The OpenClaw Security Problem: CVEs, Malicious Skills, and What to Do
Published February 27, 2026
OpenClaw is the most popular open-source AI agent framework, with 233K+ GitHub stars and thousands of production deployments. Its skill ecosystem — ClawHub — has 3,286 published skills that extend agent capabilities with integrations for messaging, browsing, file management, and hundreds of other actions.
In January 2026, the ClawHavoc incident exposed a critical problem: 2,419 malicious skills were discovered and removed from ClawHub. That is 42% of the registry at the time. The malicious skills included credential harvesters, crypto miners, reverse shells, and DNS exfiltration tools disguised as legitimate integrations.
The cleanup was fast, but it revealed structural vulnerabilities in how AI agent skills are distributed and installed.
What Happened During ClawHavoc
The ClawHavoc campaign was a coordinated supply chain attack on the ClawHub skill marketplace. Attackers published thousands of skills that appeared legitimate — useful-sounding names, reasonable descriptions, functional code — but included hidden malicious payloads.
The attack patterns fell into five categories:
Credential Harvesting
Skills that extracted API keys, passwords, and tokens from the host environment and exfiltrated them to attacker-controlled servers. These skills often provided real functionality (like a “better clipboard manager”) while silently reading ~/.ssh/, browser credential stores, and environment variables.
Crypto Mining
Skills that spawned background processes to mine cryptocurrency using the host’s CPU and GPU. Because OpenClaw agents often run on machines with significant compute resources, these miners could operate for weeks before being detected through elevated power bills.
Reverse Shells
Skills that established outbound connections to command-and-control servers, giving attackers persistent remote access to the host machine. Because OpenClaw runs with the user’s permissions, a reverse shell has full access to everything the user can access.
DNS Exfiltration
Skills that encoded stolen data (credentials, file contents, environment variables) into DNS queries, sending them to attacker-controlled name servers. DNS exfiltration is difficult to detect because DNS traffic is rarely inspected and is permitted through most firewalls.
Code Obfuscation
Many malicious skills used base64 encoding, eval() calls, dynamic __import__(), and other obfuscation techniques to hide their payloads from casual code review.
The Numbers
| Metric | Value |
|---|---|
| Skills removed | 2,419 |
| Registry size at time of cleanup | ~5,700 |
| Percentage malicious | ~42% |
| Current registry size | 3,286 |
| Known attack categories | 5 (credential theft, crypto mining, reverse shells, DNS exfiltration, obfuscation) |
| Known-malicious npm packages | 6 blocklisted (from ClawHavoc supply chain) |
Why This Keeps Happening
The fundamental issue is that AI agent skill registries face the same supply chain security problems as package managers (npm, PyPI) but with less mature tooling:
1. No mandatory code review. ClawHub skills are published by anyone without security review. The SKILL.md format makes skills easy to write and distribute — which also makes them easy to weaponize.
2. Agents run with user permissions. Unlike browser extensions (sandboxed) or mobile apps (permission-gated), OpenClaw agents run shell commands, read files, and access the network with the installing user’s full permissions. A malicious skill has root-equivalent access.
3. Skills can request broad permissions. OpenClaw’s permission model is coarse-grained. A skill that needs filesystem access to read a config file gets the same permissions as a skill that reads your SSH keys.
4. No runtime monitoring. Once a skill is installed, there is no monitoring of what it actually does at runtime. A skill that passes static analysis can still execute malicious payloads dynamically.
5. Community trust signals are gameable. Download counts, star ratings, and even “verified” badges can be manipulated. The ClawHavoc skills had fake reviews and inflated download numbers.
What You Can Do Today
1. Scan Before You Install
Do not install ClawHub skills blindly. At minimum, review the source code. Better yet, use automated scanning.
We built a free ClawHub Security Scanner that checks skills against 50+ threat patterns, including:
- YARA-based pattern matching for known malicious signatures
- Dependency blocklist checking (6 known-malicious npm packages from ClawHavoc)
- Code obfuscation detection (
eval,base64, dynamic imports) - Credential harvesting pattern recognition
- Reverse shell and network exfiltration detection
The scanner is free, requires no signup, and gives you an A-F security grade with detailed findings.
2. Pin Skill Versions
Never use latest in production. Pin your skill versions and review changes before upgrading. A skill that was safe in v1.0 could be compromised in v1.1 via a hijacked maintainer account.
3. Run Agents in Sandboxed Environments
Do not run AI agents on your development machine or production servers with full user permissions. Use containerized environments with:
- Read-only filesystem mounts where possible
- Network egress controls (block outbound connections to unknown hosts)
- CPU and memory limits (prevents crypto mining from consuming all resources)
- No access to host credential stores (
~/.ssh/,~/.aws/, browser profiles)
4. Monitor Network Traffic
Watch for unusual outbound connections from your agent processes. DNS exfiltration, reverse shells, and data theft all require network access. Tools like tcpdump, Wireshark, or network-level monitoring can catch exfiltration attempts.
5. Use the Community Verified Rule
Skills that have 100+ downloads and are more than 3 months old are statistically less likely to be malicious. New skills with low download counts and no community history deserve extra scrutiny.
How Curate-Me Helps
Our platform addresses the agent security problem at three layers:
Gateway layer. Every LLM API call from your agents passes through the Curate-Me governance chain. PII scanning catches credentials before they reach LLM providers. Cost caps prevent resource abuse from mining or infinite loops.
Execution layer. Managed runners are sandboxed containers with configurable tool profiles. Full dev tools, browser-only, or data-processing-only — each profile restricts what the agent can access. Egress policies control which external services the agent can reach.
Skill scanning layer. The ClawHub Security Scanner runs the same 6-stage pipeline we use internally: OpenClaw native checks, YARA pattern matching, dependency blocklist, VirusTotal integration, LLM code review, and manual review queue for high-risk findings.
The Bigger Picture
The OpenClaw security problem is not unique to OpenClaw. Every AI agent framework with a skill or plugin ecosystem faces the same risks. LangChain tools, CrewAI components, AutoGen plugins — any executable code that extends an agent’s capabilities is a potential attack vector.
As AI agents become more autonomous and gain more capabilities, the attack surface grows. The industry needs:
- Mandatory security scanning for skill registries (like npm audit but for AI skills)
- Runtime sandboxing as the default, not an afterthought
- Governance policies that restrict what agents can do, not just what they can say
- Audit trails that record every action an agent takes in production
The ClawHavoc cleanup removed 2,419 malicious skills. The next supply chain attack is a matter of when, not if.
Scan your ClawHub skills for free at dashboard.curate-me.ai/scanner . No signup required. 50+ threat patterns. A-F security grade in seconds.
Curate-Me is the governance layer for AI agents. Cost caps, PII scanning, rate limiting, HITL approvals, managed runners, and a full audit trail — zero code changes.