🦞 OpenClaw Trader Pro
OpenClaw · By Dan Machado · 2026

ClawHavoc: 1,184 Malicious Skills, AMOS Stealer, How to Audit Yours

1,184 malicious skills on ClawHub. 14,285 confirmed installs of the top variant. SSH keys, wallets, sessions exfiltrated. How to audit your installs.

Security context: Three critical CVEs disclosed in OpenClaw in Q1 2026 (CVE-2026-25253, CVE-2026-32922) plus the ClawHavoc supply-chain attack (1,184 malicious skills). Always run v2026.4.12 or later. Full security assessment.

Beginning February 1, 2026, the OpenClaw skill marketplace ClawHub was hit by a coordinated supply-chain attack. By the time it was caught and cleaned up, 1,184 malicious skills had been published. The most-downloaded single malicious package, deeps-agnw6h, had been installed 14,285 times. Payloads ranged from macOS Atomic Stealer (AMOS) variants to Linux reverse shells to crypto wallet drainers.

The attack was named ClawHavoc by Koi Security, which along with Snyk's ToxicSkills research team did the first detailed forensic analysis. This guide walks through what happened, what was stolen, how to audit your own ClawHub installations for compromise, and what changed in the marketplace afterwards.

TL;DR — The 30-second answer

  • Scale: 1,184 malicious skills uploaded between Feb 1 and Feb 18, 2026.
  • Source: One threat actor responsible for 677; rest from smaller groups.
  • Top install: deeps-agnw6h with 14,285 confirmed downloads.
  • macOS payload: Atomic Stealer (AMOS) variants — SSH keys, wallets, browser data.
  • Linux/Windows payload: Reverse shells to 91.92.242.30:4444.
  • Trading-specific: A "Polymarket helper" was among the most insidious.
  • Today: ClawHub scans every upload through VirusTotal + Snyk static analyzer.

How the attack worked

ClawHavoc attack scale statistics
The single-actor concentration (57% from one publisher) made the attack easier to identify in retrospect, harder during.

In late January 2026, multiple new ClawHub accounts began publishing skills at a rate of 20–50 per day. The skills targeted high-search-volume keywords: "polymarket helper," "binance balance," "deriv signals," "telegram alert bot." Each skill's SKILL.md looked plausible at first glance — a short description, a YAML frontmatter, instructions that read like an intern's first day.

Inside the SKILL.md, however, was a hidden payload. The pattern varied, but the typical sequence was:

  1. Bait: first 20 lines of SKILL.md describe a legitimate-sounding skill that does something boring.
  2. Distraction: a section labeled "Initial setup" or "Configuration check" includes a curl-to-bash command. "Just to make sure your environment is healthy."
  3. Payload: the curl URL serves a platform-specific binary or shell script.
  4. Execution: on first invocation, the skill runs the bait curl. OpenClaw, trusting the user-installed skill, executes the command.
  5. Persistence: the downloaded payload writes a cron job (Linux), launchd entry (macOS), or scheduled task (Windows) for re-execution at boot.
  6. Exfiltration: sensitive files are POSTed to a hardcoded IP, then deleted from disk to reduce forensic traces.
ClawHavoc payload chain on macOS
The macOS payload chain. Each box was a separate process to make detection harder.

What was stolen

Per Snyk's ToxicSkills analysis, the exfiltrated data included:

  • SSH private keys from ~/.ssh/ — useful for lateral movement to servers and Git providers.
  • Browser session cookies and saved passwords — from Chrome, Firefox, Safari, Brave on macOS; from various profiles on Windows/Linux.
  • Crypto wallet files — MetaMask vaults, Electrum, Sparrow, Atomic Wallet, Exodus, Phantom, Solflare.
  • Telegram session files — lets attackers impersonate the victim on Telegram.
  • Discord and Slack tokens — for social engineering and access to private channels.
  • OpenClaw configuration including any LLM API keys, broker tokens, and on-disk memory.
  • AWS, GCP, Azure credentials from ~/.aws/, ~/.config/gcloud/, and Windows credential manager.

The trading-specific Polymarket helper variant

One of the most insidious ClawHavoc skills was a "Polymarket helper" that did what it advertised — placed orders on Polymarket via the official CLOB — while also running a reverse shell in the background. Users genuinely thought they were trading, while the attacker had real-time access to the same machine and could drain wallets faster than the user could refresh.

