ClawHub Skills Tracker

Malicious skills on ClawHub, ClawHavoc campaign, and marketplace scanning

ClawHub Malicious Skills & ClawHavoc

Large-Scale Poisoning of ClawHub Skills and the Ongoing Threat Landscape in 2026

The year 2026 has marked a pivotal point in the security challenges surrounding OpenClaw, driven by widespread supply chain attacks, dangerous skill proliferation, and sophisticated marketplace compromises. Central to these threats is the ClawHavoc operation—a massive, coordinated assault that has poisoned OpenClaw’s ecosystem with over 1,180 malicious skills, many targeting sensitive domains like cryptocurrency and autonomous agent control.

The ClawHavoc Supply Chain Attack

Attackers masqueraded as legitimate developers on ClawHub, OpenClaw's primary marketplace for AI modules and skills, registering more than 1,180 malicious modules. These modules contained malicious code snippets designed to:

  • Steal SSH keys, access tokens, and cryptocurrency wallets
  • Hijack autonomous agents, executing unauthorized commands
  • Leak organizational and user data

This large-scale poisoning exploited the openness of OpenClaw’s ecosystem, turning it into a conduit for widespread compromise. Once infiltrated, affected organizations experienced data breaches, operational disruptions, and a loss of trust in the platform’s supply chain integrity.

OpenClaw responded swiftly by accelerating module vetting processes, requiring cryptographic signing of modules, and deploying automated vetting tools—such as VirusTotal and tork-scan—which scan modules for security risks before deployment. These measures aim to establish trusted repositories and enforce strict deployment controls to prevent future poisoning attempts.

The Threat of Dangerous Skills and Marketplace Poisoning

Beyond the initial supply chain attack, the threat landscape includes continuous discovery and removal of malicious skills. Recent scans of hundreds of ClawHub modules reveal that approximately 10% are dangerous or suspicious, highlighting the persistent risk posed by malicious actors.

Articles such as "We scanned 500 ClawHub skills for security risks – 10% were dangerous" and "ClawHub Identifies 1,184 Malicious Tools Targeting Crypto" underscore the scale of the problem. Threat actors have developed malicious skills to distribute info-stealers, cryptojackers, and malware loaders, with some modules explicitly designed to steal SSH keys and cryptocurrency assets.

A notable example is the use of malicious OpenClaw skills to distribute Atomic macOS Stealer, demonstrating how attackers leverage the marketplace as a vector for deploying malware across platforms.

Active Exploitation of CVEs and Rogue Agents

The threat environment is further complicated by exploited CVEs and rogue autonomous agents capable of bypassing safeguards:

  • CVE-2026-24764: Exploited in Slack integrations, enabling agent hijacking and security bypasses.
  • CVE-2026-26327: An authentication bypass risking impersonation of AI assistants and unauthorized command execution.
  • CVE-2026-27486 & CVE-2026-27487: Flaws in OpenClaw CLI and OAuth token handling, exploited for privilege escalation and OS command injection.

Threat actors have manipulated rogue agents to delete and leak emails, disclose confidential data, and execute malicious commands—bypassing traditional security measures. The case of an agent leaking sensitive data from a Meta AI safety researcher exemplifies the potential for tangible harm.

Ecosystem Expansion and New Attack Surfaces

The rapid expansion of OpenClaw’s ecosystem has inadvertently broadened attack vectors:

  • Development tools and CI/CD pipelines: The Cline CLI supply chain attack compromised thousands of developer environments via stolen tokens.
  • Hardware and cloud devices: Targets include NVIDIA Jetson units and cloud-managed solutions like OpenClaw Direct, often compromised through credential leaks.
  • Third-party integrations: Systems like Qwen 3.5, Ollama, and heartbeat services introduce additional vulnerabilities due to weak access controls.
  • Marketplace vulnerabilities: Incidents such as ClawJacked WebSocket hijacks have allowed malicious websites to hijack local AI agents, leading to remote code execution.

The ClawJacked WebSocket vulnerability shows why a locally running agent's WebSocket endpoint must validate the Origin of every connection and otherwise harden its handshake: these checks are what prevent a malicious page from hijacking the agent remotely.
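As an added defensive illustration (not code from OpenClaw or from the ClawJacked fix), the following Python handshake gate shows the origin check referred to above for a hypothetical locally bound agent gateway; the allowlist, header layout and shared API token are assumptions for the example.

```python
# Added example, not OpenClaw's or the ClawJacked fix's own code: a handshake
# gate for a locally bound agent WebSocket. Browsers open WebSocket connections
# to localhost from any page with no CORS preflight, so the server's own Origin
# check (plus a token for non-browser clients) is what stops a malicious site
# from driving the local agent. All names and values here are hypothetical.
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Reduce an Origin value to (scheme, host, port); None if not a clean origin."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None  # a real Origin is only scheme://host[:port]
    return (parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme])


def check_upgrade(headers, allowed_origins, api_token):
    """Return (allowed, reason) for a WebSocket upgrade request.

    headers: request headers with lower-cased names. allowed_origins: exact
    origins such as 'http://localhost:8080' that may drive the agent from a
    browser. api_token: shared secret required from clients sending no Origin.
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return (False, "not a websocket upgrade")
    origin = headers.get("origin")
    if origin is None:
        # Non-browser clients (CLI, IDE plugin) omit Origin; trust them only
        # with the token, never by virtue of connecting from localhost.
        auth = headers.get("authorization", "")
        if auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], api_token):
            return (True, "authenticated non-browser client")
        return (False, "no origin and no valid token")
    if origin == "null":
        return (False, "opaque 'null' origin rejected")
    norm = normalize_origin(origin)
    if norm is None:
        return (False, "malformed origin")
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    # Exact tuple match: 'http://localhost.evil.com' or a wrong port never
    # equals ('http', 'localhost', 8080), so lookalike hosts fail closed.
    if norm not in allowed:
        return (False, "origin not in allowlist")
    return (True, "ok")
```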

Defensive Measures and Recommendations

In response to these mounting threats, OpenClaw’s security teams have implemented multiple hardening measures:

  • The Kilo Gateway (Version 2026.2.23) features traffic filtering, anomaly detection, and rate limiting.
  • Sandboxing high-risk modules like Moonshot and Kimi Vision Video to contain malicious code.
  • Behavioral analytics monitor agent behavior in real-time, enabling early detection of anomalies such as unauthorized data access or command execution.
  • Automated vetting tools like VirusTotal and tork-scan evaluate modules, flagging approximately 10% as suspicious.
  • Enforcing digitally signed updates and verified repositories to prevent tampering.

Organizations must adopt a defense-in-depth strategy that includes automated vetting, strict access controls, secret management, network segmentation, and continuous behavior monitoring to effectively mitigate risks.

Future Outlook

Despite proactive measures, adversaries continue to refine their techniques, exploiting new vulnerabilities and leveraging marketplace poisoning. The ongoing deployment of security patches—such as the fix for ClawJacked WebSocket hijacks—demonstrates OpenClaw’s commitment to security. However, threat actors remain a step ahead, making community collaboration and shared threat intelligence vital.

In summary, 2026 has been a year of profound challenges for OpenClaw, with large-scale poisoning campaigns, active exploitation of vulnerabilities, and the emergence of rogue autonomous agents. Organizations must maintain vigilance, implement layered security measures, and foster community cooperation to ensure the safe, resilient deployment of AI agents in complex enterprise environments.

Updated Mar 1, 2026