ClawHavoc: Analysis of Large-Scale Poisoning Campaign Targeting the OpenClaw Skill Market for AI Agents
1.Overview
In early 2026, with the explosive popularity of OpenClaw, compounded by confusion stemming from multiple name changes, its ecosystem became a new target for supply chain attacks. As an open-source personal AI agent, OpenClaw offered flexible Skills (skill plugins) extension interfaces and launched its official skill marketplace, ClawHub, forming a novel AI industry ecosystem. Attackers exploited this by registering as ClawHub developers, creating and mass-uploading malicious “Skills” disguised as legitimate plugins. Using “ClickFix”-style social engineering techniques, they tricked users into downloading and installing these malicious Skills, thereby implanting and executing malicious code within users’ systems. This constituted a severe supply chain poisoning attack targeting the AI ecosystem. Antiy Computer Emergency Response Team (Antiy CERT) has continuously monitored this incident, conducting sample analysis and assessment. Antiy AVL SDK antivirus engine now possesses detection and removal capabilities for related malicious Skills samples. Host security products utilizing Antiy AVL SDK antivirus engine will detect and block relevant malicious Skills files and associated downloaded samples after updating.
OpenClaw (formerly known as ClawdBot and Moltbot) is a phenomenal open-source AI agent that has recently garnered global attention. Positioned as a “cross-platform digital productivity tool”, it has rapidly gained immense popularity. Its Skills module, as an ecosystem extension, supports deep integration with dozens of office and social media platforms, which users can easily access and install. Currently, thousands of various Skills have been developed, covering multiple scenarios such as office automation, cryptocurrency tools, and social media assistance, forming a self-organizing and rapidly evolving open-source ecosystem.
ClawHub, serving as the core Skills distribution channel for OpenClaw, has cultivated a developer community with significant retention. On February 1, 2026, the international security team Koi Security discovered a large-scale, coordinated injection of malicious Skills on the ClawHub platform. They named this attack operation “ClawHavoc”[1]. We respect Koi’s right as the first discoverer to name the incident and translate its Chinese designation as “利爪浩劫“. Based on the morphological characteristics of the poisoned samples, we have classified the relevant batches as Trojan/OpenClaw.PolySkill.
ClawHub operators have taken responsive actions, rendering some malicious Skills unsearchable. However, some have slipped through the cracks. Following the large-scale removal of malicious Skills, the platform contained 3,498 Skills as of this report’s publication. According to Antiy CERT statistics, at least 1,184 malicious Skills have historically appeared on ClawHub. Among these, the author with ID hightower6eu uploaded the most malicious packages, totaling 677.
As the scale of the skills-based ecosystem rapidly expands, poisoning the Skills marketplace has become the most prominent and urgent security challenge facing the OpenClaw ecosystem. This also introduces a new threat to the AI ecosystem: supply chain contamination through extended plugins. Malicious Skills can steal sensitive user data, seize system privileges, tamper with system data, disrupt system operations, and launch automated lateral penetration attacks through stealthy disguise and deceptive propagation. If these risks remain unchecked, they will constrain the health and sustainable development of the OpenClaw open-source ecosystem while eroding user confidence in AI agent tools and products. Similarly, this incident serves as a significant warning for the construction and development of China’s domestic AI ecosystem. This, coupled with the recent emergence of malicious code written on large model platforms, serves as a stark reminder that the so-called AI security should not be narrowly defined as risks inherent to AI mechanisms—such as algorithmic, model risks, or data poisoning. Instead, the AI-driven automation of cyber attacks, together with the expanded attack surface and new attack vectors introduced by AI applications, are evolving at an accelerating pace — these are the pressing real-world threats that demand our most urgent resource investment to address at present.
2. Analysis of the “ClawHavoc” Incident and Samples
OpenClaw, as an AI agent framework supporting functional extensions, enables its Skills extension packages to be conveniently installed via the ClawHub marketplace. Skills are essentially “plugin/capability packages organized as structured files”, containing configurations, code, resources, and metadata. From the perspective of executor governance proposed by Antiy, Skills represent a novel type of executor in script format. Attackers exploit the open extension mechanism of Skills to create malicious skill packages disguised as legitimate functionalities, then upload them to ClawHub to lure users into downloading and installing them. These malicious skill packages typically embed “fake installation steps” within the SKILL.md documentation or accompanying scripts, instructing users to execute terminal commands or download and run unknown binary files. By employing social engineering tactics, they deceive users into trusting and performing high-risk operations. Once executed, the malicious code leverages the skill package’s system access privileges to directly infiltrate the host, ultimately achieving control over the user’s system, data theft, or malicious program implantation, forming a complete attack chain.
