PERMISSION/PROTOCOL
Back to incident tracker

2026-02-05

CriticalPrimary

ClawHavoc: 1,184 Malicious Skills Uploaded to OpenClaw ClawHub Marketplace Delivering Atomic Stealer Targeting API Keys, SSH Creds, and Browser Passwords

Koi Security disclosed that 1,184 malicious Skills were uploaded across 12 accounts to OpenClaw's ClawHub marketplace. Primary payload: Atomic Stealer (AMOS) targeting exchange API keys, wallet private keys, SSH creds, and browser passwords in ~/.clawdbot/.env. 40,214 internet-exposed OpenClaw instances.

OpenClawCredential exposureMarketplace poisoning: malicious AI skills delivering infostealerOpenClaw instances / developer environments / crypto wallets

What happened

Attackers created 12 coordinated accounts on ClawHub and uploaded 1,184 malicious Skills. When installed, the Skills executed AMOS payloads that read and exfiltrated credentials from ~/.clawdbot/.env (API keys, private keys, SSH credentials) and browser password stores.

Why it matters

40,214 internet-exposed OpenClaw instances potentially targeted. Exchange API keys, cryptocurrency wallet private keys, SSH credentials, and browser passwords exfiltrated from affected instances. Significant financial loss risk for any crypto operator with compromised API keys.

Missing authorization check

AI marketplace Skills should not have unrestricted access to credential files. Skill installation should require human authorization, and Skill file access should be sandboxed with explicit permission required to read credential paths like ~/.clawdbot/.env.

Would PP block it?

If file reads to credential paths (SSH keys, .env files, browser credential stores) required PP receipts, the AMOS payload would face an authorization gate before exfiltrating credentials. Marketplace-level controls (Skill signing, code review) are needed to prevent installation of malicious Skills.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-02-05

    Koi Security discloses ClawHavoc campaign: 1,184 malicious Skills across 12 ClawHub accounts delivering AMOS infostealer to OpenClaw instances.

  2. 2026-02-05

    OpenClaw removes malicious Skills from ClawHub. 40,214 internet-exposed instances identified as potential targets.

Technical breakdown

  • 12 coordinated attacker accounts uploaded 1,184 Skills to distribute load and avoid detection by appearing as independent contributors.
  • Primary payload: Atomic Stealer (AMOS), a known macOS infostealer specifically targeting crypto credentials and browser passwords.
  • Targeted credential paths: ~/.clawdbot/.env (API keys, private keys), SSH credential stores, browser password databases.
  • 40,214 internet-exposed OpenClaw instances provided a large attack surface for drive-by Skill installation.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Skill execution, credential file access gate, network exfiltration
Still needs
Marketplace Skill code review; Skill runtime sandbox; credential file access restrictions
Receipt required for
Skill installation, access to ~/.clawdbot/.env, browser credential reads, SSH key reads

PP's Tool-Call Gate would require receipts for Skill actions accessing credential files. It would not prevent Skill installation itself — that requires marketplace-level review and sandboxing.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop