ClawHavoc Campaign Analysis: How 1,184 Malicious Skills Passed ClawHub Review

The ClawHavoc campaign is the largest supply chain attack in the OpenClaw ecosystem — and one of the more sophisticated social engineering operations we've seen targeting an open source package registry. This post breaks down how the attack worked, why existing tools failed to catch it, and what indicators to look for in your own deployment.

Everything here is sourced from published security research (Koi Security, Antiy CERT, Snyk, eSecurity Planet) and supplemented with our own analysis of 1,184 confirmed malicious skills.

Timeline

January 27, 2026: Koi Security researcher Oren Yomtov — working with his own OpenClaw assistant — begins auditing all 2,857 skills on ClawHub. Within two minutes, he identifies the first malicious package. By the end of the audit, 341 are flagged as malicious. 335 come from a single coordinated campaign.

Early February 2026: Antiy CERT expands the analysis and identifies 1,184 malicious packages tied to 12 publisher accounts. One account alone pushed 677 packages. The campaign is tracked as Trojan/OpenClaw.PolySkill.

February 2026 (ongoing): Multiple security firms begin publishing advisories. Updated scans report over 800 confirmed unique malicious skill names (roughly 20% of the total registry). Some packages accumulate over 14,000 downloads before takedown.

The Attack Architecture

The ClawHavoc campaign used a three-stage architecture, each stage designed to evade a different type of detection.

Stage 1: Legitimate-looking SKILL.md files

Every malicious skill had a professional SKILL.md — proper markdown formatting, clear feature descriptions, version history, installation instructions. The skill names targeted high-value categories where users would be motivated to install quickly without careful review: cryptocurrency tools (111+ skills), Polymarket trading bots (34+), YouTube utilities (57+), and ClawHub CLI typosquats (29+ variants like clawhubb, clawhubcli, clawwhub).

The actual skill code in most cases was either minimal or genuinely functional. Several Polymarket bots actually connected to the Polymarket API and returned real data. The malicious payload wasn't in the skill logic — it was in the install step.

Stage 2: ClickFix social engineering

This is the clever part. The SKILL.md files included a "Prerequisites" section that instructed users to download and run a separate utility before the skill would work. Something like:

The user thinks they're installing a dependency. They're actually running the first stage of a malware chain. Password-protecting the Windows ZIP defeats most automated scanning. The macOS payload hosted on glot.io (a legitimate code snippet service) avoids domain-based reputation filtering.

This technique — using fake "fix" or "setup" instructions to get users to voluntarily execute malware — is called ClickFix. It's been used in other contexts, but ClawHavoc's application to an AI agent ecosystem was effective because OpenClaw users are already accustomed to running terminal commands as part of normal setup.

Stage 3: AMOS stealer delivery

The macOS chain downloads a base64-encoded shell script that decodes and executes in memory, then pulls the Atomic macOS Stealer (AMOS). AMOS is a well-documented commercial stealer that targets:

• Browser credentials from Chrome, Firefox, and Safari
• macOS Keychain data
• Telegram session files
• SSH keys
• Cryptocurrency wallet data across multiple platforms (Bitcoin, Ethereum, Solana, Phantom)
• API keys from OpenClaw's own configuration files

The Windows chain extracts a keylogger from the password-protected ZIP. Both chains exfiltrate stolen data to attacker-controlled infrastructure.

Outlier Attacks Outside the Main Campaign

Not everything we cataloged belongs to the coordinated ClawHavoc operation. Koi Security identified several outlier attacks using more sophisticated techniques.

Reverse shell backdoors in functional code. Skills like better-polymarket and polymarket-all-in-one actually worked as described — they connected to the Polymarket API and returned real trading data. But embedded in the functional code was a reverse shell that opened an interactive connection to the attacker's server. These are harder to detect because the skill passes a basic functionality test.

Credential exfiltration via webhook.site. A skill called rankaj used a different approach entirely — no AMOS, no ClickFix. It simply read the contents of ~/.clawdbot/.env (where API keys are stored) and POSTed them to webhook.site, a free webhook testing service. Simple, effective, and invisible unless you're monitoring outbound network traffic.

Delayed activation. Some skills waited 24-48 hours after installation before exfiltrating data. On first install, they behaved normally. The malicious behavior triggered on the second run or after a time check. This defeats the most common review pattern: install the skill, test it once, and move on.

Why Existing Tools Failed to Catch It

This is the part that matters for defenders. The ClawHavoc campaign exposed gaps in every layer of the detection stack.

