
ClawHavoc Malware: What Happened and What Was Fixed

nacre.sh Team · May 4, 2026 · 8 min read

The ClawHavoc malware incident in 2026 put 341 malicious OpenClaw skills on ClawHub. Here's what happened, who was affected, and what was fixed.

Tags: clawhavoc malware, openclaw malware, clawhub security incident, openclaw cve 2026

In early 2026, the security community uncovered ClawHavoc — a coordinated campaign that published 341 malicious skills to the ClawHub marketplace. This is the most significant security event in OpenClaw's history. Here's everything you need to know.

Timeline of Events

January 2026: A security researcher at CloudSecOps noticed unusual network traffic patterns from several OpenClaw deployments. Investigation revealed outbound data exfiltration.

January 15, 2026: The source was traced to 341 skills published to ClawHub by 23 accounts, presumably coordinated, over the preceding three months.

January 16, 2026: OpenClaw Foundation issued an emergency advisory. Affected skills were removed from ClawHub within hours. A list of affected skill slugs was published.

January 17-20, 2026: ClawHub implemented mandatory code review and cryptographic signing for all new skill submissions. Existing skills were queued for review.

February 2026: Full review of existing ClawHub skills completed. ClawHub's "Verified" badge system launched.

What the Malicious Skills Did

The ClawHavoc skills operated as legitimate-seeming utilities (file organizers, web scrapers, productivity tools) while secretly:

  • Exfiltrating environment variables (including API keys) to attacker-controlled endpoints
  • Logging conversation content to remote servers
  • Using the agent's permissions to access external services

Most affected users had self-hosted OpenClaw. nacre.sh's network monitoring detected and blocked the exfiltration attempts in most cases.
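The two behaviours above, a credential leaving the host and traffic to an endpoint the deployment never uses, are exactly what an egress allow-list check catches. The following is an added illustration of such a check, not nacre.sh's or OpenClaw's code. It assumes a skill's outbound HTTP requests can be observed as (destination host, request body) pairs; the allow-listed hosts, environment variable names and requests are constructed samples.

```python
"""Egress allow-list check of the kind described above.

Added illustration, not nacre.sh's or OpenClaw's code. Assumes outbound
requests are visible as (host, body) pairs; all sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Hosts a skill is permitted to talk to (assumed allow-list; in practice the
# model/API providers the deployment actually uses).
ALLOWED_HOSTS = {"api.openai.com", "api.anthropic.com"}

# Environment variables whose values must never leave the host. Names are
# assumed; the pattern catches the common *_KEY / *_TOKEN / *_SECRET forms.
SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)$", re.IGNORECASE)


@dataclass
class Verdict:
    host: str
    allowed: bool
    leaked_vars: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return not self.allowed or bool(self.leaked_vars)


def secret_values(env: dict) -> dict:
    """Return {name: value} for env vars that look like credentials."""
    return {k: v for k, v in env.items()
            if SECRET_NAME_RE.search(k) and len(v) >= 8}


def check_request(host: str, body: str, env: dict) -> Verdict:
    """Decide whether an outbound request should be blocked.

    Two independent signals: destination not on the allow-list, and the body
    carrying the literal value of a credential taken from the environment.
    Values are matched, not names, so a skill that renames the field
    (sends OPENAI_API_KEY as "token") is still caught.
    """
    leaked = [name for name, val in secret_values(env).items() if val in body]
    return Verdict(host=host, allowed=host in ALLOWED_HOSTS, leaked_vars=leaked)


def audit(requests: list, env: dict) -> list:
    """Run check_request over a batch; return only the blocked verdicts."""
    return [v for v in (check_request(h, b, env) for h, b in requests) if v.blocked]


# Constructed sample environment and traffic (not from any real incident).
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-constructed-example-key-0123456789",
    "HOME": "/home/agent",
    "DB_PASSWORD": "hunter2hunter2",
}
SAMPLE_REQUESTS = [
    # Legitimate model call: allowed host, credential only in the Authorization
    # header, which this body check does not inspect (the provider needs it).
    ("api.openai.com",
     '{"model":"gpt-4o","messages":[{"role":"user","content":"organise my files"}]}'),
    # Exfiltration to an unknown host, credential renamed to "token".
    ("collector.example.net",
     '{"token":"sk-constructed-example-key-0123456789","host":"agent-1"}'),
    # Conversation logging to an unknown host, no credential in the body.
    ("collector.example.net", '{"transcript":"user asked to organise files"}'),
    # Allowed host, but the skill smuggles a second secret inside the prompt.
    ("api.anthropic.com",
     '{"messages":[{"role":"user","content":"hunter2hunter2"}]}'),
]

if __name__ == "__main__":
    for v in audit(SAMPLE_REQUESTS, SAMPLE_ENV):
        reason = "host not allowed" if not v.allowed else "credential in body"
        print(f"BLOCK {v.host}: {reason} {v.leaked_vars}")
```

The last sample is the case a host-only allow-list misses: the destination is a legitimate provider, but the body carries a credential the skill had no business sending there. Matching on credential values rather than variable names is deliberate; the malicious skills chose their own field names.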

How to Check If You Were Affected

  1. Compare the skills installed before February 2026 against the affected skills list linked from OpenClaw security advisory SA-2026-001, and remove any match.
  2. Check your API provider dashboards for unusual usage spikes in January and February 2026; a spike after the install date of a matched skill indicates the key was actually used.
  3. Rotate (and revoke) every API key your OpenClaw instance could read, whether or not you found a match or a spike. An exfiltrated key may simply not have been used yet.

What Changed After ClawHavoc

  • Mandatory code review: All ClawHub submissions reviewed by the security team
  • Signed skills: Skills are cryptographically signed; signatures verified on install
  • Verified badge: Only reviewed skills show the Verified badge
  • nacre.sh improvements: Prompt Shield, network isolation, verified-only defaults
  • Enhanced tools.allow: New allow-list categories for network access

Frequently Asked Questions

Was the OpenClaw core software affected?

No. ClawHavoc was entirely a ClawHub marketplace supply chain attack. The OpenClaw core software was not compromised.

Did nacre.sh users lose data?

nacre.sh's network monitoring blocked the exfiltration endpoints for the majority of cases. A small number of users on legacy plans without full monitoring may have been affected. nacre.sh directly notified all potentially affected users.

Can this happen again?

Mandatory code review and signing raise the bar considerably, but neither is a guarantee: a signature proves who published a skill, not that its code is benign, and human review can miss obfuscated behaviour. The attack surface has been substantially reduced, not eliminated. Security is ongoing, not a one-time fix.
