Back to OpenClaw News Snyk: ClawHub Skills Dropping Reverse Shells
February 11, 2026 Security Skills

Snyk: ClawHub Skills Dropping Reverse Shells

Snyk's investigation reveals AMOS infostealer payloads hidden in typosquatted ClawHub skills. Detailed analysis and protection guide.

Share

🦞 OpenClaw Updates

Snyk Publishes Deep Technical Analysis of ClawHub Attack

Snyk's analysis provides the deepest technical look yet at the ClawHavoc campaign. The attack uses a classic supply-chain technique adapted for the AI skill ecosystem: typosquatting. Attackers create skills with names similar to popular tools, add crypto-related keywords to attract high-value targets, then deploy the Atomic macOS Stealer (AMOS) infostealer.

Key findings from Snyk's investigation:

  • Skills contain obfuscated shell commands that download reverse shell payloads
  • The AMOS stealer targets macOS keychain, browser credentials, and cryptocurrency wallets
  • Attack pattern mirrors npm, PyPI, and mobile app store supply-chain attacks
  • Most malicious skills were published in a short burst by related accounts
SEN-X Take

This is the npm/PyPI problem arriving in the AI agent ecosystem. The attack vector isn't unique, but the impact is amplified because AI agents have broader system access than typical packages. The ClawHub team is responding with VirusTotal integration and community reporting, but enterprise users should treat skill installation like they treat dependency management: vet everything, pin versions, review source code.

🔒 Security Tip of the Day

Vet Every Skill Before Installing

Never install a ClawHub skill without checking it first. Here's the vetting process we recommend:

  1. Check the skill's ClawHub page for the VirusTotal report
  2. Cross-reference against the awesome-openclaw-skills curated list (5,700 skills filtered to 3,002)
  3. Review the SKILL.md source on GitHub — look for suspicious exec commands, encoded strings, or network calls
  4. Install the clawdex skill from Koi Security for pre-installation scanning

Golden rule: If you can't read and understand every line of a skill's code, don't install it in production.

⭐ Skill of the Day: agent-config

🔧 agent-config

What it does: Intelligently modify agent core context files (AGENTS.md, SOUL.md, MEMORY.md, etc.) through natural language. Instead of manually editing config files, tell your agent how you want to change its behavior and this skill handles the structured edits.

Install: npx clawhub@latest install agent-config

Source: github.com/openclaw/skills (verified on ClawHub)

Why we like it: Meta-skill for managing your agent's own configuration. Particularly useful for non-technical users who want to customize their agent's personality and behavior without editing markdown files directly.

👥 Community Highlights

The r/hacking subreddit featured a post "I Scanned Popular OpenClaw Skills — Here's What I Found" that provided independent verification of the Koi/Snyk findings and additional analysis of the attack patterns.

🌐 Ecosystem News

Koi Security's Clawdex: In response to ClawHavoc, Koi Security released Clawdex — a skill that OpenClaw bots can install to protect themselves. It provides pre-installation scanning against a malicious skills database, creating an immune system for the ecosystem.

Need help with OpenClaw deployment?

SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.

Contact SEN-X →
← Back to all articles