12% of OpenClaw Skills Were Malicious: How to Vet What You Install | OpenClaw DC

What happened: the ClawHavoc campaign

In early March 2026, security researchers at Cisco published findings on a coordinated malware campaign targeting OpenClaw users. They called it ClawHavoc. The scope was alarming: 341 malicious skills had been uploaded to ClawHub, the main public registry for OpenClaw skills, out of a total of roughly 2,857 skills available at the time. That is approximately 12% of the entire registry.

The campaign was not a single burst. Uploads began in late January 2026 and continued through February, with attackers creating dozens of throwaway accounts to publish skills across popular categories like file management, API integrations, and productivity automation. Each skill appeared functional on the surface. Names mimicked legitimate tools. Descriptions were polished. Some even included working demo videos.

Cisco’s analysis identified 42,000+ exposed OpenClaw instances across 82 countries that were potentially vulnerable. Many of those instances had installed at least one ClawHavoc skill without any review process in place.

If you are new to OpenClaw and want to understand the basics before diving into security, start with our introduction to OpenClaw.

What the malicious skills actually did

The ClawHavoc skills fell into three categories based on their payload.

Data exfiltration. The most common behavior was silently reading local files and environment variables, then sending them to attacker-controlled endpoints. API keys, SSH credentials, .env files, browser cookies, and wallet seed phrases were all targeted. The exfiltration calls were disguised as analytics pings or update checks, making them difficult to spot in network logs without careful inspection.

Prompt injection. A subset of skills embedded hidden instructions designed to override user-defined agent behavior. When OpenClaw loaded these skills, the injected prompts told the agent to execute attacker commands, download secondary payloads, or alter outputs in ways the user never authorized. This is particularly dangerous because the user sees normal-looking responses while the agent quietly acts on the attacker’s instructions in the background.

Credential theft and persistence. Some advanced variants modified the local OpenClaw configuration to ensure the malicious skill would reinstall itself after removal. Others added cron jobs or launch agents to maintain access even if the user uninstalled OpenClaw entirely. A few targeted the OpenClaw gateway token, giving attackers remote access to the instance.

How to vet a skill before installing: 5-step checklist

Do not install any ClawHub skill without running through these steps first. This takes five minutes and can save you from a compromised machine.

Step 1: Read the source code

Every ClawHub skill has a source repository. Clone it and read the code before installing.

git clone https://clawhub.dev/skills/<skill-name>

Look for any file that makes outbound HTTP requests, reads files outside the skill’s own directory, or accesses environment variables. If the repository is private or the code is not available, do not install the skill.

Step 2: Check the author’s history

openclaw skills info <skill-name> --author

Look at the author’s account age, number of published skills, and whether they have a verified GitHub profile linked. A brand-new account with a single high-value skill is a red flag.

Step 3: Search for known malicious indicators

openclaw skills scan <skill-name>

This command, available in OpenClaw 3.13 and later, runs a local static analysis pass on the skill manifest and entry points. It checks for obfuscated code, base64-encoded strings, and known ClawHavoc signatures.

Step 4: Review the permission manifest

Every skill declares what it needs access to in its manifest.yaml. Compare what the skill claims to do with what it asks for.

openclaw skills permissions <skill-name>

A calendar reminder skill should not need network access to arbitrary domains. A text formatting skill should not need file system write access. If permissions do not match the described functionality, walk away.

Step 5: Test in a sandboxed environment

openclaw sandbox run <skill-name> --isolated

Run the skill inside an isolated sandbox before adding it to your main instance. Monitor network traffic and file access during the test. If anything reaches out to unexpected endpoints, remove it immediately.

For a broader security hardening approach, see our full OpenClaw security checklist.

Red flags that should stop you from installing

Keep this list handy when browsing ClawHub. Any one of these is reason enough to skip a skill.

• Obfuscated or minified code. Legitimate skill authors have no reason to hide their source. If the main logic is packed into unreadable one-liners or base64-encoded blobs, it is hiding something.
• Excessive permissions. A skill that requests access to your entire file system, all environment variables, and unrestricted network access is either poorly designed or deliberately overreaching.
• New author with no history. An account created in the last 30 days with one or two skills and no linked GitHub profile matches the ClawHavoc pattern exactly.
• No linked source repository. If you cannot read the full source code before installing, you are trusting a stranger with access to your machine.
• Unusual network calls in the code. Any hardcoded IP addresses, URL-shortener links, or requests to domains unrelated to the skill’s purpose should be treated as hostile.
• Skill names that mimic popular tools. Typosquatting is common. Double-check that you are installing “gmail-sync” from a verified author, not “gmai1-sync” from a new account.

How ClawHub responded

After Cisco published the ClawHavoc report, the ClawHub team took several steps.

Immediate removal. 2,419 skills were flagged and removed from the registry, including the 341 confirmed malicious packages and an additional set that exhibited suspicious behavior patterns.

VirusTotal integration. All new skill submissions are now scanned through VirusTotal before they appear in the public registry. This catches known malware signatures but will not stop novel attacks or clean-looking prompt injection payloads.

Author verification. ClawHub introduced a verified author badge tied to GitHub account linking and a minimum account age requirement. Skills from unverified authors now display a warning banner.

Skill review queue. High-permission skills are routed through a manual review process before publication. The ClawHub team has acknowledged that this creates delays but considers it necessary given the scale of ClawHavoc.

These are meaningful improvements. However, no automated system catches everything. Manual vetting on your end is still the single most effective defense. VirusTotal will not flag a skill that uses clean code to read your .env file and POST its contents to an attacker’s server using a legitimate-looking API endpoint.

What you should do right now

If you have an existing OpenClaw setup, audit your installed skills immediately.

openclaw skills list --installed
openclaw skills scan --all

Remove anything you did not manually vet. Then follow the five-step checklist above before reinstalling any skill you actually need.

If you are setting up OpenClaw for the first time, follow our installation guide and apply the security checklist before adding any skills from ClawHub.

The OpenClaw ecosystem is powerful and most of the community builds genuinely useful tools. But 12% of a public registry being compromised is a serious wake-up call. Treat every skill like software you download from the internet, because that is exactly what it is.

Need help auditing your OpenClaw setup or vetting skills for your team? Book a Call and we will walk through it with you.