Malicious Skills Found on ClawHub — Why Professional OpenClaw Setup Matters More Than Ever

If you've seen headlines about malware on ClawHub, take a breath. Yes, the findings are serious. Yes, you should pay attention. But panic doesn't protect you — understanding and action do.

Here's what happened, what it means for your setup, and exactly what to do about it.

---

What Happened

Security researchers published findings in early 2026 from an audit of ClawHub, the largest public repository for OpenClaw skills. The audit identified a significant number of actively malicious skills — designed to steal credentials, install malware, or establish persistent backdoor access to the machines running them.

The campaign has been dubbed "ClawHavoc" by researchers tracking it.

This isn't a theoretical vulnerability or a proof-of-concept exploit. These are skills that real people downloaded, installed, and ran on their machines — in many cases on Mac Minis and other always-on hardware that serves as the backbone of their personal AI infrastructure.

The scale was substantial — a meaningful percentage of all skills audited were compromised. And the attackers weren't amateurs. The campaign shows sophistication in its targeting, distribution, and payload delivery — all designed to exploit the trust that OpenClaw users place in community-contributed skills.

---

How the Attack Works

The ClawHavoc campaign uses several attack vectors, but the most widespread relies on a deceptively simple trick: fake prerequisites.

The Fake Prerequisites Trick

When you install an OpenClaw skill, it can declare prerequisites — other packages or tools it claims to need in order to function. Normally, this is legitimate: a skill that interfaces with Google Calendar might need specific API libraries, for example.

The malicious skills in ClawHavoc abuse this mechanism. They present themselves as useful tools — crypto portfolio trackers, YouTube video downloaders, auto-updaters, Google Workspace integrations — the kinds of skills that feel natural to install. But during installation, their "prerequisites" execute malicious code.

On macOS (the primary target), the prerequisite step runs an obfuscated shell script fetched from glot.io — a legitimate code-sharing platform being abused as a payload host. That script downloads and installs Atomic Stealer (AMOS), a well-known macOS malware, from a command-and-control server at 91.92.242.30.

On Windows, the attack delivers a password-protected ZIP file containing a keylogging trojan. The password is provided in the skill's "installation instructions," which means the user unknowingly participates in bypassing their own security software.

Typosquatting

The attackers also created typosquatted versions of ClawHub itself — domains and repository names like clawhub1, clawhubb, and similar near-misses. Users who misspelled the URL or clicked a slightly-off link could end up downloading compromised skills from what appeared to be the legitimate repository.

Credential Exfiltration

Beyond the AMOS malware payload, six of the malicious skills took a more targeted approach: they installed reverse shell backdoors or directly exfiltrated credentials from ~/.clawdbot/.env — the file where OpenClaw stores API keys, OAuth tokens, and service credentials.

This is particularly dangerous because that .env file is the skeleton key to your entire AI assistant setup. It can contain your OpenAI or Anthropic API keys, messaging platform tokens, email credentials, smart home access keys, and more.

---

What's at Risk

If you've installed a compromised skill, the potential exposure is broad:

• AI API keys — Anthropic, OpenAI, Google, and other LLM provider keys. Attackers can run up thousands of dollars in API charges or use your keys to generate harmful content traced back to you.
• Messaging credentials — Telegram bot tokens, Discord tokens, WhatsApp session data. These give attackers the ability to read your messages, impersonate you, or access private conversations.
• OAuth tokens — Google Workspace, Microsoft 365, and other service tokens that grant access to email, calendar, documents, and cloud storage.
• Smart home credentials — Home Assistant tokens, IoT device keys, smart lock access. If your AI assistant controls your home, a compromised credential means someone else can too.
• Financial data — If your assistant has access to banking notifications, crypto wallets, or financial APIs, those credentials are exposed.
• Persistent system access — AMOS and the keylogging trojan don't just steal what's in the .env file. They can capture everything you type, including passwords, 2FA codes, and private keys entered after the infection.

The ClawHavoc campaign specifically targets people who run OpenClaw on always-on hardware like Mac Minis — which means the malware has 24/7 access to exfiltrate data, and the persistent nature of these setups means a compromised machine can go undetected for weeks or months.

---

How to Check If You're Affected

If you've installed skills from ClawHub — especially in the last six months — take these steps immediately:

1. Audit Your Installed Skills

List every skill you've installed and check them against published indicators of compromise (IOCs) from the security researchers covering ClawHavoc. Pay special attention to:

• Crypto-related tools you don't remember installing
• YouTube or media download utilities
• Skills that claimed to "auto-update" OpenClaw
• Google Workspace integrations from unverified publishers
• Any skill with a suspiciously generic name

2. Check for Suspicious Processes

On macOS, open Activity Monitor and look for processes you don't recognize — particularly any making outbound network connections to unfamiliar IP addresses. In Terminal:

# Check for connections to known C2 server
lsof -i | grep 91.92.242
# Check for suspicious background processes
ps aux | grep -i "atomic\|amos\|stealer"
# Review recent network connections
netstat -an | grep ESTABLISHED

3. Inspect Your .env File

Check when your ~/.clawdbot/.env file was last accessed:

stat ~/.clawdbot/.env
ls -la ~/.clawdbot/.env

If the access time is more recent than you'd expect, or if you see file permission changes you didn't make, treat this as a potential compromise.

