On February 1, 2026, cybersecurity firm Koi Security published a report called “ClawHavoc.” They had reviewed every skill on ClawHub and found 341 that were designed to steal data from users.
The attack was not random. The fake skills targeted people who use OpenClaw for cryptocurrency trading and productivity automation. They had convincing names, working descriptions, and some even had partially functional code. At a glance, they looked real.
One attacker account, “hightower6eu,” was responsible for 314 of the 341 malicious skills. A few other accounts (zaycv, Aslaep123, and a GitHub user called aztr0nutzs) published the rest.
Koi Security actually used an OpenClaw bot called “Alex” to help with the audit. The same tool being targeted by the malware also helped expose it.
What Is ClawHub?
ClawHub is OpenClaw’s marketplace for add-ons called “skills.” Skills extend what OpenClaw can do. For example, a skill might let it manage your email, monitor stock prices, or trade cryptocurrency.
At the time of the security audits, ClawHub had around 3,000 to 4,000 skills available. Anyone with a GitHub account older than one week could publish one. There was no review process, no code inspection, and no verification of who published it.
That openness helped the marketplace grow fast. It also made it easy for attackers to upload malware and wait for people to install it.
Who Found It
This was not a single discovery. Seven different security companies independently found problems on ClawHub in late January and early February 2026:
| Security Firm | What They Found | Date |
|---|---|---|
| Koi Security | 341 malicious skills (ClawHavoc report) | February 1, 2026 |
| Snyk | 76 confirmed malware payloads, 1,467 skills with security issues | February 5, 2026 |
| Bitdefender | About 900 malicious skills (roughly 20% of the marketplace) | February 2026 |
| VirusTotal / Google | Hundreds confirmed malicious | February 2026 |
| CrowdStrike | Enterprise risk assessment and detection tools (source) | February 2026 |
| Bitsight | 30,000+ exposed OpenClaw instances tracked worldwide | February 2026 |
| Zenity | Attacks through connected productivity tools like Google Workspace and Slack | February 2026 |
When seven independent security firms all reach the same conclusion, the problem is real.
How the Attack Works
The malicious skills use different methods depending on your operating system. Here is what happens on each.
On Mac
The main malware is called Atomic Stealer (also known as AMOS). It is a commercial tool sold to criminals for $500 to $1,000 per month. Here is how it reaches your machine:
- You install a skill from ClawHub that looks useful, like a crypto trading bot or a YouTube automation tool.
- The skill tells you (or tells your OpenClaw agent) that you need to install some “prerequisites” to make it work.
- You run a command that looks harmless but actually downloads a hidden script.
- That script connects to the attacker’s server and downloads the real malware.
- The malware runs and silently collects your data.
What it steals:
- Cryptocurrency wallet credentials from over 60 different wallet apps
- Saved passwords and cookies from your browsers
- Your macOS Keychain passwords
- SSH keys (used to connect to servers)
- API keys stored in OpenClaw’s configuration files
You will not see anything unusual happen. The malware runs quietly in the background.
On Windows
The Windows version is simpler:
- You download a file called “openclaw-agent.zip” from GitHub
- The ZIP file is password-protected on purpose, because antivirus software cannot scan password-protected archives
- Inside is a trojan that 18+ antivirus vendors have since flagged
Other Tricks
Not all malicious skills installed separate malware. Some used other methods:
- Hidden backdoors: Skills like “better-polymarket” had working code on the surface, but buried around line 180 was a backdoor that gave attackers remote access to your machine.
- Direct theft: One skill called “rankaj” simply read the file where OpenClaw stores your API keys and sent the contents to the attacker.
- Tricking the AI agent: 91% of malicious skills also included prompt injection, which is a technique that manipulates the AI agent itself into doing things it should not do, like sharing your data or running commands.
How Many Skills Were Affected?