2.1 Analysis of Typical Malicious Skill Samples
Although a large number of samples have been captured, they primarily exhibit three types of malicious functionality: inducing downloads and executing malicious code (ClickFix), establishing reverse connection shells (RAT), and information theft (steal). Some of these are not traditional malicious code but rather phishing content containing URLs. Following Antiy’s malware classification naming convention—prefix/environment prefix.family—Antiy CERT has uniformly designated this batch of samples as Trojan/OpenClaw.PolySkill, classifying them as Trojan horses. This marks the first inclusion of the OpenClaw prefix in our naming database. Simultaneously, since the Skill package is a polymer (Poly) of code, data, configuration, metadata, etc., its risk lies precisely in Poly’s dual capability to manipulate OpenClaw and deceive users. Thus, we combined Poly with Skill for its naming. The binary Trojan downloaded via malicious Skill will be analyzed in a subsequent report. This article focuses on malicious Skill poisoning. For the Trojans induced by these malicious Skills, we continue to adopt the original homogenous family naming scheme.
1、Typical sample of luring users to download and execute malicious code: The skill content corresponds to a ZIP archive containing a JSON file and a SKILL.md file. Malicious download links or commands are embedded within the SKILL.md file.
The corresponding sample provides false information in the documentation, falsely claiming that users must manually install the openclaw-core component for usage. Leveraging the operational guide document, it conducts social engineering deception to lure users into downloading and executing malicious code. For Windows systems, it downloads a malicious encrypted compressed package from GitHub, extracts it, and executes the malware, exploiting users’ trust in GitHub to increase deception success rates. On macOS systems, it executes a base64-decoded command to download and execute a binary payload from the attacker’s server.
Table 2-1 SKILL.md Sample Labels
| Virus Name | Trojan/OpenClaw.PolySkill |
| Original File Name | SKILL.md |
| MD5 | 5e4428176aeb8cfc7f0391654d683a2a |
| File Size | 5.36 KB (5,493 bytes) |
| File Format | Text/ISO_IEC.UTF8[:No bom] |
| SKILL Package Name | google-k53 |
| Version | 1.0.0 |
Figure 2-1 Inducing Download of Compressed Package or Execution of Malicious Commands
Analysis of malicious code targeting macOS systems reveals that after base64 decoding, it retrieves a URL and downloads a binary payload. Detailed information about this payload can be found in the Antiy Virus Encyclopedia[3].
Table 2-2 MacOS Binary Sample Labels
| Virus Name | Trojan/MacOS.Amos |
| Original File Name | sujwb2nsdn93d79q |
| MD5 | be24b44d4895c6bc14e3f98a9687a399 |
| Processor Architecture | X86_64、ARM64 |
| File Size | 509 KB (521,440 bytes) |
| File Format | Mach-O |
| Compilation Language | C/C++ |
| VT First Upload Date | 2026-02-03 15:48:21 UTC |
| VT Detection Result | 26/65 |
Its binary payload contains a large amount of encrypted static data that is only decrypted during runtime to evade detection.
Figure 2-2 Encrypted Data and Corresponding Decryption Code
Based on its algorithm, it decrypts configuration information within multiple distinct sample data segments. These configurations all contain the strings “jhzhhfomng” and “https://socifiapp[.]com”, along with dialog prompt text. The primary difference lies in the range of file types targeted for theft.
Figure 2-3 Partial Decrypted Configuration Information
After execution, it displays preconfigured disguise information prompting users to enter their system passwords, thereby gaining elevated privileges to carry out malicious actions. Based on related prompt messages and code analysis, the sample is identified as the Atomic macOS Stealer (AMOS) information-stealing Trojan. AMOS can steal files, browser-stored passwords, cookies, autofill data, system keychain data, Telegram sessions and chat logs, SSH keys, bash/zsh history, and cryptocurrency wallet assets. It then compresses the stolen data into ZIP files and sends them to the C2 server.
Figure 2-4 Launching a Fake Password Input Box upon Startup
2、Typical reverse shell sample: The “skill” refers to a ZIP archive containing: a JSON file, an SKILL.md file, and a scripts folder with Python script files.
This sample masquerades as a cryptocurrency monitoring tool to gather market data from cryptocurrency platforms. However, the script code embeds commands that exploit the os.system function to execute malicious downloads or launch reverse shells.
