CyberDesserts — ClawHavoc malicious skill campaign
AI relevance: OpenClaw skills execute with agent-level permissions, so a supply-chain campaign like ClawHavoc turns “install a skill” into full host compromise.
- CyberDesserts reports 1,184+ malicious skills identified across ClawHub, with ClawHavoc traced to a coordinated actor.
- Repello AI tied 335 skills to the ClawHavoc operator; Antiy CERT classified the malware as Trojan/OpenClaw.PolySkill.
- The campaign surged between Jan 27–31, 2026, and variant package names remain discoverable after takedowns.
- ClawHavoc uses ClickFix-style social engineering: fake error prompts convince users to paste base64 commands that drop Atomic Stealer.
- Bitdefender identified parallel campaigns: AuthTool (reverse shell on prompt trigger), Hidden Backdoor (fake Apple update + tunnel), and Credential Exfiltration from ~/.clawdbot/.env.
- The study stresses that malicious skills inherit terminal, filesystem, and API-key access granted to the agent.
Why it matters
- AI agent ecosystems collapse traditional trust boundaries — a single poisoned skill can grant system-wide access.
- Prompt injection is now paired with classic malware delivery, blending social engineering with supply-chain compromise.
- The ClawHavoc scale suggests marketplace hygiene alone isn’t enough without runtime isolation and credential hardening.
What to do
- Vet skills before install: pin versions, review source, and prefer signed or curated registries.
- Harden agent permissions: least-privilege tokens, read-only mounts, and isolated execution sandboxes.
- Detect ClickFix patterns: block workflows that ask users to paste opaque commands.
- Monitor for exfiltration: alert on unexpected outbound connections or API-key access.