Safeguard
Vulnerability Analysis

The clawdhub Malicious AI Agent Skills Campaign Explained

A coordinated supply-chain campaign poisoned 1,184+ ClawHub AI agent skills, stealing crypto wallets and SSH keys via CVE-2026-25253.

Safeguard Research Team
Research
7 min read

On February 1, 2026, security researcher Oren Yomtov of Koi Security published an audit of ClawHub — the primary skill marketplace for the OpenClaw AI agent ecosystem — that found 341 of 2,857 published skills (11.9%) were actively malicious. Days later, Snyk's research team identified a live typosquat of the marketplace's own tooling: a package published under the name clawdhub1, masquerading as an official CLI for managing agent skills, that had already accumulated close to 100 installs before detection. Both findings sit inside a single, coordinated supply-chain campaign now tracked industry-wide as ClawHavoc — and it is the largest known compromise of an AI agent skills registry to date. By mid-February the malicious footprint had grown to more than 824 skills (1,184 individual malicious packages) spread across 12 publisher accounts, with a follow-on audit of 3,984 skills finding that 13.4% carried at least one critical-severity issue, from credential exfiltration to prompt injection to outright reverse shells.

The practical impact is severe and unusually direct for a software supply chain incident: victims who installed a poisoned skill and followed its "setup" instructions had infostealer malware executed with their own user privileges, resulting in theft of SSH keys, browser-saved passwords, cryptocurrency wallet files, exchange API keys, and — on macOS — full Keychain contents. Because OpenClaw skills are distributed as markdown documents with embedded shell instructions rather than signed, sandboxed binaries, the compromise required no exploit at all for most victims. It relied entirely on social engineering layered on top of a marketplace with no mandatory code review, no publisher verification, and no sandboxing enforcement before a skill goes live.

Affected Versions and Components

The campaign touches three distinct layers, and defenders should treat each separately when scoping exposure:

  • ClawHub marketplace content — any skill published to clawhub.ai prior to the platform's emergency moderation sweep in early February 2026, particularly packages from the 12 publisher accounts tied to ClawHavoc and typosquats of legitimate tooling such as clawdhub1, clawhub-cli, and several crypto-trading-automation skill names.
  • OpenClaw agent runtime — versions prior to the patch addressing CVE-2026-25253, a CVSS 8.8 (High) flaw in how the runtime evaluates and enforces skill permission scopes. The bug allows a malicious skill to escalate beyond its declared permission boundary and reach local resources — including services bound only to localhost — via a one-click chain, which materially worsened the blast radius of the ClawHub compromise by letting a single "install this skill" action pivot into deeper host access.
  • Downstream agent ecosystems that consume ClawHub content, including Claude Code-compatible skill loaders and the Moltbot agent-to-agent framework, which researchers at Straiker documented as a secondary propagation path — a compromised skill installed via ClawHub was observed spreading further when agents shared or republished skill definitions to Moltbook.

Both macOS and Windows endpoints were targeted, with the "required prerequisite" social-engineering lure tailored per platform: a shell command to paste into Terminal on macOS (delivering the Atomic macOS Stealer, AMOS), and a password-protected ZIP download on Windows to evade static scanning at the perimeter.

CVSS, EPSS, and KEV Context

CVE-2026-25253 carries a CVSS v3.1 base score of 8.8 (High), reflecting network-adjacent attack vector, low attack complexity, no privileges required beyond the initial skill install, and high impact to confidentiality, integrity, and availability once triggered. As of this writing, the vulnerability has not yet been added to CISA's Known Exploited Vulnerabilities (KEV) catalog and no formal FIRST EPSS score had been published, though the volume of active exploitation observed in the wild — over a thousand malicious packages actively distributing payloads within a two-week window — makes near-term KEV inclusion likely. Security teams should not wait for a KEV listing to act; the exploitation pattern here (social-engineering-driven install, followed by runtime permission escalation) is already confirmed and ongoing, which is a stronger signal than EPSS probability alone.

It's worth noting that the bulk of the damage in this campaign did not require CVE-2026-25253 at all — most victims were compromised purely through the ClickFix-style social engineering embedded in skill documentation. The CVE matters because it explains why compromises that started as "just" a stolen credential were able to escalate into broader host and localhost-service access.