Different researchers counted differently because they used different definitions of “malicious”:
| Source | Confirmed Malicious | Total Security Issues | Skills Scanned |
|---|---|---|---|
| Koi Security | 341 | – | 2,857 |
| Snyk | 76 | 1,467 (36.82%) | 3,984 |
| Bitdefender | ~900 (~20%) | – | ~4,500 |
| VirusTotal | Hundreds | – | 3,016+ |
Koi Security only counted skills that clearly delivered malware. Snyk also flagged skills that leaked credentials or had other security holes. Bitdefender used the broadest definition.
No matter which number you use, the conclusion is the same: a large chunk of the ClawHub marketplace was compromised.
On top of the actual malware, Snyk found that 7.1% of all ClawHub skills (283 out of about 4,000) exposed sensitive credentials like API keys in plain text. Another 10.9% had passwords or secrets hardcoded into their source code. One skill called “buy-anything” v2.0.0 instructed the AI agent to collect users’ credit card numbers.
Who Is at Risk
The exact number of affected users has not been published. Here is what we know:
- Over 30,000 OpenClaw instances were running online between January 27 and February 8, 2026
- At peak, around 8,000 to 9,000 were active at the same time
- Many were running without proper authentication, meaning anyone on the internet could access them
- Affected deployments were found in healthcare, finance, government, and insurance organizations
- The attack focused on macOS users, since many people run OpenClaw around the clock on Mac Minis
The fake skills mostly targeted crypto users. The attackers wanted wallet credentials they could use to steal funds directly.
A Separate Vulnerability: CVE-2026-25253
On top of the ClawHub malware problem, researchers also found a serious bug in OpenClaw itself.
This vulnerability (tracked as CVE-2026-25253, severity score 8.8 out of 10) allowed an attacker to take over someone’s OpenClaw instance with a single click. All they had to do was get the user to click a link. That link would steal the authentication token, turn off all safety confirmations, and give the attacker full control of the machine.
In plain terms: one wrong click and an attacker could read your files, run commands, and access everything your OpenClaw instance had access to.
This was fixed in OpenClaw version 2026.1.29 on January 30, 2026. The Belgian government’s cybersecurity agency issued a public warning urging people to update immediately.
If you run OpenClaw, make sure you are on version 2026.1.29 or newer.
What OpenClaw Has Done About It
Peter Steinberger (OpenClaw’s creator) and the team made several changes after the reports went public:
Reporting system: Users can now flag suspicious skills. If a skill gets 3 or more reports, it is automatically hidden from the marketplace.
VirusTotal scanning (February 8, 2026): Every skill on ClawHub is now scanned by VirusTotal before it goes live. Skills are labeled as safe, suspicious, or malicious. Existing skills are re-scanned every day.
Security roadmap: Steinberger announced plans to publish a full threat model, security roadmap, and audit details at trust.openclaw.ai.
What they admitted: OpenClaw acknowledged that VirusTotal scanning “is not a silver bullet.” Some attacks, especially prompt injection hidden inside a skill’s instructions, can still slip through. They are right about that. Automated scanning catches known malware but cannot reliably detect every creative trick an attacker might use.
It is also worth mentioning that when The Register first contacted OpenClaw about the security problems, they did not get a response. The fixes came after multiple security firms and news outlets put public pressure on the project.
What You Should Do Right Now
If you have ever installed a skill from ClawHub, go through this checklist.
1. Check your installed skills
Look at which skills you have installed. If any came from these accounts, assume your data has been stolen: hightower6eu, zaycv, Aslaep123.
2. Install Clawdex
Koi Security released a free tool called Clawdex that scans your installed skills and checks them against a list of known malicious packages. Install it and run it.
3. Change your passwords and keys
If you think you might be affected:
- Change all API keys stored in your OpenClaw configuration
- Change your passwords for accounts where you saved login credentials in your browser
- Move your cryptocurrency to new wallets with new seed phrases (do this from a different, clean device)
- Generate new SSH keys and remove the old ones from any servers you connect to
- Revoke any access tokens for services connected to OpenClaw
Do not skip the crypto step. The attackers were specifically going after wallet credentials.
4. Update OpenClaw
Make sure you are running version 2026.1.29 or newer. This patches the CVE-2026-25253 vulnerability and removes the option to run without authentication.
