminal.
- That step triggered the installer to fetch and execute additional malware from attacker-controlled servers.
By breaking the attack into seemingly harmless steps, attackers increased the chance that users would follow instructions without suspicion.
Risks to Users and Developers
The malware revealed in this campaign can steal a wide range of data:
- Cryptocurrency wallet private keys — giving attackers direct access to digital assets.
- Exchange API keys — enabling remote financial transactions.
- SSH credentials and login tokens — allowing deeper system access.
- Browser cookies and passwords — exposing personal accounts and stored secrets.
Because OpenClaw is often run with broad permissions and may have access to local files, email, and system credentials, a compromised skill can give attackers almost unrestricted access to the host environment.
OpenClaw Responds, Security Measures Updated
The uncovering of the ClawHavoc campaign has prompted immediate security responses from the OpenClaw community. Developers behind the project are rolling out reporting features that allow users to flag suspicious skills on ClawHub — skills with multiple unique reports are now auto-hidden while investigations occur.
However, security experts have warned that marketplaces with minimal vetting are inherently vulnerable to abuse, and users should treat third-party skills like executable software — vetting publishers, reviewing code if possible, and avoiding untrusted uploads.
Broader Implications: Supply Chain Risks in AI Tools
The ClawHub incident underscores a larger cybersecurity concern: AI-driven ecosystems with third-party extensions are increasingly becoming targets for supply-chain attacks. Similar threats have been seen with plugin markets for programming environments and browser extensions, where malicious code is injected into legitimate-looking packages to harvest data or deliver backdoors.
Koi Security’s findings also coincide with reports of other serious vulnerabilities in OpenClaw — including critical flaws allowing one-click remote code execution via malicious links — illustrating that AI assistants with system access must be secured both at the code and ecosystem level.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
