Security Researchers Uncover 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users

Cybersecurity researchers have exposed a large-scale supply-chain malware campaign targeting OpenClaw, a widely used open-source AI assistant previously known as Clawdbot and Moltbot. A detailed security audit has identified 341 malicious third-party skills hosted on ClawHub - the official extension marketplace - that were actively stealing sensitive user data and compromising systems.

The findings reveal how open, community-driven AI ecosystems with minimal verification controls are increasingly being weaponised by threat actors. What appears to be a helpful AI enhancement can quickly become a gateway for credential theft, financial compromise, and full system access.

What Are ClawHub and OpenClaw?

OpenClaw is a self-hosted AI assistant platform that allows users to install modular “skills” to extend functionality - similar to browser extensions or mobile apps. These skills are distributed via ClawHub, an open marketplace where developers can publish extensions with very limited checks, requiring little more than a GitHub account that is just a week old.

This low barrier to entry has encouraged innovation - but it has also opened the door for abuse at scale.

The ClawHavoc Campaign: Trojanised Skills in the Wild

Security firm Koi Security, assisted by an AI analysis system named Alex, audited 2,857 skills on ClawHub and confirmed that 341 were malicious, forming a coordinated campaign now referred to as ClawHavoc.

Rather than deploying obviously suspicious tools, attackers disguised malware as legitimate utilities, including:

• Cryptocurrency wallet trackers (often branded as Solana tools)

• YouTube summarisation and analytics skills

• Productivity dashboards and “auto-updaters”

• Fake Google Workspace and Gmail integrations

Once installed, these skills deployed Atomic Stealer (AMOS) - a well-known commodity malware capable of extracting credentials, browser data, API keys, private crypto wallets, SSH keys, and system secrets.

How the Malware Trick Works

Unlike traditional hidden malware, the ClawHavoc attack relied heavily on social engineering:

1. The skill appeared legitimate and professionally documented

2. Users were instructed to complete a “prerequisite” step

3. This involved downloading a ZIP file or running a Terminal command

4. The command fetched and executed malware from attacker-controlled servers

By breaking the attack into seemingly harmless steps, attackers significantly increased success rates - especially among technically confident users.

Risks to Users and Developers

The malware involved in this campaign presents severe risks:

• Crypto wallet theft leading to irreversible asset loss

• Exchange API key compromise, enabling unauthorised trades

• SSH and system credential exposure

• Browser password and cookie harvesting

Because OpenClaw often runs with elevated permissions, compromised skills can access local files, development environments, and financial data. In business contexts, such breaches can quietly corrupt financial records - reinforcing why structured controls, reconciliations, and professional bookkeeping services in india are critical for early detection of unauthorised transactions and data misuse.

OpenClaw Responds, Security Measures Updated

Following the disclosure, OpenClaw maintainers introduced emergency safeguards:

• Community reporting tools to flag suspicious skills

• Automatic hiding of skills receiving multiple independent reports

• Increased scrutiny of skill documentation and external installers

However, security experts caution that marketplaces with minimal vetting will remain high-risk unless stronger governance, automated scanning, and mandatory code transparency are enforced.

Broader Implications: Supply Chain Risks in AI Tools

The ClawHub incident is part of a growing global trend: supply-chain attacks targeting plugin-based ecosystems. Similar compromises have been seen in browser extensions, IDE plugins, and cloud automation tools.

As AI assistants gain deeper system access and enterprise adoption, their extension marketplaces become prime targets. Without robust controls, one malicious add-on can compromise thousands of users silently.

The incident underscores a clear lesson: AI tools are no longer just software - they are infrastructure. And infrastructure without governance becomes an attack surface.