Table 2-3 Python Code Sample Labels
| Virus Name | Trojan/OpenClaw.PolySkill |
| Original File Name | polymarket.py |
| MD5 | a3365c837ec2659c2aa04e7010a0db15 |
| File Size | 13.6 KB (13,927 bytes) |
| File Format | Script/Python.PY |
| SKILL Package Name | polymarket-all-in-one |
| Version | 1.0.0 |
Figure 2-5 Download Remote Control Trojan with Reverse Shell Connection Capability
3、Typical data-stealing sample: The “skill” corresponds to a ZIP archive file. The malicious code resides within a JavaScript file inside the archive, using JavaScript to exfiltrate data.
The corresponding sample disguises itself as a “weather assistant” function, retrieving weather data from the open-source weather website open-meteo.com and sending it to the user’s email. However, it actually steals the local file ~/.clawdbot/.env. This file contains trusted configuration sources for paid AI services (such as Claude and OpenAI).
Table 2-4 js Code Sample Labels
| Virus Name | Trojan/OpenClaw.PolySkill |
| Original File Name | index.js |
| MD5 | 2444b3ab5de42fcca22e6025cf018e3b |
| File Size | 7.55 KB (7,734 bytes) |
| File Format | Script/Netscape.JS |
| SKILL Package Name | rankaj |
| Version | 1.0.0 |
Figure 2-6 Sending Stolen Data to Webhook
2.2 Cyber Offense and Defense Incident Timeline
➢ January 27, 2026: First malicious Skill, polymarket-trading-bot v1.0.1, released by uploader aslaep123;
➢ January 28, 2026: Malicious Skills reddit-trends v1.0.0 and base-agent v1.0.0 released;
➢ January 29, 2026: Malicious Skill bybit-agent v1.0.0 released;
➢ January 31, 2026: Mass release of malicious Skills begins, with 7 attackers deploying 386 malicious Skills—including 354 by primary attacker hightower6eu;
➢ February 1, 2026: Security team Koi first discloses related attacks, naming them ClawHavoc;
➢ February 1, 2026: The community developed Clawdex, an AI-based tool for automatically verifying Skill security;
➢ February 3, 2026: The community issued a security advisory on GitHub, stating that relevant Skills had been manually removed, multiple security issues resolved, and two pull requests submitted.
2.3 Malicious Skill Sample Statistics
As of February 5, 2026, at the time of this report’s publication, Antiy CERT identified 1,184 malicious skill packages within ClawHub’s historical repository, attributed to 12 author IDs. Among these, the author ID hightower6eu accounted for 677 malicious packages. The ClawHub platform is currently undergoing cleanup.
Table 2-5 ClawHub Malicious Skills Package Statistics
| Skills Package Author | Quantity |
| hightower6eu | 677 |
| sakaen736jih | 390 |
| moonshine-100rze | 60 |
| zaycv | 19 |
| aslaep123 | 14 |
| jordanprater | 10 |
| noreplyboter | 4 |
| rjnpage | 2 |
| gpaitai | 2 |
| lvy19811120-gif | 2 |
| danman60 | 2 |
| noypearl | 2 |
Most of the malicious Skills have been removed from the platform. However, the following package addresses, still accessible and attributed to the uploader moonshine-100rze, remain active. These 60 packages have accumulated 14,285 downloads. Users are advised to be aware of the associated risks. We have compiled a list of URLs to assist network administrators in adding them to blacklists and mitigating potential threats.
Figure 2-7 Skills Package Uploaded by moonshine-100rze
2.4 Analysis of Attacker Tactics
Attackers have implemented targeted designs based on Skill popularity and user demographics to maximize attack value.
| Skill Categories | Representative Name | Target Audience | Attack Intent |
| Cryptocurrency Tools | solana-wallet-tracker, polymarket-trader, binance-agent | Cryptocurrency traders, DeFi users | Steal wallet private keys, mnemonic phrases, and exchange API keys |
| Productivity Enhancement | google-workspace, gmail-integration, excel-helper | Corporate employees, developers | Steal corporate documents, calendar schedules, and email communications |
| Social Media Tools | youtube-summarize-pro, x-trends-tracker, twitter-monitor | Content creators, marketers | Hijack social media accounts and steal session cookies |
| System Utilities | auto-updater, clawhub-cli, mac-optimizer | Advanced users, system administrators | Establish persistent backdoors and gain system-level privileges |
| Spell Confusion | clawhubb, cllawhub, clawwhub | Careless users | Exploit spelling errors for passive infection |
The most deceptive aspect of this attack was its use of accompanying documentation (README.md or SKILL.md) for malicious Skills to carry out social engineering deception. Attackers crafted supporting documents spanning 500–700 lines (likely AI-generated themselves), detailing the tool’s functionality, API integration methods, and use cases—significantly boosting the Skill’s credibility. Critical malicious addresses were cleverly concealed within sections titled “Prerequisites” or “Setup”. Attackers claimed that for the Skill to function properly—such as connecting to the Solana blockchain or invoking the YouTube API—users must install a specific “helper tool” or “proxy program”. This enticed victims to download and execute the trojan themselves.
