Anatomy of the ClawHavoc Campaign
Between January 27 and 29, 2026, attackers uploaded 335 malicious skills to ClawHub, the public registry for OpenClaw agent extensions. The skills looked legitimate — professional documentation, useful-sounding names like polymarket-trader and youtube-summarize-pro. But hidden in their "Prerequisites" sections were instructions to download trojanized archives (Windows) or paste shell commands from glot.io (macOS) that initiated multi-stage payload chains delivering Atomic Stealer.
All 335 skills shared a single command-and-control IP: 91.92.242.30. Target data included exchange API keys, wallet private keys, SSH credentials, browser passwords, and bot configuration files stored in ~/.clawdbot/.env. The attackers also targeted SOUL.md and MEMORY.md — OpenClaw's persistent memory files — enabling permanent backdoors in the agent's behavior.
The Leaky Skills Problem Is Even Bigger
Beyond outright malware, Snyk's scan of all 3,984 ClawHub skills found 283 (7.1%) with critical security flaws that expose credentials by design. These aren't malicious actors — they're developers who treated AI agents like local scripts, forgetting that every piece of data an agent touches passes through the LLM's context window.
The moltyverse-email skill instructs agents to save API keys to memory and share inbox URLs containing the key with users. The buy-anything skill collects credit card numbers and embeds them in curl commands. The prompt-log skill exports session logs without redaction, re-exposing any secrets the agent previously handled.
Three Defense Layers with 1-SEC
Protecting against SKILL.md attacks requires defense in depth.
Layer 1: Supply Chain Sentinel
1-SEC's Supply Chain Sentinel performs Levenshtein distance analysis on package names to catch typosquatting (solana-wallet-tracker vs solana-waIlet-tracker, where a capital I stands in for the lowercase l). It monitors dependency integrity and flags dependency confusion patterns where a public package shadows an internal one. For OpenClaw operators, this means every new skill installation is checked against known-good baselines.
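To show what a name check of this kind does, here is an added example written for this article; it is not 1-SEC's code and does not reproduce its confusable table. It computes Levenshtein distance with the standard two-row dynamic-programming table and, before measuring distance, folds a small assumed set of look-alike characters so that the capital-I-for-lowercase-l substitution above collapses to an exact collision. The trusted list `KNOWN_GOOD`, the `HOMOGLYPHS` mapping and the `max_distance` threshold are all constructed for the example.

```python
import unicodedata

# Trusted skill names the operator already allows. Constructed list for the
# example; a real baseline would come from the operator's allowlist.
KNOWN_GOOD = ["solana-wallet-tracker", "github-issue-triage", "weather-lookup"]

# Characters commonly swapped for look-alikes in package names. This mapping is
# an assumption for the example, not a vendor's confusable table.
HOMOGLYPHS = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o",
              "5": "s", "$": "s", "3": "e"}


def normalize(name: str) -> str:
    """Fold Unicode compatibility forms, map look-alike characters, then lowercase."""
    name = unicodedata.normalize("NFKC", name)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the two-row dynamic-programming formulation."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def assess_skill_name(candidate: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (trusted_name, verdict, distance) for each trusted name the candidate
    imitates. An exact match with a trusted name is the real thing: nothing to flag."""
    if candidate in known_good:
        return []
    findings = []
    norm_c = normalize(candidate)
    for known in known_good:
        norm_k = normalize(known)
        if norm_c == norm_k:
            # Identical once look-alikes are folded: a homoglyph collision.
            findings.append((known, "homoglyph", 0))
            continue
        d = levenshtein(norm_c, norm_k)
        if d <= max_distance:
            findings.append((known, "typosquat", d))
    return findings


if __name__ == "__main__":
    for name in ["solana-wallet-tracker", "solana-waIlet-tracker",
                 "solana-walet-tracker", "weather-lookup-pro"]:
        print(name, "->", assess_skill_name(name) or "clean")
```

The last probe name shows the limit of a pure distance check: appending a suffix such as `-pro` pushes the distance past the threshold, so a baseline check needs a prefix or token-overlap rule alongside edit distance to catch names built that way.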
Layer 2: Runtime Watcher + File Integrity
The Runtime Watcher monitors file system changes in real time. Any modification to .env, SOUL.md, MEMORY.md, or .ssh/ directories triggers an immediate CRITICAL alert. It also detects LOLBin usage (40+ patterns), process hollowing, and persistence mechanisms — exactly the techniques Atomic Stealer uses after initial execution.
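The file-integrity half of that layer can be illustrated with a baseline-and-diff check. The following is an added example for this article, not 1-SEC's Runtime Watcher: it hashes every file under an agent's home directory, then reports files that were added, modified or removed, rating changes to the names the text singles out (.env, SOUL.md, MEMORY.md, anything under .ssh/) as CRITICAL and everything else as INFO. A production watcher would subscribe to inotify or FSEvents instead of re-hashing on demand; the snapshot approach, the severity rules and the constructed directory built inside `demo()` are all assumptions of the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Files and directories whose modification the article treats as CRITICAL.
# Constructed rule set for the example, mirroring the names given in the text.
CRITICAL_NAMES = {".env", "SOUL.md", "MEMORY.md"}
CRITICAL_DIRS = {".ssh"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by its POSIX path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def severity(rel_path: str) -> str:
    """CRITICAL for the sensitive names/dirs above, INFO for anything else."""
    parts = Path(rel_path).parts
    if parts[-1] in CRITICAL_NAMES or any(d in CRITICAL_DIRS for d in parts[:-1]):
        return "CRITICAL"
    return "INFO"


def diff_baseline(root: Path, baseline: dict) -> list:
    """Return (severity, change, path) for every file added, modified or removed
    since the baseline was taken, sorted by path."""
    current = build_baseline(root)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            change = "removed"
        elif rel not in baseline:
            change = "added"
        elif baseline[rel] != current[rel]:
            change = "modified"
        else:
            continue
        alerts.append((severity(rel), change, rel))
    return alerts


def demo() -> list:
    """Build a constructed agent home directory, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".clawdbot").mkdir()
        (root / ".clawdbot" / ".env").write_text("API_KEY=placeholder\n")
        (root / "SOUL.md").write_text("# Agent persona\nBe helpful.\n")
        (root / "MEMORY.md").write_text("# Memory\n")
        (root / ".ssh").mkdir()
        (root / ".ssh" / "authorized_keys").write_text("")
        (root / "notes.txt").write_text("harmless\n")
        baseline = build_baseline(root)

        # Simulated post-compromise changes (constructed, not real payload content).
        with (root / "SOUL.md").open("a") as f:
            f.write("injected persona line\n")          # persistent behaviour change
        (root / ".ssh" / "extra_key").write_text("placeholder\n")  # new key material
        (root / "MEMORY.md").unlink()                     # memory wiped
        (root / "notes.txt").write_text("edited\n")       # benign file touched

        return diff_baseline(root, baseline)


if __name__ == "__main__":
    for sev, change, path in demo():
        print(f"{sev:8} {change:8} {path}")
```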
Layer 3: LLM Firewall Output Filtering
Even if a leaky skill instructs the agent to output an API key, 1-SEC's output rules catch it. Patterns for sk-* tokens, AKIA* AWS keys, ghp_* GitHub tokens, private keys, JWTs, connection strings, and bulk email addresses are all scanned in real time before the agent's response reaches the user or log file.
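As an added illustration of output-side filtering (example code for this article, not 1-SEC's rule set), the block below scans an agent response for each secret class the paragraph lists and redacts what it finds before the text would be shown or logged. The regular expressions, the `BULK_EMAIL_THRESHOLD` and the `SAMPLE_RESPONSE` are constructed for the example; the AWS key in the sample is the documented placeholder value `AKIAIOSFODNN7EXAMPLE`, and every other token is filler. Emails are counted after the other patterns have been stripped so that credentials embedded in a connection string are not double-counted as addresses.

```python
import re

# One compiled pattern per secret class named in the article. Constructed
# for the example; production rules would be tuned per provider format.
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?"
        r"-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Three base64url segments, the first starting with the '{"' header bytes.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}\b"),
    "connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://\S+"),
}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BULK_EMAIL_THRESHOLD = 5  # assumed cut-off for "bulk" address disclosure


def scan_output(text: str) -> list:
    """Return (rule_name, matched_text) for every hit, plus a bulk_email finding
    when the response carries BULK_EMAIL_THRESHOLD or more addresses."""
    findings = []
    stripped = text
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((name, m.group(0)))
        stripped = pattern.sub("", stripped)
    emails = EMAIL.findall(stripped)
    if len(emails) >= BULK_EMAIL_THRESHOLD:
        findings.append(("bulk_email", f"{len(emails)} addresses"))
    return findings


def redact_output(text: str) -> str:
    """Replace every hit with a labelled marker so the response stays readable
    but no secret reaches the user or the session log."""
    for name, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{name}]", text)
    if len(EMAIL.findall(text)) >= BULK_EMAIL_THRESHOLD:
        text = EMAIL.sub("[REDACTED:email]", text)
    return text


# Constructed agent response exercising every rule except private_key.
SAMPLE_RESPONSE = (
    "Sure! Your OpenAI key is sk-" + "A" * 24 + " and your AWS access key is "
    "AKIAIOSFODNN7EXAMPLE. The GitHub token ghp_" + "x" * 36 + " still works.\n"
    "Session token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123 \n"
    "DB: postgres://admin:hunter2@db.internal:5432/agent is reachable.\n"
    "Contacts: a@x.io b@x.io c@x.io d@x.io e@x.io\n"
)

if __name__ == "__main__":
    for rule, hit in scan_output(SAMPLE_RESPONSE):
        print(f"{rule:18} {hit[:40]}")
    print(redact_output(SAMPLE_RESPONSE))
```

The same two functions belong on the log-writing path as well as the user-facing one; the prompt-log skill described earlier re-exposes secrets precisely because exported sessions skip this step.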