Threat Research · 2026-02-10 · 10 min read

ClawHub Malware: The Complete Guide to Malicious OpenClaw Skills

The definitive guide to the ClawHavoc campaign and malicious skills in the OpenClaw ecosystem. What they do, how to detect them, and how to clean up.

The ClawHavoc campaign uploaded 1,467 malicious skills to ClawHub over 6 weeks. One skill had 340,000 installs. This is what happened and what you need to know.

What Is ClawHub?

ClawHub is the official skill marketplace for OpenClaw, where users publish and install extensions (called 'skills') that give their agents new capabilities. It's similar to npm for Node.js or the Chrome Web Store for browsers — except with far weaker security controls.

The ClawHavoc Campaign

In January 2026, Koi Security Research disclosed a coordinated malicious skill campaign they called ClawHavoc. Attackers uploaded 1,467 skills across a 6-week period. The campaign used these techniques:

  • Typosquatting: skills named nearly identically to popular legitimate skills
  • Reputation seeding: initial fake installs to inflate install counts and ratings
  • Legitimate-looking descriptions: professional copy, screenshots, version changelogs
  • Delayed payload activation: skills appeared benign for the first few runs
  • Diversification: hundreds of different skills across different categories
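The typosquatting technique in the list above can be checked for locally: compare each installed skill name against a list of popular legitimate skills and flag near-misses. The following is an added example (not code from the original post or from the GitOpenClaw project); the `installed` and `popular` lists in the usage block are constructed sample data, and the edit-distance threshold of 2 is an assumption that should be tuned for short names, where unrelated skills can also sit within two edits of each other.

```python
"""Flag installed skill names that are near-duplicates of popular skills (added example)."""
import re


def normalize(name: str) -> str:
    """Lower-case and strip separators so 'Web_Search' and 'web-search' compare equal."""
    return re.sub(r"[-_.\s]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(installed, popular, max_distance: int = 2):
    """Return (installed_name, popular_name, distance) for every installed skill
    that is not an exact match for a popular skill but lies within max_distance
    edits of one after normalization. Distance 0 means a separator/case variant."""
    popular = list(popular)
    pop_norm = {normalize(p): p for p in popular}
    hits = []
    for name in installed:
        if name in popular:
            continue  # exact match: the legitimate skill itself
        n = normalize(name)
        for pn, p in pop_norm.items():
            d = levenshtein(n, pn)
            if d <= max_distance:
                hits.append((name, p, d))
    return hits


if __name__ == "__main__":
    # Constructed sample data; in practice take `installed` from `openclaw skills list`
    # and `popular` from a trusted list of known-good skill names.
    installed = ["web-serach", "web-search", "gmail-reader", "Web_Search"]
    popular = ["web-search", "gmail-reader"]
    for name, target, dist in find_typosquats(installed, popular):
        print(f"suspicious: {name!r} resembles {target!r} (distance {dist})")
```

Distance 0 hits (separator or case variants of a real name) deserve the closest look, since a user skimming a marketplace listing is unlikely to notice them.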

What Malicious Skills Do

Credential Theft

The most common payload was credential theft. Skills would read ~/.ssh/id_rsa, ~/.aws/credentials, .env files, and browser cookie stores, then send the contents to attacker-controlled infrastructure.

Persistence

Several skills established persistence via crontab, launchd (on macOS), or systemd (on Linux). This allowed them to continue running and reporting even after OpenClaw sessions ended.

Silent Exfiltration

Data exfiltration was disguised as telemetry or analytics calls to domains like telemetry.clawhub-cdn.net — designed to look like legitimate ClawHub infrastructure.

How to Check If You're Affected

  • List your installed skills: `openclaw skills list`
  • Scan each skill URL at GitOpenClaw
  • Check for unexpected crontab entries: `crontab -l`
  • Look for unknown launchd entries: `ls ~/Library/LaunchAgents/`
  • Review outbound network connections from OpenClaw sessions
  • Check if ~/.ssh/id_rsa access timestamps are recent and unexpected
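The checklist above can be scripted. The following is an added example, not code from the original post or from GitOpenClaw: it parses `crontab -l` output and the plists under `~/Library/LaunchAgents` for download-and-run command fragments, checks whether `~/.ssh/id_rsa` has a recent access timestamp, and flags outbound hostnames that carry the "clawhub" brand token without belonging to an official domain. The suspicious-command patterns are a constructed heuristic, `OFFICIAL_DOMAINS` is a placeholder to replace with the marketplace's real domains, and the hostname list in the usage block is constructed rather than read from a live connection table.

```python
"""Host audit for the ClawHavoc indicators in the checklist (added example)."""
import os
import plistlib
import re
import subprocess
import time
from pathlib import Path

# Constructed heuristic: fragments typical of download-and-execute persistence.
SUSPICIOUS_CMD = re.compile(
    r"\b(curl|wget)\b|base64\s+(-d|--decode)|python3?\s+-c|/dev/tcp/|\bnohup\b", re.I
)


def flag_crontab_entries(crontab_text: str) -> list:
    """Return crontab lines whose command part matches a suspicious fragment."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment, or environment assignment such as PATH=...
        if SUSPICIOUS_CMD.search(line):
            flagged.append(line)
    return flagged


def flag_launch_agents(agents_dir) -> list:
    """Return launchd plists under agents_dir whose program arguments look suspicious."""
    agents_dir = Path(agents_dir)
    if not agents_dir.is_dir():
        return []
    flagged = []
    for plist in sorted(agents_dir.glob("*.plist")):
        try:
            with open(plist, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            flagged.append(f"{plist.name}: unparseable plist")
            continue
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        cmd = " ".join(str(a) for a in args)
        if SUSPICIOUS_CMD.search(cmd):
            flagged.append(f"{plist.name}: {cmd}")
    return flagged


def recently_accessed(path, within_seconds: int, now=None) -> bool:
    """True if the file's atime lies within `within_seconds` before `now`.
    Caveat: on volumes mounted noatime/relatime the atime may not advance on
    every read, so False does not prove the key was never read."""
    now = time.time() if now is None else now
    return 0 <= now - os.stat(path).st_atime <= within_seconds


def flag_lookalike_hosts(hosts, official_domains, brand: str = "clawhub") -> list:
    """Hosts carrying the brand token that are not under an official domain."""
    official = {d.lower().strip(".") for d in official_domains}
    out = []
    for h in hosts:
        host = h.lower().strip(".")
        if brand not in host:
            continue
        if any(host == d or host.endswith("." + d) for d in official):
            continue
        out.append(h)
    return out


if __name__ == "__main__":
    OFFICIAL_DOMAINS = {"clawhub.example"}  # placeholder, not a real ClawHub domain
    try:
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron = ""
    print("crontab:", flag_crontab_entries(cron) or "nothing flagged")
    agents = Path.home() / "Library" / "LaunchAgents"
    print("launchd:", flag_launch_agents(agents) or "nothing flagged")
    key = Path.home() / ".ssh" / "id_rsa"
    if key.exists():
        print("id_rsa read in last 24h:", recently_accessed(key, 24 * 3600))
    # Hostnames would normally come from lsof/netstat or a proxy log; constructed sample here.
    observed = ["telemetry.clawhub-cdn.net", "api.clawhub.example"]
    print("lookalike hosts:", flag_lookalike_hosts(observed, OFFICIAL_DOMAINS) or "none")
```

A systemd user unit (`~/.config/systemd/user/*.service`) is the Linux counterpart of a LaunchAgent and would be scanned the same way against `ExecStart=` lines; the script above covers only the crontab and launchd paths named in the checklist.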
