Protect your OpenClaw agent from malicious ClawHub skills. Covers the ClawHavoc campaign, skill vetting, and safe installation practices.

OpenClaw Supply Chain Safety

The ClawHub marketplace hosts over 13,700 skills for OpenClaw. As of March 2026, approximately 36% of all skills contain detectable security flaws, and the ClawHavoc campaign infiltrated over 1,200 explicitly malicious skills. This guide teaches you how to protect yourself.

The ClawHavoc Campaign#

In late January 2026, a coordinated supply chain attack targeted the ClawHub marketplace. Here is what happened:

Timeline#

January 27, 2026 -- First malicious skill uploaded to ClawHub
January 31, 2026 -- Surge in malicious uploads; a single user ("hightower6eu") uploaded 354 malicious packages in an automated blitz
February 1, 2026 -- Koi Security names the campaign "ClawHavoc" and publishes initial findings: 341 malicious skills out of 2,857 total
February 14, 2026 -- Updated scan reveals 824+ malicious skills across 10,700+ total
February 24, 2026 -- ClawHavoc skills still discoverable under variant package names; campaign infrastructure still active

How It Worked#

Attackers registered as ClawHub developers (only requirement: a GitHub account at least one week old)
They mass-uploaded malicious skills disguised as legitimate plugins -- especially cryptocurrency trading tools
Skills used "ClickFix"-style social engineering to trick users into executing malicious commands
Malware targeted macOS and Windows systems, stealing crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords

What Made It Dangerous#

No vetting process -- At the time, ClawHub had no automated static analysis, no code review, and no signing requirement
Persistent memory exploitation -- Attackers targeted OpenClaw's SOUL.md and MEMORY.md files, permanently altering agent behavior even after the malicious skill was removed
Reverse shell backdoors -- Some skills embedded backdoors that triggered during normal use, not at installation
Credential exfiltration -- Skills quietly sent OpenClaw bot credentials from ~/.openclaw/.env to external webhook services

Warning

Because OpenClaw retains long-term context in memory files, a single compromised skill can permanently alter your agent's behavior. This transforms a point-in-time exploit into a stateful, delayed-execution attack.

## How to Vet Skills Before Installing

Step 1: Check the Publisher#

Look for verified publishers on ClawHub
Check the publisher's GitHub account age and activity
Be suspicious of new accounts with many published skills

Step 2: Check the VirusTotal Report#

OpenClaw has a VirusTotal partnership. On any skill's ClawHub page, check the security scan results:

# Check a skill before installing
openclaw skill info <skill-name>
# Look for the "security" section in the output

Step 3: Read the Source Code#

Skills are markdown files with instructions. Before installing:

# Download without installing
openclaw skill download <skill-name>

# Review the skill.md file
cat ~/.openclaw/downloads/<skill-name>/skill.md

# Look for:
# - External URLs or webhook endpoints
# - Shell commands (especially curl, wget, or eval)
# - References to ~/.openclaw/.env or config files
# - Obfuscated code or base64-encoded strings

Step 4: Use Community Curated Lists#

The VoltAgent/awesome-openclaw-skills repository curates and categorizes 5,400+ skills from ClawHub's full registry. Skills in this list have been reviewed by the community.

Step 5: Check for Known Malicious Patterns#

Red flags to watch for:

Skills that request access to your .env file or credentials
Skills that make outbound network requests to unfamiliar domains
Skills that modify SOUL.md or MEMORY.md files
Skills with obfuscated or minified code
Skills that install additional dependencies at runtime

Safe Installation Practices#

Use a Test Environment First#

# Create an isolated test workspace
openclaw workspace create --name test-skills

# Install the skill in the test workspace
openclaw skill install <skill-name> --workspace test-skills

# Monitor what it does
openclaw logs --workspace test-skills --tail 100

Restrict Skill Permissions#

{
  "skills": {
    "<skill-name>": {
      "allowNetwork": false,
      "allowFileSystem": "read-only",
      "allowShell": false
    }
  }
}

Monitor After Installation#

After installing any skill:

# Run security audit
openclaw security audit

# Check for unusual outbound connections
openclaw logs --filter "network" --tail 50

# Verify memory files haven't been tampered with
git diff ~/.openclaw/agents/*/SOUL.md
git diff ~/.openclaw/agents/*/MEMORY.md

Current State of ClawHub Security#

As of March 2026:

| Metric | Value | |--------|-------| | Total ClawHub skills | 13,700+ | | Skills with security flaws | ~36% | | Confirmed malicious skills (ClawHavoc) | 1,200+ | | Malicious skills found by Snyk | 283 with credential leaks | | ClawHub verification requirement | GitHub account (1 week old) | | Automated security scanning | VirusTotal partnership (opt-in) | | Formal code review | None |

Info

Following the ClawHavoc disclosure, twelve community security tools appeared on GitHub. However, all existing tools are heuristic -- they detect known patterns but cannot prove the absence of malicious behavior. Treat every skill as untrusted until you have personally reviewed it.

## Recommended Security Tools

SecureClaw -- Community security scanner for OpenClaw skills
Evo Agent Security Analyzer -- Used by Snyk in their ClawHub audit
awesome-openclaw-skills -- Community-curated, reviewed skill list

Next Steps#

CVE Tracker -- Stay current on OpenClaw vulnerabilities
Hardening Guide -- Secure your overall deployment
MCP Skills Guide -- Understanding how skills work technically