ClawHavoc is the largest coordinated supply-chain attack targeting an AI agent ecosystem to date. 335 malicious skills were uploaded to ClawHub, the primary registry for OpenClaw, distributing the Atomic macOS Stealer (AMOS) through seemingly legitimate productivity tools. The campaign ran for weeks before detection and affected an unknown number of users.
This article is a technical breakdown of how ClawHavoc worked, why it succeeded, and what it means for the broader OpenClaw security crisis.
Attack Timeline
Initial seeding. The first wave of skills is uploaded to ClawHub under multiple author accounts. Skills appear to be legitimate productivity tools: code formatters, writing assistants, project management integrations.
Trust manufacturing. Star counts are artificially inflated. Positive reviews are posted from coordinated accounts. Some skills gain "trending" status on ClawHub.
Payload activation. After establishing credibility, skills push updates that include the AMOS infostealer payload. The malicious code is obfuscated and triggered only after the skill has been running for several sessions.
VirusTotal integration. ClawHub adds VirusTotal scanning. Some low-effort malicious skills are detected and removed. The sophisticated ClawHavoc skills pass automated scanning.
Discovery and disclosure. Security researchers identify the coordinated campaign. Cisco publishes initial findings. ClawHub begins a manual review process.
Attack Techniques
1. Manufactured Trust
The ClawHavoc operators didn't rely on users stumbling across their skills. They actively manufactured trust signals. Cisco's investigation found that star counts on ClawHub skills were artificially inflated through coordinated accounts. Some skills showed hundreds of stars within days of publication, which is impossible for organic growth from an unknown publisher.
Positive reviews were posted by the same network of accounts. The reviews were grammatically correct, specific enough to seem genuine, and mentioned features that the skill actually provided. The legitimate functionality was real; the malicious payload was hidden behind it.
2. Delayed Payload Activation
This was the critical technique that bypassed automated detection. The skills were initially clean. At the time of upload and first scan, they contained only legitimate code. The malicious payload was introduced through a "minor update" days or weeks after the skill had established credibility.
Some variants used conditional activation: the payload only triggered after the skill had been running for a minimum number of sessions, or after detecting specific system characteristics (macOS, presence of crypto wallets, etc.).
3. Code Obfuscation
The AMOS payload was delivered through multiple obfuscation layers:
- Base64-encoded strings decoded at runtime
- Split payloads spread across multiple files, assembled only during execution
- Legitimate API calls used for exfiltration, sending data through real services rather than obvious C2 servers
- Dynamic code loading from external URLs that changed frequently
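A triage pass over the first, second and fourth layers above, written as an added example rather than code from the campaign or from ClawHub. It assumes a skill can be read as a set of text source files; the regexes, file names and sample URL are constructed for illustration. It also shows why per-file matching misses a split string while joining the fragments does not.

```python
import base64
import re

B64 = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")
EXEC = re.compile(r"\b(eval|exec)\s*\(")
FETCH = re.compile(r"\b(fetch|urlopen|requests\.get)\s*\(")
RISKY = re.compile(r"https?://|osascript|/bin/(ba)?sh", re.I)

def decoded_text(literal):
    """Return the UTF-8 text behind a base64 literal, or None if it is not one."""
    if len(literal) % 4:
        return None  # a lone fragment of a split string usually fails here
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except ValueError:
        return None

def triage(files):
    """files maps name -> source text; returns sorted (file, finding) pairs."""
    findings, fragments = set(), []
    for name in sorted(files):
        src = files[name]
        if FETCH.search(src) and EXEC.search(src):
            findings.add((name, "remote content reaches eval/exec"))
        for literal in B64.findall(src):
            text = decoded_text(literal)
            if text is None:
                fragments.append(literal)  # possibly one piece of a split payload
            elif RISKY.search(text):
                findings.add((name, "base64 literal hides a URL or command"))
    # Heuristic: join undecodable pieces in file order, as a loader would at runtime.
    joined = decoded_text("".join(fragments))
    if joined and RISKY.search(joined):
        findings.add(("<joined>", "fragments from several files decode to a URL or command"))
    return sorted(findings)

# Constructed sample: a harmless URL, encoded and split across two files.
ENCODED = base64.b64encode(b"https://cdn.example.invalid/stage2.js").decode()
SAMPLE = {
    "a_strings.py": f'P1 = "{ENCODED[:18]}"\n',
    "b_strings.py": f'P2 = "{ENCODED[18:]}"\n',
    "loader.py": "code = urlopen(url).read()\nexec(code)\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The join step is a heuristic: it only works when the fragments are the sole undecodable literals and appear in assembly order, so a hit is a reason for manual review, and a miss proves nothing.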
4. Multi-Account Infrastructure
The campaign used dozens of distinct ClawHub accounts. Each account published only a few skills, making it harder to identify the network. The accounts were created at different times and had varying activity patterns to appear organic.
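The two registry-side signals described in sections 1 and 4, star bursts right after publication and the same accounts starring skills from unrelated publishers, can be checked together. This is an added example, not ClawHub or Cisco tooling; the record layout, thresholds and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

def early_star_counts(skills, stars, window=timedelta(days=7)):
    """Stars each skill received within `window` of its publication."""
    counts = defaultdict(int)
    for skill, _account, when in stars:
        if when - skills[skill][1] <= window:
            counts[skill] += 1
    return dict(counts)

def shared_audiences(skills, stars, min_jaccard=0.5):
    """Pairs of skills from different publishers starred by largely the same accounts."""
    fans = defaultdict(set)
    for skill, account, _when in stars:
        fans[skill].add(account)
    pairs = []
    for a, b in combinations(sorted(fans), 2):
        if skills[a][0] == skills[b][0]:
            continue  # one publisher's own skills may share real fans
        jaccard = len(fans[a] & fans[b]) / len(fans[a] | fans[b])
        if jaccard >= min_jaccard:
            pairs.append((a, b, round(jaccard, 2)))
    return pairs

def suspicious_skills(skills, stars, min_early=100):
    """Skills with a star burst at launch AND an audience shared with another publisher."""
    early = early_star_counts(skills, stars)
    flagged = set()
    for a, b, _ in shared_audiences(skills, stars):
        flagged.update(s for s in (a, b) if early.get(s, 0) >= min_early)
    return sorted(flagged)

# Constructed sample data: skill -> (publisher, published_at), and (skill, account, starred_at).
SKILLS = {
    "fmt-pro": ("pub_a", datetime(2026, 1, 5)),
    "write-buddy": ("pub_b", datetime(2026, 1, 6)),
    "git-notes": ("pub_c", datetime(2025, 6, 1)),
}
STARS = (
    [("fmt-pro", f"s{i}", datetime(2026, 1, 5) + timedelta(hours=i % 72)) for i in range(120)]
    + [("write-buddy", f"s{i}", datetime(2026, 1, 6) + timedelta(hours=i % 72)) for i in range(10, 130)]
    + [("git-notes", f"u{i}", datetime(2025, 6, 1) + timedelta(days=5 * i)) for i in range(40)]
)

if __name__ == "__main__":
    print(shared_audiences(SKILLS, STARS), suspicious_skills(SKILLS, STARS))
```

Because each publisher account released only a few skills, the overlap is computed across publishers; per-publisher statistics alone would not connect the accounts.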
What AMOS Steals
The Atomic macOS Stealer is a well-documented infostealer that targets macOS systems. In the context of OpenClaw, it has access to everything the agent can reach:
- macOS Keychain: All stored passwords, certificates, and secure notes
- Browser credentials: Saved passwords and autofill data from Chrome, Firefox, Safari, Brave
- Cryptocurrency wallets: Seed phrases and private keys from MetaMask, Phantom, Exodus, and others
- Cloud service tokens: AWS, GCP, Azure credentials; OAuth tokens for connected services
- Session cookies: Active sessions for email, banking, social media
- AI agent configuration: Hudson Rock documented the first case of AMOS stealing a complete OpenClaw agent identity: memory, personality, authentication tokens, and conversation history
Why Automated Scanning Failed
VirusTotal was integrated into ClawHub in February 2026. It catches:
- Known malware signatures (ClawHavoc used custom obfuscation)
- Static pattern matching (payloads were split and encoded)
- LLM-based content analysis (skill descriptions were professionally written)
It does not catch:
- Delayed payload activation (clean at scan time, malicious later)
- Data exfiltration through legitimate services
- Manufactured trust metrics
- Multi-account coordinated campaigns
For a full comparison of automated vs. human auditing, see Why Security-Audited Skills Matter.
Indicators of Compromise (IOCs)
If you've installed skills from ClawHub in the January-March 2026 timeframe, check for:
- Skills that were recently updated with no changelog or explanation
- Unexpected outbound connections to unfamiliar domains
- New processes running alongside OpenClaw that you didn't start
- Changes to your browser extension list or bookmarks
- Unexplained cryptocurrency transfers
- OAuth token grants you didn't authorize
If you find any indicators, immediately: disconnect from the internet, change all passwords from a different device, revoke all OAuth tokens, and rotate all API keys and cloud credentials.
Defense Strategy
ClawHavoc exploited every layer of the trust model, from ClawHub's lack of verification to users' reliance on star counts. Defending against this type of attack requires a fundamentally different approach:
- Don't trust ClawHub metrics. Star counts, reviews, and download numbers are all manipulable.
- Audit before install. Use the audit guide to review every skill.
- Harden your setup. Follow the 15-step hardening checklist.
- Pin versions. Never allow auto-updates for installed skills.
- Use pre-audited sources. Skills from trusted, security-audited collections eliminate the need to trust ClawHub.
- Monitor agent behavior. Log everything. Investigate anomalies.
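Pinning only counters a delayed payload if the pin covers content, not just a version label. The sketch below is an added example, not part of OpenClaw or ClawHub: it records a SHA-256 manifest when a skill is audited and holds any later update whose files differ. The directory layout, file names and the CHANGELOG.md convention are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(skill_dir):
    """Map every file under skill_dir to the SHA-256 of its bytes."""
    root = Path(skill_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def review_update(pinned, current, changelog="CHANGELOG.md"):
    """Compare an update with the manifest pinned at audit time.

    Returns reasons to hold the update; an empty list means it matches the pin.
    """
    added = sorted(set(current) - set(pinned))
    removed = sorted(set(pinned) - set(current))
    modified = sorted(f for f in set(pinned) & set(current) if pinned[f] != current[f])
    reasons = [f"added: {f}" for f in added]
    reasons += [f"removed: {f}" for f in removed]
    reasons += [f"modified: {f}" for f in modified]
    if reasons and changelog not in added + modified:
        reasons.append(f"content changed with no {changelog} update")
    return reasons

def demo():
    """Constructed skill: pinned when clean, then changed by a 'minor update'."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp, "fmt-pro")
        (skill / "lib").mkdir(parents=True)
        (skill / "README.md").write_text("Formats code.\n")
        (skill / "lib" / "format.py").write_text("def fmt(s): return s.strip()\n")
        pinned = manifest(skill)  # store this next to the audit record
        # Later update: one edited file, one new file, no changelog.
        (skill / "lib" / "format.py").write_text("import helper\ndef fmt(s): return s.strip()\n")
        (skill / "lib" / "helper.py").write_text("# unreviewed code\n")
        return review_update(pinned, manifest(skill))

if __name__ == "__main__":
    for reason in demo():
        print("HOLD:", reason)
```

A held update goes back through the same audit as a new install; the manifest is replaced only after that review.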
FAQ
What is the ClawHavoc campaign?
ClawHavoc is a coordinated supply-chain attack involving 335 malicious skills uploaded to ClawHub. The campaign distributed the AMOS infostealer through seemingly legitimate tools, using manufactured trust and delayed payload activation to avoid detection.
How did ClawHavoc avoid detection?
Multiple techniques: manufactured star counts and reviews, initially clean skills that pushed malicious updates later, code obfuscation, domain fronting through legitimate services, and multi-account infrastructure. See why automated scanners fail for details.
What data does AMOS steal?
macOS Keychain passwords, browser credentials, cryptocurrency wallet seed phrases, cloud service tokens, session cookies, and complete AI agent configurations including memory and authentication tokens.
Last updated: March 4, 2026.
