12% of the Marketplace Was Poison: The ClawHub Supply-Chain Attack

Quick summary: In January–February 2026, the skill marketplace (ClawHub) of the viral AI agent OpenClaw was seeded with over a thousand malicious add-ons — 341 in a single audit, 11.9% of the registry at the time — disguised as crypto tools that stole wallets and keys. The entire attack used no 0-day. The root cause: zero marketplace review + a high-privilege agent + social engineering. The note ends by testing whether fibon’s three-gate skill import holds against this failure class.

Skip this if: you install no third-party AI agent add-ons and run no add-on marketplace.

A number that runs cold

On February 1, 2026, Oren Yomtov, a researcher at the security firm Koi Security, did something fitting: he used OpenClaw’s own bot to audit every single skill on ClawHub, OpenClaw’s official skill marketplace. Of roughly 2,857 add-ons at the time, 341 were malicious — 11.9% of the entire marketplace — with 335 of them tracing to one coordinated campaign later named ClawHavoc.

In other words: grab a random add-on off that marketplace, and roughly one in eight or nine will try to steal from you.

The full picture is uglier than that snapshot. OpenClaw (originally Clawdbot, renamed to Moltbot then OpenClaw over trademark issues) rocketed to tens of thousands of GitHub stars within days in late January, and the marketplace inflated along with it. By February 16, when Koi re-scanned, the registry had ballooned past 10,700 skills and the malicious count had doubled to 824. Meanwhile, China’s Antiy Labs, counting on a “cumulative historical” basis through February 5, tallied 1,184 malicious skills across 12 author IDs.

How the attack worked: no 0-day, just social engineering

The single most important thing to remember: this entire attack used no software vulnerability.

Malicious skills posed as legitimate tools — Solana wallet trackers, YouTube summarizers, Polymarket trading bots — with very professional-looking docs (Antiy observed many READMEs running 500–700 lines, apparently AI-generated to boost credibility). The malicious instructions hid in a “Prerequisites” or “Setup” section, claiming you had to install a “helper tool” first to use the skill.

What followed is classic ClickFix social engineering:

On Windows, it told you to download a password-protected ZIP from GitHub (the password was often openclaw or 1234) — the password protection exists so antivirus can’t scan inside the encrypted archive — containing a packed infostealer plus keylogger. On macOS, it told you to copy-paste a terminal command that pulled a base64-encoded shell command from a paste site like glot.io, which decoded and curled down the final payload: Atomic macOS Stealer (AMOS), a mature stealer rented as malware-as-a-service on Telegram for $500–1000/month, targeting Keychain passwords, browser data, 60+ crypto wallets, Telegram sessions, and SSH keys.

Root cause: the only bar to publish was “a GitHub account one week old”

What scaled the damage to over a thousand malicious skills wasn’t some sophisticated exploit — it was a hole at the governance layer:

The only requirement to publish a skill on ClawHub was that your GitHub account be at least one week old. No code review, no automated scanning, no human approval, no sandbox. Anyone could publish anything. On January 31 alone, 7 attackers dropped 386 malicious skills, one of whom uploaded 354 in a single day.

This echoes a line I repeat throughout this project: security can’t rest on goodwill; it has to rest on engineering boundaries. An open-upload marketplace that skips the review step entirely is, in essence, a free hosting platform for malware — just one that happens to wear an “AI skill marketplace” label.

OpenClaw’s remediation (announced February 8: daily VirusTotal scanning, plus auto-hiding skills reported by three or more users) points the right way, but it’s an after-the-fact gate. The team itself admitted VirusTotal is “not a silver bullet” — a cleverly hidden prompt injection payload can still slip through.

What this means for fibon

This one is a direct mirror of fibon’s design — because fibon’s skill import mechanism (ADR-010, detailed in Chapter 4) was built specifically for this failure class, and built assuming the marketplace is untrusted. Three gates:

The first is a static scan: synchronous, free, unbypassable. Any imported skill first runs through a regex scan — the code layer catches 11 dangerous patterns like child_process, eval, fs.rm, exec, process.env, fetch; the prose layer catches prompt-injection patterns like “ignore previous instructions,” system-prompt exfiltration, zero-width characters — then grades severity in three tiers. A ClawHavoc-style skill that “tells you to curl down a payload” or “reads .env to exfiltrate credentials” is exactly this gate’s target.

The second is AI review, using an LLM for malicious-intent assessment and contract extraction, user-triggered and budget-gated. The third is human approval — a person must nod before a skill is actually written into the tool registry.

A more fundamental line of defense lives in the architecture: even if a malicious skill did sneak in and execute, fibon’s Worker — which runs untrusted code — is confined to an isolated Docker network (Chapter 6), with the design goal written in black and white: even if compromised, it cannot reach the API keys or the database. Under that isolation, a ClawHavoc payload could steal far less than it does running with full privileges on a developer’s machine.

But the real lesson this attack hands everyone has nothing to do with code: an AI agent’s skills / add-ons / MCP tools are, in essence, “trusted instructions” that your agent will execute with high privilege. Installing a skill authorizes a chunk of stranger code to act with your agent’s identity. A marketplace’s convenience masks how dangerous that is — and convenience is precisely the attacker’s doorway. Before installing any third-party AI add-on, ask one question: what’s this marketplace’s bar to publish? If the answer is “a GitHub account one week old,” what you’re facing isn’t a marketplace — it’s a warehouse with nobody at the door.