Incident

ClawHavoc: anatomy of a skill-marketplace attack

In February 2026, ClawHub showed how an agent-skill marketplace gets weaponized: security researchers found over a thousand malicious skills that were disguised or typosquatted and carried credential-theft and remote-control payloads.


What happened

Auditing the roughly 14,000 publicly listed ClawHub skills, researchers found 1,184 malicious ones — an infection rate of nearly 8.5%. 335 of them belonged to a single coordinated operation called ClawHavoc. The targets were macOS and Windows machines, especially always-on machines (such as Mac minis) where OpenClaw runs permanently as an agent host.

The tricks

Typosquatting: many skills imitated legitimate names — clawhubb, cllawhub, clawhubcli — to catch accidental installs from users clicking quickly through the marketplace.

Disguise: others posed as in-demand tools — crypto wallets, Polymarket trading bots, YouTube utilities, auto-updaters, Google Workspace integrations.

One skill that posed as a legitimate Polymarket tool secretly ran a command that gave the attacker full remote control over the system.
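The typosquatting pattern described above can be checked before install by comparing a skill name against names you already trust. The following is an added example, not code from ClawHub, OpenClaw or PoisonZero; the `TRUSTED` allowlist, the verdict labels and the distance threshold are assumptions made for illustration.

```python
"""Added example: flag skill names that imitate a trusted name."""

# Assumption: a locally maintained allowlist of skill names you trust.
TRUSTED = {"clawhub"}

def normalize(name: str) -> str:
    """Lowercase and drop separators so 'Claw-Hub' compares equal to 'clawhub'."""
    return "".join(c for c in name.lower() if c.isalnum())

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(name: str, trusted=TRUSTED):
    """Return (verdict, trusted_name_it_resembles_or_None)."""
    if name in trusted:
        return ("trusted", name)
    n = normalize(name)
    for t in sorted(trusted):
        tn = normalize(t)
        if n == tn:
            return ("separator-variant", t)   # differs only in case/punctuation
        if osa_distance(n, tn) <= max(1, len(tn) // 4):
            return ("near-miss", t)           # doubled, dropped or swapped letter
        if tn in n:
            return ("affix", t)               # trusted name plus extra text
    return ("no-match", None)                 # not a lookalike; still unvetted

if __name__ == "__main__":
    # Names quoted in the article, plus two constructed ones.
    for s in ["clawhub", "clawhubb", "cllawhub", "clawhubcli", "weather-report"]:
        print(f"{s:16} {classify(s)}")
```

A `no-match` verdict only means the name does not resemble an allowlisted one; it says nothing about what the skill does, which is the disguise case in the next paragraph.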

What the skills did

Why "verified" wasn't enough

A marketplace checks origin and version, not intent. A typosquat is a perfectly "legitimate" upload. That's exactly the gap described in Skills as the entry point: verification isn't security.

How PoisonZero stops this

PoisonZero operates one layer deeper than the marketplace — at write access. The daemon monitors ~/.openclaw/skills and the config files locally:

More on the mechanism: Memory Poisoning and Supply-chain worms.

Protect your OpenClaw skills.

PoisonZero evaluates every write to ~/.openclaw/skills — and stops disguised skills fail-closed.