Timeline

  • January 27–29, 2026 — An initial wave of 28 malicious skills targeting Claude Code and Moltbot users is published to ClawHub and mirrored on GitHub.
  • January 31–February 2, 2026 — A much larger second wave of 386 skills goes live, sharing infrastructure and TTPs with the first wave; this is the point at which the campaign's coordinated nature becomes clear.
  • February 1, 2026 — Koi Security publishes its ClawHub audit, identifying 341 malicious skills (11.9% of the registry at the time), naming the campaign ClawHavoc and tracing 335 of them to a single actor.
  • February 2–3, 2026 — Snyk identifies the clawdhub/clawdhub1 typosquat CLI tool masquerading as official marketplace tooling; the original listing is removed by ClawHub on February 3, but the clawdhub1 variant persists and continues accumulating installs.
  • Early–mid February 2026 — Trend Micro confirms the primary macOS payload as Atomic Stealer (AMOS); the malicious footprint grows to 824+ skills and 1,184 packages across 12 publisher accounts as researchers continue expanding the scope of the audit.
  • February 5, 2026 — A comprehensive ecosystem-wide scan of 3,984 ClawHub skills finds 13.4% contain at least one critical security issue, confirming the problem extends well beyond the named ClawHavoc cluster.
  • Ongoing — CVE-2026-25253 remains under active patch rollout across OpenClaw runtime deployments; new typosquat and copy-paste variants of the original malicious skills continue to surface as researchers take down confirmed listings.

Remediation Steps

  1. Inventory every OpenClaw, Claude Code, or Moltbot skill installed across your fleet. Treat any skill sourced from ClawHub before the emergency moderation sweep as unverified until checked against the published indicator lists from Koi Security, Snyk, and Trend Micro.
  2. Remove skills from the 12 flagged ClawHavoc publisher accounts and any typosquats of official tooling — including clawdhub1 and similarly named packages that mimic legitimate CLI utilities.
  3. Never execute a skill's "required prerequisite" command without independent verification. The single most effective control here is a hard organizational policy: agent skill setup instructions that ask a human to paste a shell command or download a password-protected archive are a red flag, full stop.
  4. Patch OpenClaw runtime to the version addressing CVE-2026-25253 and confirm skill permission scopes are actually being enforced post-patch, including for services bound to localhost.
  5. Rotate every credential type known to be targeted by AMOS and related payloads: SSH private keys, browser-saved passwords, cryptocurrency wallet files and seed phrases, and any exchange or cloud API keys that were reachable from an infected host.
  6. Block known ClawHavoc C2 infrastructure at the network edge — the published IOC bundle includes roughly a dozen C2 domains and associated IP ranges; ingest these into your existing threat-intel and EDR pipelines.
  7. Enforce skill sandboxing and least-privilege permission scopes going forward, and require a documented review step before any new skill is approved for use inside your organization, rather than trusting marketplace popularity or install counts as a proxy for safety.

How Safeguard Helps

ClawHavoc is a textbook case for why "is this component technically vulnerable" and "is this component actually reachable and executed in my environment" are different questions — and why teams need both answered fast. Safeguard's reachability analysis pinpoints which installed skills, dependencies, and runtime permission paths are actually exercised in your agent deployments, so you can prioritize the handful of ClawHub-sourced packages that matter over the hundreds that merely appear in an inventory. Griffin AI, Safeguard's agentic triage engine, correlates the published ClawHavoc indicators — malicious publisher accounts, C2 domains, AMOS file hashes, and the CVE-2026-25253 permission-escalation pattern — against your live environment to surface affected hosts in minutes rather than days of manual log review. Safeguard's SBOM generation and ingest capabilities extend to AI agent skill manifests, giving security teams the same software bill-of-materials visibility into ClawHub-sourced components that they already have for traditional package ecosystems like npm and PyPI. Where a patched OpenClaw runtime version or a clean replacement skill is available, Safeguard can open auto-fix pull requests directly against affected repositories, cutting the time between "indicator published" and "fix merged" from days to hours. Together, these capabilities are designed to catch the next ClawHavoc-style campaign before 341 malicious skills becomes 1,184.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.