
Feb 24, 2026


Summary
Repello AI researchers tracked ClawHavoc — 335 coordinated malicious skills across ClawHub targeting OpenClaw users. This post covers the full campaign timeline, the three attack techniques, CVE-2026-25253, and how to scan your skills.
TL;DR: ClawHavoc is a coordinated supply chain attack campaign — not random malicious uploads. Researchers traced 335 malicious skills across ClawHub to a single threat actor operating under a structured campaign. The attack exploits the blind trust AI agent users place in community skill marketplaces. CVE-2026-25253 (CVSS 8.8) enabled one-click remote code execution. This post documents the campaign timeline, three attack techniques used, and what to do right now.
What Is ClawHavoc?
ClawHavoc is a named threat campaign targeting users of OpenClaw and other AI agent platforms that support third-party installable skills. It is not a product vulnerability, a misconfiguration, or a series of unrelated bad actors. It is a coordinated supply chain attack — engineered, persistent, and platform-aware.
OpenClaw reached 180,000 GitHub stars in three weeks, attracted over 300,000 active users, and accumulated more than 5,000 third-party skills on its ClawHub marketplace. That growth curve is exactly what makes it a high-value target. When a platform grows faster than its security infrastructure, the marketplace becomes the attack surface.
Repello AI researchers, scanning the ClawHub registry as part of ongoing AI agent security research, identified 341 malicious packages across multiple campaigns. Of those, 335 were traced to a single coordinated operation: ClawHavoc.
Campaign Timeline
Early February 2026 — First ClawHavoc-attributed skills appear in ClawHub. Packages are named to mimic high-download legitimate skills: productivity wrappers, calendar managers, email drafters. Download counts are artificially inflated using automated requests to appear credible in marketplace sorting.
February 9, 2026 — Cisco AI Defense publishes initial analysis of malicious OpenClaw skills, identifying a pattern of data exfiltration techniques. The campaign is not yet named.
February 16, 2026 — Repello AI publishes a full teardown of malicious OpenClaw skills, naming the campaign ClawHavoc and documenting the three attack techniques (detailed below). At this point, 20% of the ClawHub registry is estimated to be compromised.
February 20, 2026 — CVE-2026-25253 is disclosed. CVSS 8.8. The OpenClaw Control UI trusts a gatewayUrl parameter from the query string without validation, enabling token exfiltration with a single malicious link — no skill installation required. OpenClaw patches within 48 hours, but all pre-patch instances remain vulnerable.
February 24, 2026 (current) — ClawHavoc skills remain discoverable in ClawHub under variant package names. The core campaign infrastructure is still active. 36% of all skills on the marketplace contain detectable security flaws, per Repello scan data.
Three Attack Techniques
ClawHavoc does not rely on a single exploit. The campaign uses three techniques in combination, each targeting a different point in the agent's trust model.
1. Prompt Injection via SKILL.md
The most sophisticated ClawHavoc technique requires no external scripts and leaves no binary artifacts for traditional scanners to catch.
Every OpenClaw skill includes a SKILL.md file — a natural language instruction set that tells the agent what to do and when. ClawHavoc operators embed adversarial instructions directly into this file. The agent, which processes SKILL.md as a trusted instruction source, follows them without user awareness.
A documented example: a malicious skill instructs the agent to silently append environment variables to the end of any URL it visits. The agent leaks your ANTHROPIC_API_KEY, OPENAI_API_KEY, and shell environment to attacker-controlled DNS or web logs — no payload dropped, no subprocess spawned, no antivirus trigger.
This is prompt injection operating at the skill layer rather than the input layer. The attack surface is the agent's own instruction-following behavior.
2. Reverse Shell via Hidden Script Execution
Less subtle but highly effective: ClawHavoc skills package malicious shell scripts alongside legitimate-looking automation code. The SKILL.md trigger condition is written to activate the script during normal agent operation — when the user asks the agent to do something mundane, like "summarize my emails" or "create a git commit."
In one documented ClawHavoc example, a skill masquerading as a Polymarket integration executed a hidden command that opened an interactive reverse shell back to an attacker-controlled server, granting full remote control over the victim's machine. The outbound traffic blended with normal agent HTTPS activity. Standard network monitoring tools did not flag it.
3. Token Exfiltration via CVE-2026-25253
This technique requires no skill installation. CVE-2026-25253 (CVSS 8.8) exploits a validation failure in the OpenClaw Control UI: the gatewayUrl query parameter is passed to the agent without sanitization. An attacker sends the victim a single crafted link. When opened in a browser with OpenClaw running, the agent's authentication tokens are exfiltrated to the attacker's server.
The attack requires one click. It works against any pre-patch OpenClaw instance regardless of what skills are installed. ClawHavoc operators distributed these links through Discord servers, developer forums, and direct messages — targeting the communities where OpenClaw users congregate.
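The post states only that the Control UI used the gatewayUrl query parameter without validation; the corrective pattern is to treat it as untrusted input and accept it solely when it names an allow-listed origin. The example below is added here and is not OpenClaw's code or its patch; the allow-listed origins, the query-string entry point and the default gateway are all assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed allow-list for this example: the only origins a Control UI
# session may hand its token to. Real deployments would read this from config.
ALLOWED_GATEWAY_ORIGINS = {
    "https://gateway.example.internal",
    "http://localhost:8080",
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def validate_gateway_url(candidate: str, allowed=ALLOWED_GATEWAY_ORIGINS):
    """Return a normalised gateway URL, or None when the candidate does not
    resolve to an allow-listed origin. Rejects embedded credentials
    (https://allowed@attacker), non-web schemes, malformed ports and any
    host that is not an exact match; query and fragment are dropped."""
    if not candidate or len(candidate) > 2048:
        return None
    parts = urlsplit(candidate.strip())
    if parts.scheme not in DEFAULT_PORTS:
        return None
    if parts.username or parts.password or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "https://host:abc/"
        return None
    host = parts.hostname.lower()
    origin = f"{parts.scheme}://{host}"
    if port and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    if origin not in allowed:
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", "", ""))


def resolve_gateway(query_string: str,
                    default: str = "https://gateway.example.internal/") -> str:
    """Choose the gateway for a Control UI session. The pre-patch behaviour
    described in the post used gatewayUrl directly; here the parameter is
    honoured only if it survives validation, otherwise the default wins."""
    for value in parse_qs(query_string).get("gatewayUrl", []):
        accepted = validate_gateway_url(value)
        if accepted:
            return accepted
    return default
```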
Why This Works Across Platforms
ClawHavoc targets OpenClaw because OpenClaw is currently the largest AI agent with an open skill marketplace. But the attack techniques are not OpenClaw-specific.
Any AI agent platform that supports third-party installable skills — Claude Code, Cursor, Windsurf, GitHub Copilot extensions — shares the same fundamental trust model: skills receive elevated access to the agent's execution context, and users have no native mechanism to audit what a skill does before running it.
The prompt injection technique (embedding adversarial instructions in SKILL.md or equivalent descriptor files) works against any LLM-powered agent that processes skill files as trusted instructions. The reverse shell technique works against any agent with shell access. The token exfiltration technique is OpenClaw-specific, but analogous UI injection vulnerabilities exist in other agent control panels that have not been audited at the same depth.
The Repello Research team has scanned skills from multiple agent platforms. The malicious pattern distribution is consistent: prompt injection is the dominant technique, present across all ecosystems. Payload delivery scripts are more concentrated in OpenClaw due to its shell access model.
What to Do Right Now
If you run OpenClaw: Update immediately. CVE-2026-25253 is patched in the latest release — any pre-patch version is actively exploitable without skill installation. Check every currently installed skill against the indicators in our OpenClaw security hardening guide.
Before installing any skill from any platform: Scan it. Upload the skill zip to SkillCheck by Repello — a free browser-based scanner that checks for prompt injection patterns, policy violations, and payload delivery techniques across any agent platform format. No installation required. Takes under 60 seconds.
SkillCheck differs from CLI-based scanners in one important way: it runs in your browser. You do not need Python, API keys, or a development environment. Upload the zip, get a verdict and a score out of 100. If a skill flags High or Critical, the scan output shows you exactly which patterns triggered and why.
For teams deploying AI agents at scale: A single compromised skill in one engineer's environment can pivot to your production systems if the agent has access to shared credentials, internal APIs, or cloud provider tokens. ARTEMIS red-teams your entire agentic stack — not just individual skills — to surface the attack paths that exist between your agents, your MCP connections, and your internal infrastructure. ARGUS monitors and blocks at runtime. If you're running AI agents in a production environment, that's the coverage level the threat warrants.
The Broader Signal
ClawHavoc is notable not just for its scale — 335 skills, coordinated infrastructure, active for weeks before widespread detection — but for what it signals about where supply chain attacks are going.
AI agent skill marketplaces are the new npm. They have the same growth dynamics (rapid adoption, community-driven, minimal vetting), the same trust model problems (users install first, audit never), and now demonstrably the same attacker interest. The AI agent attack surface is expanding faster than the tooling to secure it.
The security community took years to develop adequate npm package auditing. The AI agent skill ecosystem is compressing that timeline — either by developing scanning infrastructure faster, or by experiencing a higher-severity incident that forces the issue.
ClawHavoc is not that incident. It is the warning before it.
FAQ
What is ClawHavoc? ClawHavoc is a coordinated threat campaign that planted 335 malicious skills across the ClawHub marketplace, targeting OpenClaw AI agent users. The campaign used three distinct attack techniques: prompt injection embedded in skill descriptor files, hidden reverse shell scripts, and token exfiltration via CVE-2026-25253. It is named for its scale and coordination — not random uploads, but a structured supply chain attack.
Is ClawHavoc only a threat to OpenClaw users? No. While ClawHavoc targeted OpenClaw specifically, the attack techniques — particularly prompt injection via skill descriptor files — work against any AI agent platform that processes third-party skill files as trusted instructions. Claude Code, Cursor, Windsurf, and other agent platforms with installable skills share the same underlying trust model vulnerability.
What is CVE-2026-25253? CVE-2026-25253 is a one-click remote code execution vulnerability in the OpenClaw Control UI, rated CVSS 8.8. The gatewayUrl query parameter was passed to the agent without input validation, allowing an attacker to exfiltrate authentication tokens by sending a single crafted link. It has been patched in the latest OpenClaw release. Any pre-patch instance remains vulnerable.
How do I check if a skill is safe before installing it? Upload the skill zip file to SkillCheck by Repello — a free, browser-based scanner that checks for prompt injection patterns, payload delivery scripts, and policy violations. No installation or API keys required. Works across OpenClaw, Claude Code, Cursor, and other agent formats. You can also review the skill's SKILL.md file manually: look for instructions that reference environment variables, external URLs, subprocess execution, or conditional behavior that activates only under specific contexts.
How does SkillCheck differ from Cisco's skill scanner? Cisco's skill-scanner is a CLI tool that requires Python 3.10+, installation via pip, and multiple API keys to unlock full functionality. SkillCheck runs in a browser — upload a zip, get results in under a minute, no setup required. Both tools detect prompt injection and payload delivery patterns. SkillCheck is designed for skill end-users who need a fast answer before installation. Cisco's tool is designed for security engineers who want deep static analysis and custom rule authoring.
What should enterprise security teams do about agentic skill risk? Individual skill scanning is a necessary first step but insufficient at enterprise scale. Teams need visibility into which skills are installed across which agents, runtime monitoring to detect anomalous agent behavior, and pre-deployment red teaming to surface attack paths between agents, skills, and internal infrastructure. Repello's ARTEMIS and ARGUS provide that coverage. For teams starting to evaluate the risk, book a demo.