OpenClaw Ecosystem Targeted by Malicious ClawHub Skills and Infostealer Theft of Agent Configuration Files
A supply-chain poisoning campaign dubbed ClawHavoc compromised OpenClaw’s official ClawHub marketplace by distributing 1,184 trojanized “Skills” intended to steal data and establish backdoor access on victim systems. Reporting attributes the initial disclosure to Koi Security, with Antiy CERT later tracking the activity as the TrojanOpenClaw PolySkill family and linking the uploads to 12 publisher accounts (including one responsible for 677 packages). The attackers abused ClawHub’s permissive publishing model (any GitHub account older than one week could upload), mass-posting Skills disguised as crypto trading bots, productivity tools, and social utilities; analysis described behaviors including ClickFix-style download prompts and reverse-shell droppers enabling remote command execution and persistence.
Separately, researchers reported infostealer activity exfiltrating sensitive files from victims’ local OpenClaw directories—openclaw.json, device.json, soul.md, and related memory files—highlighting how AI-agent artifacts can be leveraged beyond traditional credential theft. Hudson Rock assessed the malware as broadly harvesting files by extension rather than explicitly targeting OpenClaw, but warned dedicated modules are likely to emerge to decrypt/parse these agent files. The stolen data could enable attackers to connect to a victim’s local OpenClaw instance (notably if port 18789 is exposed) using gateway.auth.token, and potentially bypass “Safe Device” checks by abusing keys from device.json to sign messages as the victim’s paired device and access connected services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
OpenClaw partners with VirusTotal to scan ClawHub for malicious skills
Following the discovery of malicious skills in ClawHub, OpenClaw partnered with Google VirusTotal to scan marketplace uploads and perform recurring rescans to catch malicious or mutated packages. The move was part of OpenClaw's response to the marketplace abuse.
Researchers report infostealer theft of sensitive OpenClaw local files
Hudson Rock reported one of the first publicly disclosed cases of infostealer malware exfiltrating sensitive files from the OpenClaw directory, including configuration, device, and memory files. The stolen data could enable remote access to a victim's local OpenClaw instance, message signing as the victim's device, and exposure of personal context.
Antiy CERT identifies 1,184 malicious skills across 12 publisher accounts
By February 5, Antiy CERT had classified the malware as the TrojanOpenClaw PolySkill family and identified 1,184 malicious packages tied to 12 publisher accounts. Reporting said the skills used techniques including ClickFix-style lures, reverse-shell droppers, and direct data theft, with some infections delivering Atomic macOS Stealer.
Koi Security discloses the ClawHavoc marketplace poisoning campaign
Koi Security disclosed the ClawHavoc supply-chain poisoning campaign affecting OpenClaw's ClawHub marketplace. The disclosure described malicious skills used to steal data, deliver malware, and establish backdoor access through social engineering and embedded malicious instructions.
Threat actors begin mass-uploading malicious ClawHub skills
In late January 2026, multiple threat actors registered as ClawHub developers and uploaded trojanized OpenClaw skills disguised as legitimate tools such as crypto, productivity, and social media utilities. The campaign abused ClawHub's permissive publishing model to seed malware at scale.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Massive OpenClaw supply chain attack floods OpenClaw with malicious skills | SC Media
scworld.com
Open sourceOpenClaw's #1 Skill is a Malware that Stole SSH Keys, and Opened Reverse Shells in 1,184 Packages
cybersecuritynews.com
Open sourceClawHavoc Poisoned OpenClaw’s ClawHub with 1,184 Malicious Skills, Enabling Data Theft and Backdoor Access
cybersecuritynews.com
Open sourceInfostealer exfiltrates sensitive OpenClaw files | SC Media
scworld.com
Open sourceAI 에이전트 확장 마켓플레이스 ClawHub, 대규모 공급망 공격 발생
blog.alyac.co.kr
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the *OpenClaw* self-hosted AI assistant ecosystem is being abused for malware distribution via **ClawHub**, a public registry for third-party “skills.” At least **14 malicious skills** uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on **Windows and macOS**, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs. Separate reporting also highlighted a related risk: a **1-click remote code execution (RCE)** issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
Feb 10, 2026
OpenClaw AI Agent Skills Abused for Credential Exposure and Prompt-Injection Backdooring
Security researchers and media reports warned that the open-source AI agent **OpenClaw** (formerly *Moltbot/Clawdbot*) can be abused via its *ClawHub* “skills” ecosystem, with findings that **~7.1% of marketplace skills** contributed to exposure of **API keys, credentials, and credit card data** due to problematic `SKILL.md` instructions. Snyk highlighted a particularly severe example, **buy-anything skill v2.0.0**, which performs credit-card “tokenization” in a way that can be used to **pilfer financial details** before prompting users to provide card information. Additional research described **indirect prompt-injection** risk: a malicious Google document can coerce OpenClaw into integrating a new **Telegram bot**, enabling follow-on actions such as **file exfiltration** and deployment of a **Sliver** command-and-control beacon for persistence, with potential for **privilege escalation, lateral movement, and ransomware execution**. Separately, one report noted OpenClaw’s move to scan skills with **VirusTotal**, but also emphasized that signature-based scanning is not a complete mitigation for **prompt-injection** and other logic-level abuses; other items in the same news roundup (e.g., telecom “Salt Typhoon” oversight) were unrelated to OpenClaw’s vulnerabilities.
Mar 21, 2026
Infostealer Malware Targeting OpenClaw Agent Configuration Secrets
Threat intelligence reporting identified the first documented in-the-wild case of **infostealer malware** exfiltrating *OpenClaw* (formerly *ClawdBot/MoltBot*) agent files to steal **API keys, authentication tokens, and other secrets** stored in the agent’s persistent configuration/memory environment. Hudson Rock assessed the activity as likely tied to a **Vidar** infostealer variant and framed it as a shift from traditional browser-credential theft toward harvesting the “identity” and access of local AI agents that can interact with email, communications apps, local files, and online services. Separate weekly roundups and commentary amplified the broader risk theme around **agentic AI** and secret sprawl, including mentions of OpenClaw-related exposure and tooling intended to help organizations discover where such agents are running. Other items in the set (e.g., Ivanti EPMM exploitation, Notepad++ supply-chain compromise, macOS ClickFix “Matryoshka,” and various breach/ransomware claims) describe distinct incidents and are not part of the OpenClaw infostealer event.
Mar 21, 2026