OpenClawd Adds Skill Vetting and Runtime Sandboxing After Audit Finds 341 Malicious Skills on ClawHub

OpenClawd, the managed OpenClaw hosting service, shipped a security update on March 26 that adds automated skill vetting, verified installer sourcing, and runtime sandboxing to its platform. The update responds directly to Koi Security’s audit of the ClawHub skill marketplace, which found 341 malicious skills out of 2,857 published listings — approximately 12% of the entire catalog.

The numbers have gotten worse since Koi’s initial disclosure. A February 16 update to Koi’s research reported 824 malicious skills across a marketplace that had grown to over 10,700 listings, with the original ClawHavoc campaign expanding into new categories including browser automation agents, coding agents, LinkedIn and WhatsApp integrations, and PDF tools.

What the Audit Found

Koi Security’s original audit, conducted with the help of an OpenClaw bot named Alex, traced 335 of the 341 malicious skills to a single campaign the firm codenamed ClawHavoc. The skills disguised themselves as cryptocurrency wallets, YouTube utilities, Google Workspace integrations, and Polymarket trading bots, according to The Hacker News’s report on the findings.

The attack pattern was consistent: skills included a “Prerequisites” section instructing users to download a separate installer. On Windows, the download was a password-protected ZIP archive containing a trojan with keylogging capabilities. On macOS, the instructions directed users to copy an obfuscated shell script from glot.io and paste it into Terminal, which fetched a universal Mach-O binary matching the Atomic Stealer (AMOS) malware family — a commodity stealer available for $500–$1,000 per month that harvests credentials, API keys, and wallet data from macOS hosts.

“You install what looks like a legitimate skill — maybe solana-wallet-tracker or youtube-summarize-pro,” Koi researcher Oren Yomtov told The Hacker News. “The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.”

The most widely downloaded malicious skill on ClawHub was a cryptocurrency stealer. Koi also identified skills hiding reverse shell backdoors inside functional code and skills exfiltrating bot credentials stored in ~/.clawdbot/.env to external webhook endpoints.

What OpenClawd Ships

The platform update targets both the supply chain and runtime execution:

• Verified installer sourcing: All OpenClawd instances are provisioned from cryptographically signed OpenClaw releases pulled directly from the official repository. No third-party install paths.
• Skill vetting pipeline: Third-party skills pass through automated static analysis and behavioral testing before activation. Skills flagged for network exfiltration, prompt injection patterns, or credential exposure are blocked by default.
• Runtime sandboxing: Each skill executes in an isolated environment with explicit permission boundaries. A skill requesting network access to an unexpected endpoint triggers a review before execution.
• Credential isolation: API keys and tokens are stored in encrypted vaults and never exposed in plaintext to skill code or agent logs.

“There are now two ways to get compromised before you even run your first OpenClaw command,” Danny Wilson, spokesperson for OpenClawd, said in the press release. “You can install a fake version of the software, or you can install the real version and then add a skill that steals your data. We built this update so that neither path exists on our platform.”

OpenClawd does not operate its own skill marketplace. Skills available on hosted instances are drawn from the official ClawHub repository after passing the vetting pipeline.

Three Security Responses in One Week

OpenClawd’s update is the third distinct security response in the OpenClaw ecosystem this week, following Cisco’s open-source DefenseClaw framework announced at RSAC 2026 and Sysdig’s runtime enforcement tooling for AI coding agents. Each addresses a different layer: Cisco targets network-level threat detection, Sysdig handles runtime process enforcement, and OpenClawd now covers supply chain vetting at the marketplace level.

The core OpenClaw project’s own response to the malware problem has been more limited. Creator Peter Steinberger added a reporting feature that allows signed-in users to flag suspicious skills, The Hacker News reported. ClawHub remains open by default — anyone with a GitHub account at least one week old can publish a skill.

OpenClawd is not affiliated with the OpenClaw open-source foundation, OpenAI, or Peter Steinberger. It is an independent managed hosting platform built on the open-source codebase.