4. Review Skill Prerequisites

For any skill you've installed, review what it actually installed as prerequisites:

# Check installation logs
cat ~/.clawdbot/logs/skill-install*.log
# Look for scripts fetched from external sources
grep -r "glot.io\|curl\|wget" ~/.clawdbot/skills/*/

5. Check for Reverse Shells

Look for unexpected outbound connections or listener processes:

# Check for listening ports that shouldn't be there
lsof -i -P | grep LISTEN
# Check crontab for suspicious entries
crontab -l
# Review launch agents on macOS
ls ~/Library/LaunchAgents/

If You Find Something

1. Disconnect the machine from the network immediately. Don't shut it down — that can destroy forensic evidence.
2. Rotate every credential in your ~/.clawdbot/.env file. Every API key, every token, every password. Do this from a different, known-clean device.
3. Revoke OAuth tokens from the provider side (Google, Microsoft, etc.) — don't just change passwords.
4. Check your AI API billing for unauthorized usage spikes.
5. Run a full malware scan using a reputable tool. For AMOS specifically, Malwarebytes and Objective-See's tools have published detection signatures.
6. Consider a clean reinstall if you find evidence of AMOS or the keylogging trojan. These malware families are designed to persist through simple removal attempts.

---

How Professional Setup Protects You

The ClawHavoc campaign exploits a fundamental weakness in the DIY approach to OpenClaw: you're responsible for evaluating every piece of software you install, and the attackers are betting that most people won't do it thoroughly.

That's not a criticism — it's a reality. Most people setting up an AI assistant aren't security researchers. They want their assistant to work, and they trust that a skill repository is safe because it looks safe. The attackers exploit exactly that trust.

This is where professional setup changes the equation:

We Vet Every Skill Before It Touches Your System

At OpenClaw Install, we don't install skills from ClawHub blindly. Every skill goes through a review process before it's added to a client's setup. We read the code. We check the prerequisites. We verify the publisher. If something looks off, it doesn't get installed — period.

Would we have caught ClawHavoc? The obfuscated shell scripts downloading from external servers during "prerequisite" installation are exactly the kind of red flag our review process is designed to catch.

We Configure Proper Permissions and Sandboxing

A properly configured OpenClaw installation doesn't give every skill unrestricted access to your system. We set up granular permissions so that a calendar skill can access your calendar — but not your crypto wallet credentials or your home automation tokens. If a skill is somehow compromised, the blast radius is contained.

We Set Up Isolated Environments

Skills run in isolated environments where they can't access each other's data or reach parts of the system they don't need. This is the difference between a house where every room has the same key and one where each door has its own lock.

We Never Install Unverified Third-Party Skills

Our clients' setups use a curated, tested set of skills. We don't chase the latest ClawHub trending list. Every integration is chosen deliberately, tested thoroughly, and monitored ongoing.

We Audit Credential Storage and Access

Your .env file shouldn't be a flat text file that any process can read. We configure proper credential management — encrypted storage, scoped access, and monitoring — so that even if something goes wrong, your most sensitive credentials aren't sitting in plain text waiting to be exfiltrated.

If you're running OpenClaw and today's news has you questioning your setup, a free consultation is a good place to start. We can review your current configuration, check for signs of compromise, and recommend next steps — whether that's a full managed setup or just targeted hardening.

---

Security Checklist for DIY Users

If you prefer to manage your own OpenClaw installation, here's a 10-item checklist to harden your setup against threats like ClawHavoc:

1. Audit every installed skill. Remove anything you didn't intentionally install or no longer use. Fewer skills means a smaller attack surface.

2. Read skill code before installing. Yes, actually read it. At minimum, check what the prerequisite installation scripts do. If they download from external URLs, investigate before proceeding.

3. Never install skills from typosquatted or unofficial sources. Verify the URL every time. Bookmark the real ClawHub and use only that bookmark.

4. Encrypt your .env file. Don't store API keys and tokens in plain text. Use an encrypted secrets manager or at minimum restrict file permissions to owner-only read (chmod 600).

5. Use scoped API keys wherever possible. If your LLM provider supports it, create keys with the minimum permissions needed. Don't use your root/admin API key for your assistant.

6. Monitor your API billing. Set up billing alerts with every AI provider you use. An unexpected spike in usage is often the first sign of a compromised key.

7. Run your assistant in a sandboxed environment. Use containers (Docker), virtual machines, or at minimum a dedicated user account with restricted permissions. Don't run OpenClaw as root or with your primary user account.

8. Keep your system and OpenClaw updated. Security patches exist for a reason. Run updates regularly and subscribe to OpenClaw's security mailing list.

9. Enable logging and monitor it. Turn on access logging for your .env file and skill installation directory. Review logs weekly at minimum.

10. Have an incident response plan. Know what you'll do before something goes wrong. Which credentials need rotating? Where are your backups? How do you do a clean reinstall? Write it down now so you're not figuring it out during a crisis.

For a deeper dive into securing your self-hosted AI setup, check out our complete guide to self-hosting AI in 2026, which covers security architecture in detail.

---

The Bigger Picture

The ClawHavoc campaign is a wake-up call, but it shouldn't be a surprise. As personal AI assistants become more powerful and more deeply integrated into our lives, they become higher-value targets. An AI assistant that manages your email, calendar, smart home, finances, and communications is — from an attacker's perspective — a single point of compromise that unlocks everything.

The open-source ecosystem that makes OpenClaw powerful is the same ecosystem that makes attacks like ClawHavoc possible. That's not an argument against open source — it's an argument for treating your AI infrastructure with the same security rigor you'd apply to any other critical system.

Whether you handle that yourself or bring in professionals to help, the important thing is that you handle it. Today. Not after the next headline.

---

Next Steps

If you're concerned about your current setup, book a free consultation. We'll review your configuration, check for ClawHavoc indicators, and give you an honest assessment of your security posture — no obligation, no pressure.

If you're ready for a professionally managed setup, check our pricing. Every plan includes skill vetting, credential hardening, sandboxed environments, and ongoing security monitoring.

If you're going the DIY route, bookmark this page, run through the checklist above, and stay vigilant. The community is stronger when everyone takes security seriously.

Stay safe out there.