Koi Security published findings on February 1 showing that 341 out of 2,857 skills on ClawHub, the third-party skill marketplace for the viral AI agent OpenClaw, were malicious. The vast majority, 335, belonged to a single campaign the researchers dubbed ClawHavoc. The primary payload: Atomic Stealer, a macOS infostealer that goes after browser sessions, saved credentials, crypto wallets, and SSH keys.
What makes this particularly uncomfortable is how the attack worked. Not through sophisticated exploits or zero-days, but through markdown files with professional-looking "Prerequisites" sections that told users to run a shell command or download a ZIP file before the skill would work.
A markdown file walks into your terminal
The Agent Skills format, which Anthropic developed and tools like Claude Code and Cursor have adopted, centers on a SKILL.md file. It's meant to be a set of instructions for an AI agent. In practice, as 1Password's Jason Meller pointed out, that markdown file functions as an installer.
ClawHavoc exploited this by embedding fake dependency requirements. A skill calling itself solana-wallet-tracker or youtube-summarize-pro would include a "Prerequisites" block directing macOS users to copy a script from glot.io and paste it into Terminal. That script decoded a base64 payload, which fetched a second-stage dropper, which downloaded a 521KB universal Mach-O binary, which stripped macOS Gatekeeper quarantine attributes before executing. Five steps from "install this skill" to full system compromise.
On Windows, the chain was simpler: download a password-protected ZIP (the password bypasses antivirus scanning) and run the executable inside. Koi identified it as a keylogger.
Meller submitted the macOS binary to VirusTotal. The result was unambiguous: macOS infostealing malware. AMOS specifically, a commodity stealer sold on Telegram for $500 to $1,000 per month that targets over 60 cryptocurrency wallets, browser data from Chrome through Brave, Telegram sessions, and SSH keys.
The scale problem
All 335 ClawHavoc skills shared a single command-and-control IP: 91.92.242.30. The campaign window ran January 27 through 29, according to Snyk's analysis. Three days. By the time ClawHub rolled out a reporting feature (skills with three or more reports get auto-hidden), the damage was done.
Koi researcher Oren Yomtov, working with his own OpenClaw bot named Alex, catalogued the categories: 111 crypto tools, 57 YouTube utilities, 34 Polymarket bots, 29 ClawHub typosquats, 28 auto-updaters, and 17 skills claiming Google Workspace integration. The targeting was deliberate. Crypto users are high-value marks. YouTube tools offer mass appeal. And typosquatting the ClawHub CLI itself is the kind of move that catches people who type fast and read slow.
The six outlier skills used different techniques. Two Polymarket-themed skills buried reverse shell backdoors around line 180 of otherwise functional code, triggering during normal search operations. A weather tool called rankaj simply read the bot's .env configuration file and posted it to webhook.site. No obfuscation, no staged delivery. Just straightforward theft.
So who's minding the store?
ClawHub's barrier to publishing a skill: a GitHub account that's at least one week old. No code signing. No security review. No sandbox.
"The ecosystem is at an inflection point," Snyk's ToxicSkills report noted, after scanning 3,984 skills and finding 13.4% contained at least one critical security issue. That figure goes beyond the ClawHavoc campaign to include prompt injection vulnerabilities and skills that instruct agents to pass API keys through the LLM context window in plaintext. Eight malicious skills from Snyk's confirmed dataset remained live on ClawHub as of their publication date.
OpenClaw creator Peter Steinberger has acknowledged the security concerns. "It's a free, open source hobby project that requires careful configuration to be secure," he told CNBC. He's rolled out the reporting feature on ClawHub and noted that "prompt injection is still an industry-wide unsolved problem," which is true but also the kind of thing that sounds less reassuring when your skill registry just served 341 malware payloads.
The deeper issue, one Steinberger can't solve alone, is architectural. OpenClaw bots connect to email, messaging platforms, calendars, and local file systems. They maintain persistent memory files. A compromised skill doesn't just steal what's on the machine right now. It can poison the bot's memory, altering its behavior long after the malicious skill is removed. Palo Alto Networks researchers flagged this, noting that persistent memory turns one-time exploits into "stateful, delayed-execution attacks."
What happens next
Koi published a skill called Clawdex that scans skills against their malicious database before installation. Snyk released mcp-scan, a free tool that checks SKILL.md files for malicious patterns using multiple models and deterministic rules. These are band-aids on a structural wound, but they're the band-aids available right now.
The Agent Skills format isn't going away. It's already been adopted beyond OpenClaw by Claude Code, Cursor, and others. Skills published on ClawHub can travel to any agent that supports the same spec, which means this isn't just an OpenClaw problem. It's a distribution mechanism.
If you ran any ClawHub skills between late January and early February, particularly anything crypto-related, Polymarket-adjacent, or calling itself a ClawHub CLI tool, the standard advice applies: rotate your credentials, check for unauthorized access, and treat the machine as potentially compromised. If you did this on a work device, loop in your security team now rather than later.