5. Be more careful going forward
Before installing any ClawHub skill:
- Check who published it and when their account was created
- Look at the source code, especially for hidden scripts or encoded commands
- Ask yourself if you actually need it
- Check if VirusTotal has flagged it
Why This Matters Beyond OpenClaw
This is not just an OpenClaw problem. It is a preview of what will happen on every AI agent platform that has a skill or plugin marketplace.
AI agents have deep access to your system. OpenClaw can read your files, run commands, manage API keys, and connect to external services. When a malicious skill takes over an AI agent, the attacker gets all of that access. That is more dangerous than a bad browser extension or a shady app, because the AI agent already has the keys to everything.
Anyone could publish on ClawHub. The only requirement was a GitHub account older than one week. No identity verification, no code review. This is the same model used by npm, PyPI, and the Chrome Web Store, and all of those platforms have had similar supply chain attacks. The difference here is that AI agent skills have deeper system access than a typical browser extension.
Prompt injection is a new kind of attack. Traditional malware is a piece of code that does something bad. Prompt injection is different. It tricks the AI agent itself into doing something bad on the attacker’s behalf. Existing security tools like VirusTotal can detect traditional malware but struggle with prompt injection because there is no malicious code to scan for, just carefully worded instructions.
Every platform that connects AI agents to third-party plugins should learn from this:
- Skills should come from verified publishers
- Skills should run in a sandbox with limited permissions
- Skills should not have access to your passwords, SSH keys, or wallets by default
- Sensitive actions like running commands or accessing files should require your explicit approval
Timeline
| Date | Event |
|---|---|
| Late January 2026 | OpenClaw goes viral, reaches 30,000+ online instances |
| January 27-28, 2026 | 177% growth in deployed instances |
| January 30, 2026 | OpenClaw rebrands from MoltBot; CVE-2026-25253 patched in v2026.1.29 |
| February 1, 2026 | Koi Security publishes ClawHavoc report with 341 malicious skills |
| February 5, 2026 | The Register, Snyk, and others publish their findings |
| February 8, 2026 | OpenClaw adds VirusTotal scanning to ClawHub |
| February 2026 (ongoing) | CrowdStrike, Bitdefender, and Bitsight publish enterprise security warnings |
FAQ
How many malicious skills were found?
Depends on who counted. Koi Security found 341. Bitdefender flagged about 900. Snyk found 76 confirmed malware payloads and 1,467 skills with some kind of security issue. The numbers differ because each firm used a different definition of “malicious,” but they all agree the problem is large.
What does the malware actually do?
It steals your data. On Mac, it uses a program called Atomic Stealer that grabs cryptocurrency wallets, browser passwords, saved cookies, SSH keys, and macOS Keychain passwords. On Windows, it delivers a trojan hidden in a password-protected ZIP file.
Am I at risk?
If you installed any third-party skill from ClawHub before February 8, 2026 (when VirusTotal scanning started), you should check. See the “What You Should Do Right Now” section above.
Has this been fixed?
Partially. OpenClaw added VirusTotal scanning, a reporting system, and patched the separate CVE-2026-25253 vulnerability. But they admitted that scanning cannot catch everything. You should still be careful with any skill you install.
Who did this?
The main attacker used a ClawHub account called “hightower6eu” and published 314 malicious skills. Other accounts involved include “zaycv,” “Aslaep123,” and GitHub user “aztr0nutzs.” Their real identities have not been published. Based on their tools and targets, they appear to be financially motivated criminals going after crypto wallets.
Should I stop using OpenClaw?
Not necessarily. The core platform has been patched. The problem was with third-party skills on the marketplace, not with OpenClaw itself. But you should treat ClawHub skills the same way you would treat unknown software from the internet: do not install anything unless you have a good reason and you have checked who made it.
What is CVE-2026-25253?
A separate security bug in OpenClaw (not related to the malicious skills) that let an attacker take over your machine with one click. It was fixed on January 30, 2026 in version 2026.1.29. Update if you have not already.