For Windows users: Documentation provides a link to a GitHub Releases page, instructing users to download a password-protected ZIP archive. Attackers explicitly disclose the password (typically 1202, openclaw, or 1234). This encryption tactic circumvents GitHub’s automated scanning mechanisms and real-time scanning by users’ local antivirus software.
For macOS users: Documentation provides a seemingly complex terminal command for users to copy and paste. These commands often involve fetching scripts from clipboard services like rentry.co or glot.io.
This strategy exploits a psychological blind spot among AI users: accustomed to configuring complex dependencies to run AI tools, they lack vigilance toward requests to “install helper tools”.
2.5 Key Threat Actors and Technical Methods
● Attacker Profiles:
Operators: hightower6eu (deployed 677 malicious skills, leading large-scale distribution), zaycv (conducted targeted attacks), Ddoy233 and hedefbari (hosted malicious payloads). Relationships among poisoners require further analysis.
Motivation Analysis: Driven by financial gain, focusing on stealing cryptocurrency wallets (Solana, Phantom) and developer credentials (AWS, SSH).
● Key Technical Methods:
ClickFix 2.0: The social engineering deception technique employed in this poisoning attack represents an evolution of ClickFix. ClickFix refers to a novel social engineering technique that rapidly gained global traction starting in 2024. It leverages contextual deception to trick users into clicking, copying, and executing specific commands, thereby creating an opportunity for malicious code executor—commonly known as a “one-click fix” attack. This attack similarly bypasses software vulnerabilities and avoids triggering downloads via OpenClaw. Instead, it employs social engineering deception through a “document”. By fabricating “prerequisite installation requirements” within SKILL.md, it tricks users into downloading files and copying commands.
Environmental Parasitism: Malicious code exploits the elevated privileges of AI agents (by reading .env files) to directly send credentials to webhooks, bypassing the need for complex C2 communication.
2.6 Mitigation Recommendations
For OpenClaw Users:
1. Review recent Skill downloads, promptly remove malicious Skills, and update all OpenClaw-related account credentials (passwords, tokens, etc.).
2. Install endpoint security software capable of continuously tracking malicious Skills and receiving updates, such as Antiy Smart Shield Endpoint Defense System.
3. Exercise caution when downloading Skills and avoid integrating platforms storing sensitive information into OpenClaw.
Monitor OpenClaw security updates and promptly upgrade to the latest version.
3.Extended Analysis: New Risks Introduced by Agent-Based AI
The widespread impact of ClawHavoc Operation stems partly from its targeting of an emerging ecosystem—the OpenClaw AI agent ecosystem—that existed in a security blind spot. It also reflects the accelerating convergence of “operational adversarial activities” and “cognitive adversarial activities”, a trend Antiy has consistently warned about. Therefore, we must expand our analysis to encompass additional risks and potential threats.
3.1 OpenClaw: AI with Hands Is More Dangerous
Unlike passive generative large language models (LLMs) such as ChatGPT, OpenClaw belongs to the category of agentic AI. The core value of such systems no longer lies in interaction based on generation, but in “action”—they not only generate text but also execute tasks on behalf of users. While ChatGPT represents AI truly opening its mouth, OpenClaw represents AI growing “hands”.
To enable these “hands” to function effectively, users typically grant AI extensive system privileges, including:
● Shell access: Execute terminal commands.
● File system read/write: Modify code, read documents.
● API key management: Access to third-party services like GitHub, AWS, and Google Workspace.
OpenClaw gained prominence for its “Vibe Coding” capability (fully automated code writing and deployment). However, this automation introduces a critical security assumption: users often implicitly trust ecosystem recommendations or AI-generated code as safe, bypassing the human-in-the-loop review inherent in traditional software installations.
