ClawHavoc explained: the supply chain attack that put 1,184 malicious skills on ClawHub

ClawHavoc is the name given to a coordinated supply chain attack campaign that planted malicious skills on ClawHub, the official marketplace for OpenClaw agent skills. Koi Security first reported 341 malicious skills in late January 2026. By mid-February, Antiy CERT expanded the count to 1,184 compromised packages distributed across 12 publisher accounts.

The timing was not accidental. The campaign exploited the early growth phase of ClawHub, when user trust in the marketplace was high and automated safety tooling was still being built. A user installing a skill with a plausible name and a handful of stars had almost no reliable way to know it carried a malicious payload.

Bitdefender Labs analyzed a sample of skills and found that approximately 17% of those it examined in early February 2026 carried malicious payloads. The most common payload was the AMOS infostealer, a macOS-targeted credential harvester that targets browser-stored passwords, crypto wallets, and session tokens.

Beyond AMOS, the campaign used skills to reach attacker-controlled servers via C2 callbacks, exfiltrate environment variables and API keys through POST requests, and install persistence mechanisms on infected hosts. Unit 42 found that 5% of the full ClawHub registry — roughly 2,490 skills — carried multi-stage attack chains that required mandatory security review.

Unit 42's Behavioral Integrity Verification research found something more troubling than ClawHavoc itself: 80% of ClawHub skills show at least one mismatch between their declared capabilities and what they actually do. Most of these are not malicious — they are sloppy or overly broad. But from a defender's standpoint, undeclared behavior is a risk surface regardless of intent.

Snyk's ToxicSkills study reached a similar conclusion: 36% of the 3,984 skills they scanned from ClawHub and skills.sh contained at least one security flaw, and 13.4% had critical-level issues. These numbers exist independently of ClawHavoc and suggest that supply chain hygiene for AI agent skills is a structural problem, not a one-time incident.

ClawHub integrated VirusTotal scanning and launched ClawScan following the initial disclosures. These tools help block known malicious files at upload time. However, subsequent analysis from February through May 2026 found that evasive malicious skills continued to appear on the marketplace, using techniques such as obfuscated payloads, staged downloads, and behavioral instructions embedded in natural language — methods that file-hash scanning cannot reliably catch.

TrustSkills runs static checks tuned to the specific patterns documented in the ClawHavoc campaign: C2 callback destinations associated with the campaign, data exfiltration patterns targeting environment variables and credential files, obfuscated payload structures using eval and base64 encoding, and prompt injection instructions embedded in skill descriptors.

For each finding, TrustSkills explains the risk in plain English rather than returning a hash or a CVE ID. The goal is to give the person evaluating the skill enough context to make a real security decision, not just a flag they have to look up.