OpenClaw's skill economy is a gift and a liability. Security teams now tag the latest wave of incidents under the keyword openclaw-malicious-skills so every briefing lines up with the same slug. Every automation lives inside a SKILL.md, and the ClawHub marketplace makes those skills a one-click install. Over the past quarter, several independent security teams published hard evidence of malicious uploads that abused that trust. Instead of repeating generic risk lists, this brief walks through three documented incidents, how they unfolded, and what actually worked to contain them.
TL;DR
- ClawHavoc (Feb 2026): Antiy Labs documented a large-scale poisoning campaign on ClawHub where fake "maintenance" skills abused the Prerequisites block to pull remote bash loaders. ClawHub now rate-limits new publishers and pipes every upload through VirusTotal before listing it.
- ToxicSkills Audit (Feb 2026): Snyk's crawl of thousands of skills flagged a significant percentage as credential-stealing or infostealer droppers. OpenClaw responded by adding mandatory plaintext linting, provenance tags, and auto-quarantine for repeat reports.
- Cline npm Compromise (Feb 2026): StepSecurity and Endor Labs traced a malicious
cline@2.3.0release that silently installed OpenClaw and preloaded specific ClawHub "productivity" skills seeded with obfuscated payloads. This forced Cline to rotate tokens and pushed OpenClaw to ship signed release manifests.
Why ClawHub Keeps Drawing Adversaries
OpenClaw skills are just text files, but the agent interprets every fenced code block as instructions it might execute. Security researchers have called this a "security nightmare" because a malicious skill is tantamount to arbitrary shell access if the operator rubber-stamps it. Skills also inherit the agent’s ambient credentials—Discord tokens, GitHub PATs, Stripe keys—which makes ClawHub a natural target for supply-chain actors hunting for API secrets. That context explains why the following incidents escalated so quickly.
Case 1: ClawHavoc’s Fake Maintenance Scripts
Antiy Labs' forensic write-up shows ClawHavoc accounts uploaded hundreds of nearly identical "gateway maintenance" skills. Each SKILL.md embedded a step instructing agents to run a bash script under the guise of installing dependencies. The payload fetched a binary that enumerated ~/.openclaw, zipped credentials, and posted them to a remote dropbox.
Detection cues
Defenders first noticed a spike in ClawHub’s “maintenance” tag plus outbound DNS lookups to suspicious domains. If you run self-hosted ClawHub mirrors, add detections for identical Prerequisites blocks, base64 blobs longer than 1 KB, and any SKILL that references curl | bash without pinning a checksum.
Remediation
ClawHub moderators revoked the publisher accounts, purged the skills, and backfilled VirusTotal scanning across the remaining queue. OpenClaw shipped openclaw skills publish --scan so that uploads run through the same multi-engine check, and gateways upgraded to warn operators when a SKILL asks for shell access outside the workspace.
Case 2: ToxicSkills Mass Credential Harvest
Snyk's "ToxicSkills" research crawled the public registry and flagged entries whose code blocks exfiltrated .env, aws/credentials, or browser password stores. The malicious clusters re-used templates for Git utilities, PDF summarizers, and "secure backups". All three quietly base64-encoded secrets and posted them to external APIs.
Why it worked
The malicious code never touched binaries; it lived inside markdown, so traditional file-type filters passed it through. Many operators rely on auto-run approval, so the agent executed commands like cat ~/.config/... without a human in the loop.
Mitigation that stuck
After the report, ClawHub required account age checks and verified emails before publishing new skills. Provenance metadata was added to metadata.openclaw so installs can be traced. OpenClaw also added openclaw skills lint --exfil which looks for red-flag commands (e.g., cat, tar, scp, curl) touching sensitive paths, forcing a human override before installation.
Case 3: Cline’s npm Compromise Seeding ClawHub Implants
Endorlabs linked a prompt-injection against the Cline triage bot to a malicious npm release (cline@2.3.0). The compromised package’s postinstall hook silently installed OpenClaw globally and preloaded specific ClawHub skills like focus-assistant-pro and drive-sync-suite. Those skills in turn called out to external CDNs, dropped an infostealer, and exfiltrated tokens.