A more advanced threat scenario involves attackers gaining control over OpenClaw or other similarly designed nodes. In such cases, the attackers would possess not merely a jump host or a bot, but an intelligent attack infrastructure. This would transform botnet nodes from merely executing attacker commands into entities capable of acting autonomously, much like the attackers themselves.
3.2 ClawHub: The Unprotected AI Supply Chain Market
To expand AI agents’ capabilities, developers established ClawHub—a community-driven marketplace for “Skills”. These Skills are essentially configurations and scripts that teach AI how to perform specific tasks (e.g., “analyze Solana blockchain data” or “summarize YouTube videos”).
The core root cause of this incident lies in ClawHub’s default open upload policy, allowing any user to publish relevant skills. The only current restriction is that publishers must possess a GitHub account registered for at least one week. Koi Security’s report states, “ClawHub has virtually no security review mechanisms”. A GitHub account registered for just one week could publish skills, which were then discoverable and installable by OpenClaw user instances. This vulnerability was exploited by attackers as an ideal vector for malware distribution, enabling a classic supply chain attack (MITRE ATT&CK T1195): attackers poisoned upstream skill repositories, leveraging user trust in the platform to inject malicious logic into downstream endpoints. In response, OpenClaw founder Peter Steinberger has urgently added a skill reporting feature. According to the official announcement: Logged-in users can now report skills within the platform; each user may submit up to 20 valid reports simultaneously; any skill reported by three or more distinct users will be automatically hidden by the platform.
Antiy CERT’s assessment of these measures is that while necessary and essential, they are far from sufficient. Their implementation requires a series of automated backend detection and operational mechanisms, including static analysis, code and semantic analysis, sandbox analysis, and a dedicated response team operating within an established operational framework. From Apple Store, Google Play, and Microsoft Store to domestic mobile app stores, these unified platforms, while offering convenience, inevitably become hubs for supply chain poisoning. Consequently, software and mobile app operators have engaged in prolonged battles against attackers, continuously refining systems that include listing reviews, automated analysis, manual spot checks, and user-report response mechanisms. Antiy Mobile Security Team has also supported the design of listing security mechanisms for most domestic smartphone brands’ app stores, gaining deep insights into these systems. Yet whenever new scenarios emerge, they inevitably repeat all the security mistakes made in previous contexts.
3.3 AI Early Adopters: Trust Weaponized Against Victims
In successful ClickFix-type attacks, engineers actually account for a significant proportion of attackers. Users lacking IT skills may become flustered upon seeing purported system repair prompts, and even when presented with misleading “tutorials”, they often remain unable to navigate into the command window. Such system repair prompts can be deceptively convincing to some engineers. This represents the weaponization of technical trust. As an AI agent undergoing rapid iteration and refinement, OpenClaw remains far from a tool that novices can easily DIY deploy. A significant proportion of OpenClaw users are IT engineers, programmers, or tech-savvy individuals. When receiving a suspicious email or an executable file via IM, this group remains vigilant—even Office or PDF documents raise concerns about potential format-buffer overflow attacks. However, within the so-called developer ecosystem, their sensitivity naturally diminishes. This is precisely why individuals with strong IT capabilities can fall victim to attacks. Notable early cases include the Xcode unofficial version malware contamination incident extensively analyzed by Antiy Labs[4], where attackers implanted backdoors in pirated IDA Pro to infiltrate the computers of software developers and threat analysts. Such high-profile breaches highlight how developers and engineers may exhibit security complacency within their professional domains—a vulnerability attackers exploit.
Summary
The “ClawHavoc” stands as a landmark incident in AI security. This was not merely a simple malware propagation but a result catalysed by a convergence of factors: technical architecture flaws on the platform side, chaotic community management, and attackers seizing operational windows to execute sophisticated social engineering. Employing a remarkably traditional attack method—submitting poisoned code to deceive execution—which some tech purists might dismiss as lacking technical sophistication, it demonstrated that the pressing risk to artificial intelligence lies not in the “awakening of AI algorithms”, but in the “foundational collapse” of IT governance.
4.1 Why OpenClaw Became the Perfect Attack Target
This attack, and future ones, precisely exploit three vulnerabilities inherent in the nascent development of the current agentic AI ecosystem:
● “Vibe Coding” and a speed-first development culture sacrificing foundational security
OpenClaw and its companion editor Moltbook are representative products of “Vibe Coding”—a development model reliant on AI assistance, rapid iteration, and intuitive decision-making. The founders have publicly acknowledged that the project was “built by intuition”. This culture prioritizing rapid deployment and feature iteration often neglects fundamental security architecture, policies, and capability development—such as failing to implement effective risk control and audit strategies on the skill store side, or failing to isolate high-risk operations like file read/write and shell command execution on the product side. The result was an AI agent tool with system-level privileges, combined with an open plugin market lacking risk control measures, being pushed to users in a virtually unprotected state—effectively opening the door for attackers.
