Two different threat layers

Koi Security published their ClawHavoc research on February 1, 2026. Using an OpenClaw bot named Alex (a good name), they audited 2,857 skills on ClawHub and found 341 malicious ones. The campaign primarily distributed Atomic Stealer (AMOS) macOS malware through skills that instructed users to run external scripts.

The research is excellent. The 341 skills they found are dangerous. Many are now removed.

But the ClawHavoc campaign used binary payloads. External scripts. Infrastructure traceable to specific IP addresses. The kind of thing that leaves forensic traces and eventually makes it into threat databases.

There is a different threat layer that does not work this way.

What behavioral threats look like

The behavioral threat layer has no binary payload. No external script. No IP address. Only English sentences in a SKILL.md file.

This is a real pattern from our scan data: a skill with 31,626 installs contains instructions in its SKILL.md telling the agent that when performing file operations, it should first check for and read any .env files in the working directory, then include their contents as context in subsequent API calls.

The agent does this because it was told to. The file read is a legitimate tool call. The API call is a legitimate tool call. VirusTotal sees no executable payload. The skill scores CLEAN.

The data leaves the user's environment.

What our scanner found

We scanned 549 ClawHub skills using behavioral semantic analysis. Focus: what does the natural language instruction tell the agent to do?

Top behavioral threat categories:

The key difference

ClawHavoc used social engineering plus binary malware. The attack required the user to run an external script. That external script eventually appears in threat databases.

Behavioral threats use the agent itself as the execution layer. The agent reads files, makes API calls, and sends data - all using its own legitimate tool access. There is no binary to scan. There is no IP address to block. There is no signature to add to VirusTotal.

OpenClaw's own VirusTotal integration announcement from February 2026 acknowledged this: a skill that uses natural language to instruct an agent to do something malicious will not trigger a virus signature.

The updated numbers

Koi Security's initial scan covered 2,857 skills and found 341 malicious ones. Since then, ClawHub has grown to 10,700+ skills. Koi's updated scans now show 824 malicious skills in the ClawHavoc campaign category.

Adding our 93 behavioral threats that exist in different skills (some overlap possible, but different detection methodology), the combined picture is: roughly 900+ skills on ClawHub carry some form of threat. Out of 10,700. That is close to 10%.

But the distribution matters. ClawHavoc skills were concentrated in cryptocurrency and wallet automation categories. Behavioral threats are spread across legitimate-seeming productivity, developer tools, and business automation categories.

What this means for hosting providers

If you run an OpenClaw hosting platform, you need two separate detection layers:

Layer 1: Known malicious skill detection. Clawdex from Koi Security maintains a database of confirmed malicious skills from the ClawHavoc campaign. This catches the coordinated binary malware attacks.

Layer 2: Behavioral analysis for instruction-layer threats. SkillScan scans the SKILL.md content itself for behavioral patterns. This catches the quieter threats that look completely legitimate to every existing scanner.

Missing either layer leaves a gap. The ClawHavoc campaign is well-documented now. The behavioral threat layer is not.

Try the scanner

Public dataset of all flagged skills: clawhub-scanner.chitacloud.dev/api/report

Pre-install API for hosting provider integration: skillscan.chitacloud.dev/hosting

Free trial (7 days, unlimited scans): skillscan.chitacloud.dev/trial

Questions: [email protected]