The campaign, tracked as ClawHavoc, targeted ClawHub, the official skill marketplace for OpenClaw, an open-source AI agent platform that allows users to install add-ons for tasks such as browser automation, file handling, coding support, messaging, crypto tracking and productivity workflows. The scale of the compromise marks one of the most serious tests yet for agent ecosystems, where third-party code can sit close to sensitive local files, credentials, browser sessions and business data.
A full scan of nearly 50,000 ClawHub skills found malicious packages tied to 12 compromised publisher accounts. The operation combined typosquatting, inflated download signals, ranking manipulation and staged payload delivery. Some packages impersonated legitimate tools or used names designed to catch users who mistyped common commands. Others appeared as popular utilities for wallets, social media, PDF handling, calendar management, coding and security scanning.
The attack moved beyond traditional malware distribution because the target was not only the human user. AI agents that select tools based on ranking, relevance or popularity can be tricked into installing poisoned skills without the same caution a developer might apply during manual review. That makes marketplace manipulation a direct infection route in agentic systems.
Early findings on ClawHavoc identified 341 malicious skills in February after a sweep of the ClawHub registry. Follow-up scans showed the count rising as the marketplace expanded, with later tallies placing the historical number of malicious skills at 1,184. The latest installation figure of 247,693 indicates that the campaign reached far beyond experimental uploads and entered active user environments.
The payloads focused on credential theft, crypto-wallet compromise, SSH key harvesting, browser password extraction and secret exfiltration. Some macOS-focused attacks delivered Atomic macOS Stealer, a commodity infostealer known for targeting browser data, keychains, Telegram sessions and cryptocurrency wallet files. Windows users were also exposed through trojanised downloads and deceptive installation instructions.
A common technique involved placing malicious instructions inside skill documentation, especially under “prerequisites” or setup sections. Users were told that a runtime component or helper utility was required before the skill could operate. The command or downloaded file then triggered a second-stage payload from attacker-controlled infrastructure. Password-protected archives and obfuscated shell commands helped bypass automated scanners.
The incident highlights a structural weakness in AI-agent marketplaces. A skill is not merely a plug-in with limited user-interface permissions. It can contain natural-language instructions, scripts, dependencies and workflows that influence how an agent behaves. When an agent has access to local files, shell commands, browser sessions or enterprise tools, a malicious skill can turn that access into an attack path.
OpenClaw’s popularity has made ClawHub a high-value target. The platform’s appeal lies in allowing users to extend an agent rapidly, but the same openness creates pressure on moderation, publisher verification and automated scanning. Earlier controls, including VirusTotal integration and ClawScan screening, were not enough to stop evasive uploads, inflated files and packages whose risky behaviour was embedded in instructions rather than obvious executable malware.
Security researchers have also warned that scanner disagreement is a growing problem. Some tools detect bundled malware, while others identify prompt-level abuse, suspicious permissions or semantic risks in the skill’s instructions. A single allow-or-block decision can miss threats that sit between conventional malware detection and agent-behaviour analysis.
The campaign has pushed attention towards layered defences. These include publisher provenance checks, mandatory code review for high-risk categories, stricter limits on shell execution, sandboxing, clear permission prompts, signed packages, download anomaly detection and continuous rescanning after publication. Enterprise users are being urged to maintain internal allowlists and avoid installing marketplace skills directly into production environments.
The broader concern is that AI agents are being connected to email, cloud drives, messaging platforms, development environments and financial tools faster than governance models are maturing. A poisoned skill in such an environment can do more than steal files. It can influence decisions, automate transactions, send messages, scrape internal systems or prepare further compromise.
ClawHavoc also shows how familiar software supply-chain tactics are being adapted for agentic AI. Typosquatting, fake publishers, staged payloads and popularity manipulation have long affected package managers and browser extensions. The difference is that agent marketplaces introduce a new trust layer in which the user, the agent and the skill may each assume the others have verified the risk.
Also published on Medium.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