● The iterative evolution of “ClickFix” social engineering has adapted to AI agent scenarios
The attack was not a simple poisoning scheme but a targeted design exploiting developers’ psychological and behavioral patterns. Between 2024 and 2026, the “ClickFix” attack technique (luring users into copying and pasting malicious commands to “fix” issues) evolved through variations. In this incident, attackers disguised malicious instructions as “Prerequisites” required for skill installation, embedding them within documents like SKILL.md. Exploiting users’ tendency to follow manuals, directly download binary packages, or run installation scripts, they achieved highly stealthy code execution. If we persistently dismiss phishing attacks disguised as social engineering, deceptive downloads, and executable launches as low-tech threats—attributing them solely to victims’ security awareness gaps rather than addressing them through technical countermeasures, capability building, management protocols, and resource allocation—then such social engineering attacks will only proliferate more rampantly.
● Frequent rebranding and community chaos weaken user recognition
The project underwent multiple name changes in a short period (ClawdBot → Moltbot → OpenClaw), fragmenting official communication channels and confusing user perception. This “brand fog” not only drained the development team’s maintenance resources but also severed users’ trust chain to authoritative sources. Attackers exploited this distraction—fueled by renaming debates and cryptocurrency scams—to mass-deploy malicious modules on the official skill platform, accelerating risk propagation.
The above three factors collectively form the structural backdrop enabling the attack’s proliferation, reflecting the security challenges facing the AI agent ecosystem during its explosive growth phase: a development culture prioritizing functionality over security, and community governance and security mechanisms that remain underdeveloped, while attack methods evolve rapidly with the evolving landscape. These serve as cautionary lessons for China as it advances its own AI agent development.
4.2 Executor Governance Remains Fundamental to AI Security
Antiy has introduced the concept of executor governance. Leveraging the precise malware detection capabilities of the AVL SDK antivirus engine and its executor reputation mechanism, we assist users in achieving full visibility into all running executors and system runtime environments. This further minimizes the security boundary from each endpoint down to every individual executor. As large-model AI evolves into next-generation operating systems, we observe that the form and essence of executors are also transforming. We propose that prompts represent a new type of executor.
This incident demonstrates a new form of executor within the AI agent environment. It remains an I/O object possessing execution capabilities or entry points, such as scripts or text containing executable path references (URLs). It still falls within the scope of antivirus technology’s normalization capabilities, enabling us to easily automate sample ingestion into databases and expand detection signatures and URL detection rules for the AVL SDK antivirus engine. From the platform perspective, ClawHub remains an extension of the app store model into the AI agent era. Its management of Skill developers and Skill modules still resembles source control in mobile app stores. This aligns with our long-term support for ecosystem partners like domestic smartphone manufacturers. These developments demonstrate that antivirus technology, often considered “traditional” technology, can still incorporate most new threats into standardized detection paradigms within novel AI scenarios, remaining a cornerstone of security capabilities.
Simultaneously, in response to ClickFix 2.0’s social engineering attack patterns, we have reflected on insufficient emphasis placed on user cognitive factors within executor logic. Examples include skipping non-script text as non-malicious files and lacking detection points for URLs in the clipboard. Whether on PC or mobile platforms, we will swiftly strengthen support for the user’s cognitive layer within our primary defense systems.
The Virus Encyclopedia Sample (virusview.net) analysis interface will soon launch a security analysis feature for Skills.
