The Invisible Attack: How 800+ Malicious Skills Turned OpenClaw Into a Shadow-AI Nightmare

The Lure and the Catch

Oren Yomtov's OpenClaw bot, named Alex, had a good reason to be suspicious. The bot spent its days installing new skills from ClawHub, OpenClaw's community marketplace — the same way a developer might pull packages from npm. But ClawHub had grown to over 2,800 skills, and nobody was vetting them. So Yomtov asked Alex to audit every single one.

The bot found 341 malicious entries. That was February 1st. By February 16th, with the registry grown to 10,700 skills, the count had reached 824 — nearly 20 percent of everything available, according to Koi Security's ongoing monitoring. The campaign, which Yomtov named ClawHavoc, had planted AMOS — Atomic macOS Stealer — behind fake crypto tools, YouTube utilities, and Polymarket bots. Koi Security traced the malware to a single C2 IP address: 91.92.242.30. AMOS sells for $500 to $1,000 per month as malware-as-a-service and steals browser credentials, SSH keys, cryptocurrency wallets, and Telegram sessions.

The kill chain was not complicated. A developer installs what looks like a legitimate skill — solana-wallet-tracker, say, or polymarket-trader. The SKILL.md documentation includes a prerequisites section instructing the user to paste a script from glot.io into their terminal. The script fetches a password-protected ZIP from an attacker-controlled server, bypassing antivirus through the archive's encryption. Inside is the AMOS binary. By the time the developer notices, their credentials are gone.

A Developer Problem, Not Just an OpenClaw Problem

OpenClaw's crisis is specific to OpenClaw. The structural gap it exposed is not.

The security industry built two distinct layers of supply-chain defense. SAST — static application security testing — scans source code for injection flaws, hardcoded secrets, and insecure patterns. SCA — software composition analysis — checks dependency versions against known vulnerability databases, generating the SBOMs that enterprise security teams audit before deployment. Together they cover the waterfront of how software used to be compromised: through code, or through the packages code depends on.

SKILL.md files are neither. They are markdown documents with YAML frontmatter. They contain natural-language instructions telling an AI agent what the skill does, how to configure it, and what commands to run. They look like documentation. A human code reviewer would wave them through because none of it is executable code.

But an AI agent parses those instructions as operational directives — and acts on them with the full credential scope of the developer who installed the skill.

Snyk audited 3,984 skills from ClawHub and skills.sh in February 2026. The results: 36.82 percent contained at least one security flaw. 13.4 percent had critical issues, of which 76 were confirmed to contain active malicious payloads — not accidental overpermissions, but deliberate credential theft, reverse shells, and data exfiltration. The poisoned files do not trigger a CVE. They do not appear in an SBOM. No mainstream scanner has a detection rule for them, because the category did not exist eighteen months ago.

The attack community noticed. Simon Willison and Palo Alto Networks coined the term "Lethal Trifecta" to describe the condition that makes a skill especially dangerous: simultaneous access to private data (SSH keys, API credentials, wallet files), exposure to untrusted content (skill instructions, memory files, email), and the ability to communicate externally (network egress, webhook calls, curl). Most production agent deployments today satisfy all three, according to the OWASP Agentic Skills Top 10 project.

The Invisible Attack That Already Happened

The April publication from researchers at Griffith University, Nanyang Technological University, the University of New South Wales, and the University of Tokyo — documented in VentureBeat's coverage — gave the structural gap a name: Document-Driven Implicit Payload Execution, or DDIPE. Across four agent frameworks and five language models, DDIPE achieved bypass rates between 11.6 and 33.5 percent. Static analysis caught most samples. 2.5 percent evaded all four detection layers.

But ClawHavoc was not a proof-of-concept. The AMOS malware was real. The stolen credentials were real. A documented production incident from April 2026 — covered by VentureBeat — saw a crafted GitHub issue title trigger an AI triage bot wired into Cline, exfiltrating a GITHUB_TOKEN that attackers used to publish a compromised npm dependency. Roughly 4,000 developer machines received a second-stage payload. Eight hours of access. No human approved the action.

Carter Rees, VP of AI at Reputation, gave VentureBeat the architectural diagnosis: "A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions." A compromised skill running on that flat plane does not need to escalate privileges. It already has them.

The Fix Industry Catches Up

Cisco shipped an open-source Skill Scanner in April. Snyk released mcp-scan for behavioral analysis of agent instruction files the same month. Merritt Baer, CSO of Enkrypt AI and former Deputy CISO at AWS, told VentureBeat that the response is following a familiar pattern: "This feels very similar to early container security, but we're still in the 'we'll get to it' phase across most orgs." At AWS, she said, it took high-profile wake-up calls before container security became table stakes.

The difference this time is speed, and the absence of a compilation barrier. "There's no build pipeline, no compilation step," Baer said. "Just content." CLI-Anything — the Hong Kong University Data Intelligence Lab tool that generates SKILL.md files for any open-source repository, reaching 30,000 GitHub stars since March — is the accelerant. Every star is a developer who may soon be operating a CLI-generated skill with no SAST rule, no SCA entry, and no CVE category.

What Security Teams Can Actually Do

The OWASP Agentic Skills Top 10 project, published in March 2026, provides the procurement framework. AST01 — Malicious Skills — is the entry point: audit every SKILL.md, MCP config, and rules file in the environment the same way you audit package.json or requirements.txt. Restrict agent execution privileges so a compromised skill cannot reach SSH keys, cloud credentials, or browser session storage. Instrument runtime observability — what data is the agent accessing, what actions is it taking, and are those aligned with expected behavior?

The inventory question comes first. SecurityScorecard identified 135,000-plus internet-exposed OpenClaw instances as of February 2026. Bitdefender GravityZone telemetry confirmed OpenClaw deployments on corporate endpoints — not BYOD experiments, but machines on enterprise networks running a tool that an IT department had never approved, evaluated, or secured. This is the new shape of shadow AI: not the consumer chatbot an employee opened in a browser, but an autonomous agent with terminal permissions, persistent memory, and access to every credential the developer who installed it possessed.

The ClawHavoc campaign is not over because it was patched. It is over because most of the victims do not know they were hit. That is the definition of a successful supply-chain attack — and the reason the structural gap matters more than the specific vulnerability.

The vulnerability that started it — CVE-2026-25253, rated CVSS 8.8 — was patched in OpenClaw version 2026.1.29 on January 30th. The skills marketplace has been audited and cleaned. But the 824 malicious skills Koi Security found represent only what anyone has looked for. Nobody has scanned what they have not yet thought to look for. That is the supply chain problem the security industry is now racing to close.