ClawHavoc: How 341 Malicious Skills Targeted OpenClaw Users


In January 2026, security researchers discovered 341 malicious skills on ClawHub — the official OpenClaw skill marketplace. The campaign, dubbed ClawHavoc, distributed Atomic Stealer malware that exfiltrated API keys, browser credentials, and crypto wallets.

What Happened

Attackers uploaded skills to ClawHub that looked legitimate — names like smart-email-assistant, calendar-sync-pro, and file-manager-plus. The skills worked as advertised, but included hidden code that:

  1. Extracted environment variables (API keys, tokens)
  2. Read browser credential stores
  3. Sent data to attacker-controlled servers
  4. Installed persistent backdoors

The malicious skills accumulated thousands of installs before detection.

How the Attack Worked

Typosquatting

Many malicious skills used names similar to popular ones, for example openclaw-gmail versus the legitimate openclaw-google-mail. Users installing quickly wouldn't notice the difference.

Delayed Execution

The malware didn't activate immediately. It waited 24-48 hours before exfiltrating data, making it harder to connect the installation to the compromise.

Legitimate Functionality

Every malicious skill actually provided the advertised feature. Users had no reason to suspect anything because the skill worked.

Are You Affected?

Check Your Installed Skills

openclaw plugins list

Cross-reference against the published list of malicious skills. Key indicators:

  • Skills installed from unverified publishers
  • Skills with generic names that duplicate existing popular skills
  • Skills installed between November 2025 and January 2026
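
The indicators above can be checked mechanically once the installed-skill inventory is collected into records. This is an added example, not code from OpenClaw or the original post: the record fields (name, publisher_verified, installed), the 0.8 similarity threshold and the skill name notes-helper are assumptions, and the inventory is constructed sample data.

```python
from datetime import date
from difflib import SequenceMatcher

# Names the article cites as malicious examples; substitute the full published list.
KNOWN_BAD = {"smart-email-assistant", "calendar-sync-pro", "file-manager-plus"}
# Legitimate popular skills to compare against (the one named in the article).
POPULAR = {"openclaw-google-mail"}
# Install window from the article: November 2025 through January 2026.
WINDOW = (date(2025, 11, 1), date(2026, 1, 31))
LOOKALIKE_THRESHOLD = 0.8  # assumed similarity cut-off; tune for your catalogue

def lookalike_of(name):
    """Return the popular skill this name closely resembles, or None."""
    for legit in sorted(POPULAR):
        score = SequenceMatcher(None, name, legit).ratio()
        if name != legit and score >= LOOKALIKE_THRESHOLD:
            return legit
    return None

def triage(skill):
    """Return the indicators that one inventory record matches."""
    reasons = []
    if skill["name"] in KNOWN_BAD:
        reasons.append("listed-malicious")
    if not skill["publisher_verified"]:
        reasons.append("unverified-publisher")
    legit = lookalike_of(skill["name"])
    if legit:
        reasons.append(f"lookalike:{legit}")
    if WINDOW[0] <= date.fromisoformat(skill["installed"]) <= WINDOW[1]:
        reasons.append("installed-in-window")
    return reasons

# Constructed sample inventory (hypothetical record format, not real CLI output).
INVENTORY = [
    {"name": "openclaw-google-mail", "publisher_verified": True, "installed": "2025-06-10"},
    {"name": "openclaw-gmail", "publisher_verified": False, "installed": "2025-12-03"},
    {"name": "calendar-sync-pro", "publisher_verified": False, "installed": "2026-01-05"},
    {"name": "notes-helper", "publisher_verified": True, "installed": "2025-12-20"},
]

def report(inventory=INVENTORY):
    """Map each flagged skill name to its indicators, omitting clean skills."""
    return {s["name"]: r for s in inventory if (r := triage(s))}

if __name__ == "__main__":
    for name, reasons in report().items():
        print(f"{name}: {', '.join(reasons)}")
```

A skill that matches only the install window is a prompt for review, not evidence of compromise; a match on the published list or a lookalike name from an unverified publisher warrants the immediate steps below.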

Check for Compromise

Look for these signs:

  • Unexpected API usage spikes
  • Unfamiliar logins to your cloud accounts
  • New SSH keys you didn't create
  • Unexpected outbound network connections from your OpenClaw instance

Immediate Steps If Affected

  1. Rotate all API keys — Every key accessible to your OpenClaw instance
  2. Uninstall suspicious skills — Remove any unverified skills
  3. Check browser credentials — Change passwords for any saved credentials
  4. Audit your server — Look for unauthorized processes and SSH keys
  5. Update OpenClaw — Latest versions include skill verification

How Managed Hosting Protects You

This is where self-hosting becomes genuinely dangerous. When you install skills on your own server, malicious code has access to everything on that machine.

ClawTank mitigates this by design:

  • Container isolation — Each user runs in a sandboxed Docker container. A compromised skill can't access the host system or other users
  • Curated skills — Pre-configured with verified skills only
  • No root access — Skills can't install system-level backdoors
  • Automatic updates — Security patches applied without user intervention
  • Network monitoring — Suspicious outbound connections are flagged

Lessons Learned

The ClawHavoc incident highlights a fundamental challenge with open marketplaces: trust. npm, PyPI, and now ClawHub have all faced supply chain attacks.

For most users, the safest approach is managed hosting where the operator controls which skills are available and monitors for threats.

Stay Safe

Deploy on ClawTank for sandboxed, managed OpenClaw hosting. Your AI assistant runs in an isolated container with curated skills — no supply chain risk.
