OpenClaw Security Guide
Finding: malicious-skill | Agent: OpenClaw | critical | high confidence

ClawHavoc campaign: 335 malicious OpenClaw skills distribute Atomic macOS Stealer via ClawHub

ClawHavoc distributed 335 malicious OpenClaw skills through ClawHub, disguising AMOS delivery as wallet, Polymarket, and YouTube utilities. Reported delivery used base64 shell scripts or password-protected ZIPs, with C2 at `91.92.242.30`.

Tags: openclaw, supply-chain, malicious-skill, clawhavoc, amos, atomic-macos-stealer, clawhub, credential-theft, macos

Date: Feb 17, 2026

First Seen: Feb 17, 2026

Last Reviewed: May 19, 2026

Publisher: Barrack.ai

Source Type: article



Why It Matters

This campaign demonstrates that the OpenClaw skill marketplace itself was a distribution vector for macOS-focused credential theft — directly analogous to the DeepSeek-Claw campaign targeting Windows, but predating it by weeks and using the legitimate marketplace as a trusted channel. Skills are executable code with full filesystem and network access, and the marketplace provided an aura of legitimacy that fooled developers.

Attack Path

  1. Skill publication: Attacker publishes malicious skills to ClawHub, disguising them as useful utilities (cryptocurrency wallets, Polymarket bots, YouTube tools).
  2. User installation: Developers install the disguised packages, believing they come from a trusted marketplace.
  3. Payload delivery: AMOS stealer delivered via base64-encoded shell script or password-protected ZIP (password: "openclaw").
  4. C2 communication: Campaign communicates with 91.92.242.30.

Affected Surface

  • macOS developer workstations running OpenClaw with ClawHub marketplace access
  • Any user who installed cryptocurrency wallet, Polymarket bot, or YouTube utility skills from ClawHub between January and February 2026

IOCs

  • IP: 91.92.242.30 — ClawHavoc C2 infrastructure
  • Password for ZIP payload: openclaw
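The delivery steps in the Attack Path (base64-encoded shell script, password-protected ZIP, C2 at 91.92.242.30) and the IOC list above translate directly into a local check a defender can run over installed skills. The scanner below is an added example, not tooling from the advisory, from OpenClaw or from ClawHub. It assumes a skill is installed as a directory of plain-text files (scripts, manifests) plus optional ZIP archives; that layout is an assumption, and the sample bundle it scans is constructed here, not a real ClawHavoc artifact. It flags three things: plaintext references to the listed C2 address, a base64 decode step piped into a shell, and long base64 runs that decode to script content, plus any ZIP member with the encryption bit set.

```python
"""Scan installed OpenClaw skill files for ClawHavoc-style indicators.

Added example; not the advisory's, OpenClaw's or ClawHub's own code. The
on-disk skill layout is an assumption; sample files are constructed.
"""
from __future__ import annotations

import base64
import binascii
import io
import re
import tempfile
import zipfile
from pathlib import Path

C2_IP = "91.92.242.30"  # ClawHavoc C2 from the advisory's IOC list

# A base64 decode step piped straight into a shell interpreter.
DECODE_PIPE_RE = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:ba|z)?sh\b")
# Long base64 runs that may hide a script; decoded and inspected below.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")


def suspicious_decoded_blobs(text: str) -> list[str]:
    """Decode long base64 runs; keep those that decode to script-like content."""
    hits = []
    for match in B64_RUN_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 (a hash, a key, ...), ignore
        decoded = raw.decode("utf-8", errors="replace")
        if decoded.startswith("#!") or C2_IP in decoded:
            hits.append(decoded)
    return hits


def archive_is_encrypted(data: bytes) -> bool:
    """True when any ZIP member has the encryption bit (general-purpose flag bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def scan_skill_file(name: str, data: bytes) -> list[str]:
    """Return findings for one file of a skill bundle (empty list if clean)."""
    findings = []
    if name.lower().endswith(".zip"):
        if archive_is_encrypted(data):
            findings.append(f"{name}: password-protected ZIP inside skill bundle")
        return findings
    text = data.decode("utf-8", errors="replace")
    if C2_IP in text:
        findings.append(f"{name}: references ClawHavoc C2 {C2_IP}")
    if DECODE_PIPE_RE.search(text):
        findings.append(f"{name}: base64 decode piped into a shell")
    for blob in suspicious_decoded_blobs(text):
        findings.append(f"{name}: base64 blob decodes to a script ({blob[:20]!r}...)")
    return findings


def scan_skill_dir(root: Path) -> list[str]:
    """Walk an installed-skills directory and collect findings for every file."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings.extend(scan_skill_file(path.relative_to(root).as_posix(), path.read_bytes()))
    return findings


def constructed_zip(mark_encrypted: bool) -> bytes:
    """Build a tiny ZIP; optionally set the encryption bit in both headers to
    mimic a password-protected archive (zipfile cannot write real encryption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed placeholder")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flags
        data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return bytes(data)


def sample_bundle() -> dict[str, bytes]:
    """Constructed bundle: one clean script, one base64 stager, one 'encrypted' ZIP."""
    hidden = base64.b64encode(
        b"#!/bin/sh\n# constructed placeholder, not a real stager\nC2=" + C2_IP.encode() + b"\n")
    return {
        "yt-tool/run.sh": b"#!/bin/sh\necho 'fetching video metadata'\n",
        "wallet-helper/install.sh": b'#!/bin/sh\nP="' + hidden + b'"\necho "$P" | base64 -d | sh\n',
        "wallet-helper/assets.zip": constructed_zip(mark_encrypted=True),
    }


def scan_sample_bundle() -> list[str]:
    """Write the constructed bundle to a temp dir and scan it end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in sample_bundle().items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return scan_skill_dir(root)


if __name__ == "__main__":
    for line in scan_sample_bundle():
        print(line)
```

Point `scan_skill_dir` at the directory where OpenClaw keeps installed skills (that path is not stated in the advisory, so it is left to the operator). The base64 check decodes every long run rather than matching a fixed string, because the advisory describes the delivery format rather than a specific payload; the encryption check reads only the ZIP headers, so it works without knowing the archive password.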

Evidence