ClawHub's review process didn't catch any of the 1,184 packages. The SKILL.md files were well-formatted, the skill code was clean (or genuinely functional), and the malicious payload was in the "prerequisites" — a section that describes manual steps for the user, not code that the platform can automatically analyze.

VirusTotal integration (added after the initial disclosures) scans skill files for known malware signatures. It catches the AMOS payload if it's present in the skill directory, but it doesn't catch:

• ClickFix social engineering in SKILL.md text
• Skills that download malware at runtime rather than including it in the package
• Reverse shells embedded in otherwise functional code
• Credential exfiltration using legitimate services like webhook.site

The built-in openclaw security audit checks gateway configuration, file permissions, and known CVEs. It does not scan installed skills against IOC databases, check SKILL.md files for social engineering patterns, detect MCP server proxying, monitor for persistence mechanisms, or verify identity file integrity.

SecureClaw (Adversa AI) extends the built-in audit with 56 checks and includes some supply chain indicators. It's a meaningful improvement. But like all automated tools, it works from known patterns — it can't assess whether a specific skill's "prerequisites" section contains social engineering or whether a functional skill has a reverse shell hidden in its legitimate code.

The fundamental challenge: detecting social engineering in natural language documentation requires contextual judgment that automated tools don't yet handle well. A "prerequisites" section that says "download this utility and run it" looks identical whether it's legitimate or malicious — the difference is what the downloaded utility does.

IOC Samples from Our Database

We've cataloged 1,184 confirmed malicious skill names across 16 categories. Here's a representative sample to give defenders something to check against immediately.

ClawHub CLI typosquats (high confidence — any match is malware): clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub, clawdhub1, clawdhub

Crypto/wallet tools (sample from 111+ skills): solana-wallet-tracker, phantom-wallet-utils, phantom-wallet-pro, insider-wallet-finder, wallet-tracker-pro, sol-whale-tracker, crypto-wallet-pro, token-sniper-bot

Fake security scanners (the irony): security-scanner-pro, virus-checker, malware-detector, safe-skills-checker

Known malicious publishers: zaycv (uploaded ClawHub typosquats), hedefbari (hosted malware on GitHub releases), Ddoy233 (campaign-specific GitHub account), moonshine-100rze (60+ packages, 14,285+ downloads before takedown). All accounts were created in late January 2026 with no prior GitHub activity.

C2 infrastructure: Payload hosting via glot.io (base64-encoded macOS payloads) and GitHub releases from campaign-specific accounts. Exfiltration via webhook.site. Technique signatures include base64 -d | bash, curl -sSL [URL] | sh, and password-protected ZIPs with password openclaw.

To check your installation against these IOCs:

# List installed skills and check against known-bad names
openclaw skills list --paths

# Search for suspicious patterns in SKILL.md files
find ~/.openclaw/skills -name "SKILL.md" -exec grep -liE \
  '(curl|wget|bash -c|powershell|base64.*decode)' {} \;

# Check for unexpected outbound connections
lsof -i -nP | grep ESTABLISHED

These commands catch the basics. The full 1,184-skill IOC database with names, publisher accounts, file hashes, behavioral signatures, and C2 indicators is available in the BulwarkAI Security Blueprint.

What Defenders Should Do Now

Immediate (today)

1. Update OpenClaw to v2026.2.14 or later
2. Check your installed skills against the IOC samples above
3. If you installed any skill from ClawHub before February 2026, assume your credentials may have been exposed. Rotate API keys, LLM provider tokens, and SSH keys.

Short-term (this week)

4. Run openclaw security audit --deep and fix everything it flags
5. Review your SKILL.md files for suspicious "prerequisite" sections — look for download links you don't recognize
6. Check crontab -l for entries you didn't create (persistence mechanism)
7. Restrict outbound network access to known-good domains only

Ongoing

8. Hash your identity file (sha256sum ~/.openclaw/identity.json) and check it after every skill install
9. Audit MCP server configurations — verify every registered server is one you intentionally set up
10. Monitor the OpenClaw security advisories and ClawHub takedown notices

The ClawHavoc campaign wasn't the first supply chain attack on an AI agent ecosystem, and it won't be the last. The pattern — legitimate-looking packages with payloads hidden in install steps or delayed activation — will be reused because it works. The best defense is a combination of automated tools and manual review, with particular attention to anything that asks you to download and run external code.