Agentic AI Crisis: OpenClaw ‘ClawHavoc’ Attack Turns 341 Plugins Into Wallet Drainers
A massive supply chain attack on the OpenClaw AI marketplace has compromised 12% of all plugins, deploying AMOS malware to drain crypto wallets and steal API keys.
The era of autonomous AI agents just claimed its first mass-casualty event in crypto security. SlowMist and Koi Security confirmed today that ClawHub, the official plugin marketplace for the OpenClaw AI agent, is compromised. Approximately 341 skills (12% of the repository) contain malicious payloads explicitly designed to exfiltrate seed phrases and exchange API keys.
The Mechanism: 'ClawHavoc'
This isn't a theoretical exploit. It is a live supply chain poisoning campaign, dubbed “ClawHavoc,” active since late January 2026. The vector is deceptively simple: attackers embedded Base64-encoded commands within the SKILL.md installation files.
When a user instructs their OpenClaw agent to install a compromised skill. Often disguised as a Solana wallet tracker or Phantom utility, the agent executes the hidden script with local system privileges. The script bypasses standard sandboxing to fetch the AMOS infostealer (Atomic macOS Stealer) or similar Windows-based trojans.
The primary risk of SKILL.md lies in the fact that it is not an auditable build artifact. but operational instructions that users are likely to execute directly. — SlowMist Security Team
Targeting the Crypto Stack
The attack precision is alarming. Over 100 of the malicious skills mimicked legitimate crypto tools, including:
- Solana/Phantom Wallet Managers
- Binance/Bybit Trading Bots
- Polymarket Event Trackers
Once installed, the malware scans local directories for wallet.dat files, browser session cookies, and unencrypted private keys. Data is immediately exfiltrated to command-and-control servers linked to the Poseidon cybercrime group.
Institutional Impact
This shatters the trust model for “Agentic AI” in finance. Until now, traders used local agents like OpenClaw to automate on-chain workflows, assuming local execution meant safety. That assumption is dead. Security teams at major prop shops are already scrubbing local dev environments; if an agent had access to your file system, you must assume every key on that machine is burned.
OpenClaw has begun integrating VirusTotal checks, but the damage is done. For crypto users, the directive is absolute: Nuke the instance. Rotate your keys.
