341 Malicious OpenClaw Skills Discovered Distributing macOS Malware

What Happened

A major supply-chain attack has been uncovered within the ClawHub skill marketplace for OpenClaw bots. Koi Security researcher Oren Yomtov and his AI assistant "Alex" discovered 341 malicious skills targeting OpenClaw users.

The attack, now labeled "ClawHavoc", employed multiple techniques:

• Typosquatting: Over two dozen lookalike packages (e.g., clawhubb, cllawhub, clawhub-cli)
• Malicious Prerequisites: Skills instructed users to download password-protected ZIP files
• Obfuscated Scripts: Hidden shell scripts that install malware

Why It Matters

OpenClaw's rapid growth has created a new attack surface. Permiso's research found that:

• AI agents hold real credentials to email, Slack, SharePoint, and calendar
• Skill marketplaces operate without security scanning
• An entire ecosystem of agent-first platforms is forming faster than anyone can secure them

The attack specifically targeted macOS users with ClickFix malware, designed to:

• Steal crypto wallets
• Harvest API keys
• Install remote access trojans (RATs)

Related Threats

Additional threats in the OpenClaw ecosystem:

1. Fake VS Code Extension: A "ClawdBot Agent" extension claimed to integrate with VS Code but actually installed ScreenConnect and other RATs

2. Telegram/Discord Scams: Links to "cracked" or "premium" OpenClaw versions that are malware droppers

3. CVE-2026-25253: A high-severity RCE vulnerability (CVSS 8.8) allowing one-click remote code execution via malicious links, patched in v2026.1.29

Protection Measures

1. Verify all packages — Only install from official ClawHub
2. Never run suspicious scripts — Avoid "Prerequisites" that require downloading ZIP files
3. Update to latest version — Ensure you have v2026.1.29 or later
4. Audit credentials — Review what access your OpenClaw instance has
5. Use official channels — Avoid "cracked" versions from Telegram/Discord