In a coordinated supply-chain attack later named 'ClawHavoc', 824 malicious skills were uploaded to ClawHub in under 72 hours — representing roughly 20% of the entire marketplace — and targeted AI agent credentials, SSH keys, and cryptocurrency wallets across thousands of users before takedown.
The ClawHavoc attack introduced 824 malicious skills to ClawHub over a ~72-hour period, many typo-squatting popular skill names (e.g., 'web-search-pro' vs. 'web-search'). Installed skills executed with full agent privileges by default, meaning any agent loading them gained access to SSH keys, stored API keys, browser cookies, and crypto wallet files on the host. Several skills opened reverse shells to attacker infrastructure. At 824 skills, the haul represented roughly 20% of ClawHub's entire listing — the largest single supply-chain event in OpenClaw's history.
The Actual Culprit
ClawHub required no author verification, no skill signing, and no manifest review. Skills executed with full agent capability by default — there was no permission model at the skill level.
npm, PyPI, and every prior package ecosystem learned this the hard way. New ecosystems do not get a pass.
'Web search' and 'run arbitrary shell commands' should not be the same capability. Without manifest-declared, user-approved capabilities, every skill is a root exploit.
Similarity checks at publish time, download warnings on edit-distance-1 name collisions, and reserved-name lists should be built in from day one.
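A publish-time and download-time name check of the kind recommended here, as an added example that is not ClawHub's or OpenClaw's code: it rejects reserved and duplicate names, flags names within edit distance 1 of a published skill, and also flags a published name with a lookalike suffix appended, which goes beyond the edit-distance-1 rule to catch the 'web-search-pro' case. The skill names, reserved list and suffix list are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real ClawHub listings): names already published
# on the registry, names the registry reserves, and suffixes typosquatters append.
EXISTING_SKILLS = {"web-search", "file-read", "shell-exec", "calendar-sync"}
RESERVED_NAMES = {"openclaw", "clawhub", "admin", "official"}
LOOKALIKE_SUFFIXES = ("-pro", "-plus", "-official", "-v2", "2")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class PublishVerdict:
    allowed: bool
    warnings: list = field(default_factory=list)


def check_publish(name: str, existing=EXISTING_SKILLS, reserved=RESERVED_NAMES) -> PublishVerdict:
    """Publish-time gate: hard-reject reserved and duplicate names, flag lookalikes."""
    name = name.lower().strip()
    if name in reserved:
        return PublishVerdict(False, [f"'{name}' is a reserved name"])
    if name in existing:
        return PublishVerdict(False, [f"'{name}' is already published"])
    warnings = []
    for other in sorted(existing):
        if levenshtein(name, other) <= 1:
            warnings.append(f"'{name}' is within edit distance 1 of '{other}'")
        elif any(name == other + s for s in LOOKALIKE_SUFFIXES):
            warnings.append(f"'{name}' is '{other}' with a lookalike suffix")
    # Flagged names are held for manual review rather than silently listed.
    return PublishVerdict(True, warnings)


def download_warning(name: str, existing=EXISTING_SKILLS) -> Optional[str]:
    """Install-time warning when the requested name is one edit away from
    another published skill (the edit-distance-1 rule)."""
    name = name.lower().strip()
    near = [o for o in sorted(existing) if o != name and levenshtein(name, o) <= 1]
    if not near:
        return None
    return f"'{name}' is one edit away from {', '.join(near)}; check which one you meant"
```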