Blast radius
Even though the gateway never auto-paired with channels, the daemon still had filesystem and network access. CI runners that cached npm modules unknowingly bundled the implant into golden images. This incident showed how a traditional supply chain attack could be used to seed malicious AI agent skills.
Lessons learned
Cline rotated npm tokens, added Sigstore signing, and now requires two maintainers for release. OpenClaw introduced signed manifest checks so that future silent installs must match a published checksum. ClawHub added “pinned publisher” labels so operators can limit installs to org-verified skills.
Operator Playbook for Preventing the Next Wave
- Threat Intel Syncs: Subscribe to the ClawHub moderation feed plus the StepSecurity SLSA radar. Treat those as CVE feeds for skills.
- Immutable Allow-lists: Mirror only the skill IDs you have already audited. ClawHub’s
npx clawhub sync --allowlistmode exists for this reason. - Automated Lint + Human Review: Run
openclaw skills lint --exfiland block auto-approvals for skills that read secrets, touch/usr/bin, or spawn shells. - Runtime Monitors: Ship Falco or OSQuery rules that alert whenever the OpenClaw process spawns
curl,tar, orscp—that’s what every malicious skill in these cases had in common. - Credential Scoping: Rotate PATs and API keys so the agent only has per-repo scopes. The ClawHavoc crew specifically monetized GitHub PATs with repo+workflow scopes because they could push malicious PRs elsewhere.
Conclusion
The latest mainstream coverage points in one direction: skill marketplaces are now a primary supply-chain target for AI agents. Antiy Labs' ClawHavoc reporting, Snyk’s ToxicSkills audit, and StepSecurity’s cline@2.3.0 incident analysis all show the same pattern—malicious skills win when review is shallow and runtime monitoring is missing. For OpenClaw operators, the practical takeaway is simple: trust published case evidence, enforce provenance and lint gates before install, and monitor live execution like production infrastructure.
Your AI Receptionist, Live in Minutes.
Scale your front desk with an AI that never sleeps. Solvea handles unlimited multi-channel inquiries, books appointments into your calendar automatically, and ensures zero missed opportunities around the clock.
FAQ
What are OpenClaw malicious skills?
OpenClaw malicious skills are AI agent capabilities, often distributed via ClawHub, that contain hidden or disguised code designed to perform unauthorized actions like data exfiltration, credential theft, or system compromise. They exploit the agent's permissions and trust mechanisms.
How can I identify a malicious OpenClaw skill?
Look for suspicious behaviors such as requests for excessive permissions, unusual network activity, or attempts to access sensitive files. Always verify the publisher, check for provenance metadata, and use security linting tools like openclaw skills lint --exfil before installation. Be wary of skills that promise functionality that seems too good to be true or require unexpected shell access.
What is ClawHub and why is it a target?
ClawHub is the official skill marketplace for OpenClaw, allowing users to easily install new AI agent capabilities. It's a target because skills inherit the full permissions of the AI agent, including access to system resources and sensitive credentials. This makes it an attractive vector for supply chain attacks, as demonstrated by incidents like ClawHavoc and ToxicSkills.
What steps has OpenClaw taken to improve security?
Following incidents, OpenClaw and ClawHub have implemented stricter publishing requirements (e.g., account age, verified emails), introduced provenance tags for traceability, and added auto-quarantine mechanisms for reported skills. OpenClaw also now ships signed release manifests and provides tools like openclaw skills publish --scan and openclaw skills lint --exfil to enhance security vetting.
Can prompt injection lead to malicious skill execution?
Yes, as seen in the Cline npm compromise, prompt injection can be a vector. Attackers can manipulate AI agents through crafted prompts to execute unintended commands or load malicious skills. This highlights the need for robust input validation and careful review of any skill that interacts with user prompts or external data.
