The threat involves malicious third-party skills uploaded to ClawHub, a marketplace for OpenClaw AI assistant users, which has been found to host 341 malicious skills out of 2,857 audited. These skills masquerade as legitimate tools—such as cryptocurrency wallet trackers, YouTube utilities, finance tools, and Google Workspace integrations—but include hidden malicious payloads. The attack leverages social engineering by instructing users to install fake prerequisites, such as downloading a Windows trojan archive or running obfuscated macOS shell scripts. The macOS payload is a variant of Atomic Stealer (AMOS), a commercial stealer malware capable of keylogging and harvesting sensitive data including API keys, credentials, and crypto wallet private keys. The malware communicates with a command-and-control server at IP 91.92.242.30 to fetch additional payloads and exfiltrate stolen data. Some skills also contain reverse shell backdoors or exfiltrate bot credentials to attacker-controlled webhooks. The open nature of ClawHub, which only requires a minimal GitHub account age for publishers, allows threat actors to upload malicious skills easily. The persistent memory and external communication capabilities of OpenClaw AI assistants exacerbate the risk by enabling delayed and stateful attacks, such as time-shifted prompt injection and logic bombs. The campaign, dubbed ClawHavoc, demonstrates how open-source AI ecosystems can be exploited for supply chain attacks, posing significant risks to users who rely on these AI assistants for automation and data processing.

For European organizations, this threat poses a significant risk of credential theft, including API keys, SSH credentials, browser passwords, and cryptocurrency wallet keys, potentially leading to unauthorized access to critical systems and financial assets. The malware's ability to persist and execute delayed attacks increases the difficulty of detection and remediation. Organizations using OpenClaw or similar AI assistants for automation, especially those running on macOS systems, are vulnerable to supply chain compromise. The theft of sensitive credentials can lead to data breaches, financial loss, and reputational damage. Additionally, the presence of reverse shells and backdoors can facilitate further lateral movement within networks. The campaign's use of social engineering to trick users into executing malicious commands increases the likelihood of successful exploitation. The open-source nature of the ecosystem means that even organizations with strong perimeter defenses may be exposed if internal users install malicious skills. This threat also highlights the broader risk of AI assistant platforms being leveraged as attack vectors, which could impact compliance with data protection regulations such as GDPR if personal data is compromised.

European organizations should implement strict controls on the installation of third-party skills in OpenClaw environments, including whitelisting verified publishers and skills. Employ multi-factor authentication and role-based access controls to limit who can install or update skills. Conduct thorough code reviews and static analysis of any third-party skills before deployment. Educate users about the risks of following installation instructions that require running scripts or downloading files from untrusted sources. Monitor network traffic for connections to known malicious IP addresses such as 91.92.242.30 and unusual outbound data flows. Use endpoint detection and response (EDR) solutions on macOS and Windows systems to detect keylogging and suspicious processes. Leverage OpenClaw's reporting feature to flag and auto-hide suspicious skills. Regularly audit installed skills and remove any that are unverified or no longer needed. Implement logging and alerting for changes in AI assistant behavior or unexpected command executions. Finally, maintain up-to-date backups and incident response plans tailored to supply chain and AI assistant-related threats.