824 Malicious Skills on ClawHub: What the 7.7% Infection Rate Means for OpenClaw Users

One in thirteen skills on ClawHub is malicious. That's the finding from a follow-up scan by Koi Security and Termdock published February 16, 2026: 824 malicious skills out of 10,700+ total. A 7.7% infection rate on the official skill marketplace for OpenClaw.

The number was worse a few weeks earlier. A Koi Security audit on February 1 counted 341 malicious skills out of 2,857. That's 11.9%. The marketplace grew, the raw count of bad skills more than doubled, but the percentage dropped slightly as legitimate uploads outpaced malware.

ClawHavoc: 335 Malicious ClawHub Skills With Hidden Backdoors

The biggest campaign got a name. ClawHavoc involved 335 skills disguised as productivity tools with names like solana-wallet-tracker and youtube-summarize-pro. Some of them actually worked. That's the scary part.

Hidden inside SKILL.md prerequisite fields: base64-encoded shell commands that downloaded AMOS (Atomic Stealer). Once running, AMOS exfiltrated Chrome, Safari, and Firefox passwords, crypto wallet keys, SSH keys, and Keychain data. Bitdefender's analysis estimated around 900 malicious skills in their own scan, roughly 17% of what they analyzed.

The scale of exposure is hard to ignore. According to Cyberdesserts' research, over 135,000 OpenClaw instances across 82 countries were exposed to the public internet. One single uploader account, hightower6eu, uploaded 677 skills before takedown. Antiy CERT's broader analysis tracked 1,184 malicious skills across 12 accounts historically.

OpenClaw's Response

OpenClaw responded on February 7 by integrating VirusTotal scanning for new skill uploads. That's a solid step. But it doesn't retroactively protect anyone who installed a malicious skill before the scanner existed, and it doesn't catch novel payloads that VirusTotal hasn't seen yet.

What This Means for Self-Hosters vs. Managed Hosting

Let's be honest about what managed hosting does and doesn't do here. ClawHosters doesn't vet or curate skill libraries. If you install a malicious skill, you install a malicious skill. That's an ecosystem-wide problem OpenClaw is working to fix.

What ClawHosters does address is the infrastructure attack surface. Those 135,000 exposed instances? ClawHosters customers aren't among them. Every instance runs on an isolated VPS with no exposed ports, firewall and brute-force protection, and automatic OpenClaw updates (60+ CVEs patched in 2026 alone). You can read more about the differences between self-hosted and managed in our comparison.

The skill-level threat is real and ongoing. The infrastructure-level threat is where managed hosting closes the gap.