4.3 Artificial Intelligence Security Cannot Be Narrowed to Algorithmic Mechanism Security
Antiy has always maintained that the development of new technologies inevitably involves accelerating the “transformation” of old risks, creating new risks, and becoming targets of risk exploitation—and artificial intelligence is no exception[5]. AI inevitably elevates the automation level and efficiency of cyberattacks. Its widespread adoption inevitably introduces new exposure points, attack surfaces, and data leakage sources. Throughout AI’s preprocessing, algorithmic mechanisms, model training, and evaluation optimization, it inevitably faces threats and challenges such as data poisoning, privacy theft, model attacks, and malicious exploitation. However, currently in China, there is a tendency to a certain extent to narrow down the issue of artificial intelligence security to a scientific, mathematical, or algorithmic problem related to the inherent mechanism security of artificial intelligence itself. The attention and resource investment in the ongoing and escalating real cyber threat patterns, as well as the real activities of threat actors launching attacks against us, are seriously insufficient. Instead, greater focus is placed on proactively addressing the “Skynet Awakening” of artificial intelligence itself. While securing AI’s intrinsic mechanisms holds significant importance, establishing a clear methodological framework remains challenging amid AI’s rapid advancement. A progressive, parallel research approach is necessary to keep pace. Artificial intelligence is not a scenario where its own value can be self-contained, it is not a “brain in a vat”. Its value must be realized within existing industrial environments, integrated into data systems, deployed in specific scenarios, and embedded within diverse products, engineering systems, and processes. Its security fundamentally relies on robust data governance foundations and requires the capability assurance of system and network security. These foundational security capabilities form the bedrock of the AI ecosystem.
The outbreak of the “ClawHavoc” incident validated our persistent stance. The poisoning attack on the OpenClaw skill store targeted neither the intrinsic algorithms of AI models nor exploitation based on algorithmic mechanisms. Instead, it exploited the absence of detection, analysis, and risk control capabilities and systems that should have been inherent in its open-source ecosystem. It did not exploit any zero-day vulnerabilities or technically significant flaws in edge-side scenarios. Instead, it relied on seemingly “ow-tech” social engineering attacks to deceive users into installing malicious code themselves. By leveraging OpenClaw AI agent’s inherent high-privilege and high-automation characteristics, it transformed these features into tools for data exfiltration and controllable jumping-off points. This profoundly reveals that the most pressing AI risk today is not algorithmic runaway, but rather the rapid proliferation of AI bypassing fundamental IT and data governance constraints. This repetition of historical technological development risks and tragedies underscores the imperative to strengthen the foundation of AI+ by addressing deficiencies and laying essential groundwork in foundational IT governance, data governance, and defense system construction.
Antiy also firmly believes that “the solutions to the risks posed by new technologies often lie within the technologies themselves”. While attackers leverage AI to automate vulnerability discovery, PoC writing, and malicious code development—exposing new attack surfaces through AI—we simultaneously harness AI to enhance automated malware analysis, reduce noise in massive security alerts, and improve the interpretation of security incident logs. To achieve automated operations, we are also leveraging LanDi large language model[6] to enable adaptive judgment and response.
New things are always fragile, but they are also invincible. Facing the rapid development of artificial intelligence, the Antiy team remains a beginner, an adopter, and a cautious explorer. We analyze security incidents to uncover attack mechanisms, driving improvements in protection rather than criticizing or mocking the fragility of emerging technologies. We will continue to learn and apply these new developments, nurture their growth, and safeguard their evolution.
5.Appendix: Complete Timeline (AI-generated)
● Phase 1: Outbreak and Hidden Risks (January 24 – January 26)
● January 24: Peter Steinberger released Clawdbot. As a “locally-first” AI agent capable of directly manipulating file systems and command lines, it rapidly gained traction on Hacker News and GitHub, amassing tens of thousands of stars within days.
● January 25-26:
○ Hardware rush: The project unexpectedly triggered a buying frenzy for M4-chip-equipped Mac Minis, as users required 24/7 AI agent operation.
○ Early warning: Security researcher Jamieson O’Reilly (Dvuln) discovered hundreds of Clawdbot instances exposed to the public internet via Shodan, lacking any authentication. Simultaneously, organizations like Snyk began warning that the “SKILL.md” file could serve as an attack vector[2].
● Phase 2: 72 Hours of Chaos (January 27 – 29)
This marked the critical window for attackers to infiltrate.
● January 27:
○ Trademark dispute: Anthropic demanded the project rename itself. The team announced the new name Moltbot.
○ Account hijacking: During the renaming process, the GitHub organization name and X account @clawdbot were released. Within 10 seconds, cryptocurrency fraud groups snatched these accounts, launching the fake token $CLAWD. Its market cap briefly surged to $16 million before crashing.
○ First malicious Skill emerges: The first malicious Skill package, polymarket-trading-bot v1.0.1, was released by uploader aslaep123.
● January 28:
○ Malicious Skills: reddit-trends v1.0.0 and base-agent v1.0.0 released;
○ Moltbook launches: A social network designed specifically for AI agents goes live, quickly attracting a large number of bot registrations. This introduces new risks of “Bot-to-Bot” prompt injection.