Several Polymarket account drains reported in February and early March 2026 trace back to ClawHavoc variants of this skill. The pattern: a user installs the skill, places a few small trades to verify it works, then funds a larger USDC position. Within minutes, the attacker uses the exfiltrated MetaMask vault to drain the funded wallet before any trade can settle.

Auditing your own ClawHub installations

If you installed any skill from ClawHub between January 25 and February 20, 2026: do this today.

  1. List installed skills: clawhub list --installed. Save the output.
  2. Cross-reference against the published ClawHavoc indicators list at snyk.io/toxicskills-2026. If any match, treat the machine as compromised.
  3. Search for the C2 IP in your firewall logs: grep '91.92.242.30' /var/log/*. Any hit means active exploitation.
  4. Check cron jobs for unfamiliar entries: crontab -l and ls /etc/cron.*. ClawHavoc cron entries usually call into /tmp/.X11-unix/ or ~/.cache/openclaw/ with names mimicking system processes.
  5. Check launchd (macOS): launchctl list | grep -v com.apple. Anything unfamiliar is suspect.
  6. If compromised: rotate every credential the machine had access to (broker, exchange, LLM provider, GitHub, AWS, all wallets). Wipe the machine, don't try to clean it.

If your crypto wallets were on the affected machine: do NOT use the same seed phrase on a new machine. The seed phrase is exfiltrated. Create a brand-new wallet, move funds across once (accepting the gas cost), and burn the old one.

What ClawHub changed after the attack

ClawHub's response, as documented in the OpenClaw Foundation's March 2026 post-incident review:

  • VirusTotal scanning on upload. Every binary or downloadable referenced in a SKILL.md is now scanned. Static and behavioral analysis both run.
  • Snyk static analyzer integration. SKILL.md content scanned for known malicious patterns (pipe-to-shell, SSH key reads, hardcoded IP beacons).
  • New-publisher rate limits. Accounts under 30 days old can publish max 3 skills/day. The mass-upload attack vector is now closed.
  • Manual review for finance skills. Any skill categorized under finance/crypto/trading gets human review before listing. Slows things down but worth it.
  • SBOM (Software Bill of Materials). Each skill now publishes a manifest of all files and URLs it references. Easier to audit at install time.
  • Sandboxed first-run. New skills run in a sandboxed environment with no network/filesystem access on first invocation. User must explicitly grant permissions.

Lessons for skill users (you)

ClawHavoc was a sophisticated attack, but every malicious skill could have been caught with a 60-second SKILL.md read. The defenders failed because they relied on the marketplace to be safe. Don't make that mistake:

  1. Read every SKILL.md before installing. Look for the four red flags.
  2. Check publisher reputation. New accounts (<30 days) with high installs are suspicious.
  3. Verify URLs and IPs. Numeric IPs are almost always C2.
  4. Run new skills in a workspace with limited permissions first.
  5. Use a dedicated VPS for OpenClaw, not your daily-driver laptop.

Frequently asked questions

Are the malicious skills still available?

No. All 1,184 were removed from ClawHub by late February 2026. Some may still be available on third-party mirrors — do not use third-party mirrors.

Can I get reimbursed if I was affected?

OpenClaw is open-source with no warranty. ClawHub is operated by the OpenClaw Foundation, also no warranty. Some users have pursued civil suits against the identified threat actor with limited success. There is no insurance for this.

Why did ClawHub allow these in the first place?

Marketplaces struggle with this attack class — npm, PyPI, and the App Store have all seen similar incidents. The defense is layered automated analysis plus rate limits plus reputation, which ClawHub now does.

Could this happen again?

Yes, with a more sophisticated payload that bypasses VirusTotal. The defense is reading every SKILL.md, not assuming the marketplace is safe.

What to read next

Sources cited: The Hacker News (CVE-2026-25253 disclosure, Feb 2026); Conscia 2026 OpenClaw Security Crisis advisory; Snyk ToxicSkills study; Cyber Press ClawHavoc reporting; Wall Street Journal Polymarket profitability analysis (May 2026); Andrey Sergeenkov via The Defiant (April 2026); Akey, Grégoire, Harvie & Martineau, SSRN paper (March 2026); openclaw.ai official advisories; Peter Steinberger public statements on X. Koi Security ClawHavoc detailed write-up; Snyk ToxicSkills full report; Cyber Press timeline; OpenClaw Foundation post-incident review.