Is This OpenClaw Skill Safe? Scan Any ClawHub Skill Before You Install It
SkillShield Research Team
Security Research
341 Malicious Skills. One Marketplace. Zero Pre-Install Checks.
In February 2026, security researchers at Koi Security identified a coordinated malware campaign targeting OpenClaw developers through ClawHub, the primary skill marketplace. The campaign — codenamed ClawHavoc — distributed 341 confirmed malicious skills designed to steal API keys, wallet credentials, SSH keys, and browser passwords from developer machines.
The malicious skills used familiar tactics: typosquats of popular packages (clawhub, clawhubb), fake utility tools (solana-wallet-tracker), and clones of legitimate skills (youtube-summarize). Each deployed the Atomic Stealer (AMOS) payload — a known credential harvester that targets macOS and Linux developer environments.
This wasn't an isolated incident. It came on top of:
- CVE-2026-25253 (January 2026) — An unauthenticated API key exfiltration vulnerability in OpenClaw that affected an estimated 17,500 to 40,000 exposed instances. (Source: Hunt.io, Oasis Security)
- ClawJacked (February 2026) — A vulnerability allowing malicious websites to hijack local OpenClaw agents via localhost WebSocket connections, enabling full agent control. Fixed in v2026.2.25. (Source: The Hacker News)
- ClawSecure audit — An independent audit of 2,890+ ClawHub skills finding many scoring 0/100 on the OWASP ASI Top 10 framework
The pattern is clear: ClawHub skills are a documented attack surface, and there is currently no fast, trustworthy way for developers to check whether a skill is safe before installing it.
What Malicious Skills Actually Do
A malicious ClawHub skill looks identical to a legitimate one until it runs. Here's what the ClawHavoc skills were designed to steal:
| Target | Method |
|---|---|
| API keys | Read environment variables, config files, .env files |
| Wallet credentials | Scan for cryptocurrency wallet data, seed phrases |
| SSH keys | Exfiltrate ~/.ssh/ contents including private keys |
| Browser passwords | Deploy Atomic Stealer to harvest saved credentials |
| Session tokens | Access cached authentication tokens from development tools |
The payload is silent. There's no error message, no visible warning, and no prompt asking for permission. The skill does what you asked it to do — and exfiltrates your credentials in the background.
Why OWASP Scores Aren't Enough
ClawSecure audits ClawHub skills against the OWASP ASI Top 10 framework. That's valuable — but an OWASP compliance score doesn't answer the question developers are actually asking: "Is this specific skill going to steal my credentials?"
OWASP scoring evaluates architectural risk categories. A skill can score well on most ASI categories while still containing a credential harvester that targets a specific file path. The threat model is different:
| Check | OWASP Audit | SkillShield Pre-Install Scan |
|---|---|---|
| Prompt injection in descriptions | Partial | Yes — flagged per finding |
| Over-permissioned file access | Partial | Yes — scored by scope |
| Hard-coded secrets in skill definitions | No | Yes — pattern detection |
| Known malicious payload signatures | No | Yes — 533 blocked entries |
| Typosquat detection | No | Yes — registry comparison |
| Engagement with credential paths | No | Yes — behavioral analysis |
SkillShield is not a replacement for OWASP-based auditing. It's the pre-install layer — the fast check that answers "safe or not" before you run a full security audit.
How SkillShield Checks Before You Install
SkillShield provides three ways to verify a ClawHub skill before it touches your machine:
1. Browse the scored directory
33,746 AI extensions pre-scanned across six registries — ClawHub, SkillsMP, Skills.lc, MCP Registry, MCPMarket, and Awesome MCP. Each entry has a security score, issue summary, and source context. If the skill is in the directory, you can check its status before installing.
2. Scan locally with the CLI
npm install -g skillshield
skillshield scan ./SKILL.md
Run the scanner against any SKILL.md file before installation. The CLI checks for prompt injection, over-permissioned access, hard-coded secrets, dangerous execution patterns, and known malicious signatures.
3. Scan MCP servers
MCP servers are the browser extensions of AI agents — but with direct system access. SkillShield's MCP scanner detects tool poisoning, over-permissioned access, prompt injection vulnerabilities, and supply chain risks.
By the Numbers
| Metric | Value |
|---|---|
| AI extensions scanned | 33,746 |
| Malicious entries blocked | 533 |
| Detection rate | 99.8% |
| Registries covered | 6 |
| Cost for pre-install check | Free |
Frequently Asked Questions
Is youtube-summarize on ClawHub safe?
This skill name was identified in the ClawHavoc campaign as a typosquat used to distribute malware. Check the SkillShield directory for current status and scan results.
How do I know if a skill I already installed is malicious?
Run skillshield scan ./SKILL.md against the skill's definition file. If you've already run a skill and suspect compromise, rotate your API keys, SSH keys, and any credentials stored on the machine. Check ~/.ssh/, your .env files, and browser saved passwords.
Does SkillShield replace ClawSecure? No. ClawSecure provides OWASP-based compliance scoring for architecture-level risk. SkillShield provides pre-install malware detection and supply chain scanning. They address different layers of the security stack.
Is SkillShield free?
The directory browse and MCP scanner are free. The CLI (npm install -g skillshield) is free. No signup required for any of these.
What about skills from registries other than ClawHub? SkillShield scans six registries: ClawHub, SkillsMP, Skills.lc, MCP Registry, MCPMarket, and Awesome MCP. The CLI can also scan any local SKILL.md file regardless of source.
Scan Now
The ClawHavoc campaign is active. CVE-2026-25253 exposed thousands of instances. The supply chain threat to OpenClaw developers is documented and ongoing.
Check your skills before they check your credentials.
- Browse the scored directory — 33,746 extensions pre-scanned
- Scan an MCP server — free, instant
- Install the CLI —
npm install -g skillshield
Sources
- Koi Security / ClawHavoc campaign: 341 malicious ClawHub skills confirmed
- CVE-2026-25253: https://hunt.io/blog/cve-2026-25253-openclaw-ai-agent-exposure
- Oasis Security OpenClaw vulnerability: https://www.oasis.security/blog/openclaw-vulnerability
- ClawJacked: https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html
- Kaspersky OpenClaw vulnerabilities: https://www.kaspersky.com/blog/openclaw-vulnerabilities-exposed/55263/
- ClawSecure audit: 2,890+ ClawHub skills audited
- HelpNetSecurity Feb 2026: https://www.helpnetsecurity.com/2026/02/26/hottest-cybersecurity-open-source-tools-of-the-month-february-2026/
Catch risky skills before they run.
SkillShield scans skills, MCP servers, and prompt-bearing tool surfaces before they reach production.
Get early access