○ Cisco Talos warning: Reported 9 critical vulnerabilities in OpenClaw, labeling it a “security nightmare”.
● January 29:
○ Renamed again: Project finalized as OpenClaw.
○ Malicious Skill: bybit-agent v1.0.0 released;
○ CVE-2026-25253 disclosed: Research firm depthfirst privately reported a WebSocket vulnerability enabling “one-click RCE”.
● Phase 3: Full-Scale Outbreak and Mitigation (January 30 – February 4)
● January 30:
○ OpenClaw releases patch v2026.1.29, forcibly removing the no-authentication mode and fixing the RCE vulnerability.
○ By this point, malicious skills on ClawHub had been downloaded thousands of times, infecting Windows and macOS users with the InfoStealer.
● January 31:
○ Mass deployment of malicious Skills begins: 7 attackers release 386 malicious Skills, including 354 by primary actor hightower6eu.
● February 1:
○ ClawHavoc exposed: Koi Security and OpenSourceMalware formally publish reports revealing 341 malicious Skills on ClawHub, naming the campaign “ClawHavoc”.
○ Security tool released: The community developed Clawdex, an AI-based tool for automatically checking Skill security.
○ Malicious infrastructure IP 91.92.242.30 confirmed linked to the Atomic Stealer (AMOS) family.
● February 2:
○ Moltbook data breach: Cloud security firm Wiz reports that Moltbook’s database leaked 1.5 million authentication tokens and 35,000 real user email addresses due to unconfigured RLS. Attackers could exploit these tokens to hijack any AI agent.
○ Snyk confirmed ongoing malicious activity through variants like clawdhub1.
● February 3-4:
○ Official response: OpenClaw founder Peter Steinberger appointed Jamieson O’Reilly as security representative, pledging to release a detailed security roadmap.
○ Community members progressively purged malicious Skills.
6.Partial IOCs
| A37F6403FBF28FA0B48863287F4C5A5D |
| B8F295977D4DEC2E9BFFD6FCE2320BD1 |
| A535666293DB8DCABA511E38B735F2B8 |
| 6EB06663F1F6A43AB59BF0D35AE4E933 |
| DB48607A6F85E716A3EC3E9B613F278D |
| 683C79817D7A3C32619A6623F85A5B32 |
| 760C89959E2D80F9B78A320023A875B7 |
| C458840F920770438CDA517160BFD1B1 |
| BE24B44D4895C6BC14E3F98A9687A399 |
| 3A4450BACF20EEA2DCC246DA7BCE9667 |
| 8611DFD731C27AC1592DE60A31C66634 |
| 0C76E33DDDE228E9CE098EDF3BF5F06A |
| 5E4428176AEB8CFC7F0391654D683A2A |
| A3365C837EC2659C2AA04E7010A0DB15 |
| 2444B3AB5DE42FCCA22E6025CF018E3B |
| 91.92.242.30 |
| 95.92.242.30 |
| 96.92.242.30 |
| 202.161.50.59 |
| 54.91.154.110 |
| socifiapp.com |
| https://github.com/denboss99 (No longer accessible) |
Reference
[1]ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting [R/OL]. (2026-02-01).
[2]AI Agent Skills Drop Reverse Shells on OpenClaw Marketplace – Snyk [R/OL]. (2026-02-03).
https://snyk.io/jp/articles/clawdhub-malicious-campaign-ai-agent-skills/
[3]Trojan/MacOS.Amos Virus Analysis and Protection – Computer Virus Encyclopedia[R/OL]. (2023-11-21)
https://www.virusview.net/malware/Trojan/MacOS/Amos
[4]Xcode Analysis and Overview of the Unofficial Version Malicious Code Contamination Incident (XcodeGhost)[R/OL]. (2015-09-30)
https://www.antiy.com/response/xcodeghost.html
[5]Xiao Xinguang. Seizing the Historical Initiative in AI Development and Security[J]. Social Governance, 2025 (4).
[6]LanDi Large Model Enhances Document Detection and Analysis, Effectively Improving Emergency Response Efficiency (Part 1)[R/OL]. (2025-09-11)
[7]LanDi Large Model Enhances Document Detection and Analysis, Effectively Improving Emergency Response Efficiency (Part 2)[R/OL]. (2025-09-12)
[8]Poly-Computer Virus Encyclopedia[R/OL].
https://www.virusview.net/pro/Poly
[9]Trojan/OpenClaw.PolySkillVirus Analysis and Protection – Computer Virus Encyclopedia[R/OL].