ClawHavoc: 824 malicious ClawHub skills, one threat actor at the center

Patch now. CVE-2026-25253 (CVSS 8.8) is in the wild, paired with 824 confirmed malicious skills uploaded to ClawHub. 335 of those skills trace to a single threat actor running a coordinated campaign — the campaign Repello and Koi have named ClawHavoc. The macOS payload is Atomic Stealer (AMOS). It harvests keychain passwords, browser credentials, SSH keys, and crypto wallet files, and ships them to a hardcoded C2.

If you are running OpenClaw on a Mac with even one third-party skill installed, audit before you read further. Older releases must be upgraded today, not next week. The fix shipped in OpenClaw 2026.3.11.

The boundary that broke is between the ClawHub registry and your local agent process. The working assumption — that ClawHub's curation team and the marketplace's social signal would surface bad skills before they spread — does not survive the numbers. The first audit found 341 malicious skills in 2,857. The follow-up at 13,729 skills found 824. The absolute count rose; the rate dropped from twelve percent to six percent. Curation is scaling. Curation is not winning.

The trust boundary has to move. The local agent process needs to treat every skill as adversarial input until it has a signed publisher, a verified provenance log, and a sandboxed first-run. ClawHub needs to enforce signing at the registry level rather than at an install-time prompt the user can dismiss in three seconds. This is the npm 2018 problem, with one critical difference: npm modules are libraries the developer reads before importing. ClawHub skills are instructions the agent reads as authoritative the moment they're loaded. The blast radius of a malicious skill is bigger than a malicious package, because the consumer is an LLM that follows instructions for a living.

ClawHavoc uses three attack techniques in combination, all documented by Repello and Koi:

First, **prompt injection** embedded in skill descriptor files — the SKILL.md and accompanying metadata that the agent ingests as authoritative system instructions. A malicious descriptor can include lines that direct the agent to exfiltrate environment variables, recent conversation history, or local file contents to a remote endpoint the moment the skill is activated. The agent has no native distinction between 'instructions from the user' and 'instructions from a skill manifest.' Both are text in the context window.

Second, **hidden reverse shells delivered as fake pre-requisites**: 335 of the ClawHavoc skills declared a system-level dependency that the install wizard offered to fetch automatically. The dependency name was harmless-looking. The binary it delivered was AMOS — Atomic Stealer, a macOS commodity infostealer. AMOS reads `~/Library/Keychains`, every Chrome, Brave, and Firefox profile, common SSH paths, and known crypto wallet directories, then ships the haul to a hardcoded command-and-control endpoint over plain HTTPS. The Repello write-up names 12 distinct C2 domains across the campaign.

Third, **CVE-2026-25253** in the OpenClaw Control UI. The `gatewayUrl` query parameter is passed to the agent without sanitization. An attacker sends a crafted URL — a single click in a browser that has OpenClaw running — and the agent's authentication tokens exfil to the attacker's server. CVSS 8.8 reflects three things: network-attackable, requires no authentication, and yields full session compromise. The agent will continue running normally; the attacker just has a copy of its credentials.

The combination matters. CVE-2026-25253 alone is a phishing CVE: bad, common, fixable. The 824 malicious skills alone are a registry hygiene problem: bad, common, partially fixable. The two together are the supply chain pattern that infected 300,000 estimated OpenClaw users between October and February — the registry was the entry, the CVE was the lateral move, and AMOS was the cash-out.

The temptation is to read ClawHavoc as proof that public skill marketplaces are unworkable. That overstates what the data actually shows. The malicious-skill rate fell from twelve percent to six percent across the same window the marketplace grew almost five-fold. ClawHub's curation team is matching upload volume better than the headlines suggest. This is the same rate-vs-volume curve the npm registry walked between 2018 and 2021, before signing and provenance attestation became table stakes.

The solvable problem is the latency between upload and quarantine. The unsolvable problem — assuming a free-upload public registry stays free-upload — is the rate of malicious uploads themselves. The npm fix worked: mandatory publisher 2FA, sigstore-backed provenance, and removing anonymous publishing as a first-class option. ClawHub will end up there. Until it does, the burden sits with the operator, not the registry. Treat skills the way you'd treat unsigned binaries from a forum post — because that is what most of them currently are.