Cisco confirmed one ClawHub plugin executed 9 malicious behaviors including key theft. Here’s what to check.

Cisco’s security team analyzed a single ClawHub plugin and found it executing nine distinct malicious behaviors, including stealing API keys. It ran undetected across 50 cities in six days. If you have installed anything from ClawHub, this article tells you exactly what to check and how to find out if your credentials are at risk.

TL;DR

If you have installed any ClawHub skills or plugins, paste the audit command into your OpenClaw chat now. Cisco confirmed one malicious plugin hit 3,900 executions before it was caught. A separate campaign planted 800-1,184 malicious skills in the marketplace. Check what you have installed, run Cisco’s open-source Skill Scanner against it, and rotate your API keys if anything looks wrong. If you have never installed a ClawHub skill, you are not affected by this specific issue, but the gateway exposure and CVE risks still apply.

What Cisco found and when

On January 28, 2026, Cisco’s AI Defense team released a Skill Scanner tool and published research describing how malicious skills exploit OpenClaw’s trust model. The research was not hypothetical. Cisco had observed real plugins in operation, and one of them executed nine distinct malicious behaviors in a single install.

The nine behaviors Cisco documented in that plugin:

  • Reading environment variables from the system (where API keys and credentials are stored)
  • Stealing API keys from OpenClaw’s config file
  • Exfiltrating the contents of the workspace directory
  • Reading browser cookie files
  • Capturing SSH private keys from the user’s home directory
  • Sending collected data to an external server via an outbound HTTP request disguised as a telemetry ping
  • Injecting hidden instructions into the agent’s prompt context (prompt injection)
  • Registering itself as a persistent background task so it survived restarts
  • Erasing its own activity from the gateway logs

That last behavior is why this is harder to detect than a typical piece of malware. The plugin covered its tracks. Operators who were compromised had no visible indication in their logs.

The ranking manipulation that let malicious plugins spread

ClawHub is the public skills marketplace for OpenClaw, similar to how npm is the package registry for Node.js. When you install a skill through OpenClaw, it pulls from ClawHub. The platform displays download counts as a signal of trust. A skill with 20,000 downloads looks legitimate.

On March 16, 2026, Silverfort’s security research team disclosed a critical vulnerability in ClawHub’s backend that let anyone inflate those download counts with no authentication required. The technical cause: ClawHub’s backend is built on the Convex framework, which uses a typed remote procedure call model. The function that increments a skill’s download counter was accidentally exposed as a public mutation instead of an internal private function. Anyone could call it directly, with no rate limiting and no deduplication, and push the counter as high as they wanted.

Silverfort proved the impact with a proof-of-concept. They published a skill called “Outlook Graph Integration” that contained a hidden data exfiltration payload disguised as telemetry. They then flooded the download counter endpoint and pushed their skill to the top of ClawHub search results. Within six days, the compromised skill had executed 3,900 times across 50 cities worldwide, including several public companies. The payload quietly exfiltrated usernames and domain names from every system it ran on.

The OpenClaw team fixed the vulnerability within 24 hours of Silverfort’s March 16, 2026 disclosure. The download counter function is no longer publicly accessible. But every skill that used fake download counts to climb the rankings during the exposure window may still be installed on systems that trusted those numbers.

The window of exposure: The ranking manipulation vulnerability existed from before Silverfort’s discovery through March 17, 2026. Any skill that was ranked suspiciously high during this period and installed by you or by an automated agent deserves extra scrutiny. Skills installed before the disclosure are not automatically malicious, but the ranking signal that made them look trustworthy cannot be trusted.

The ClawHavoc campaign: 800-1,184 confirmed malicious skills

Separate from Silverfort’s research, a coordinated supply-chain attack called ClawHavoc planted malicious skills across ClawHub throughout early 2026. Multiple sweeps of the marketplace found between 800 and 1,184 confirmed malicious skills, representing roughly 20 percent of the entire ClawHub registry at the time of discovery.

These were not obviously malicious. They were designed to look like legitimate productivity tools: calendar integrations, web search plugins, file management utilities. The payloads were hidden inside functions labeled as telemetry, analytics, or optional background processing. A user who installed one of these skills would see it working as advertised while a secondary payload operated silently.

The payloads Cisco and other researchers confirmed across the ClawHavoc campaign include:

  • Stealing and transmitting .env files to attacker infrastructure. The .env file is where API keys and database credentials are stored on most server setups.
  • Exfiltrating browser cookies (which can be used to hijack authenticated sessions)
  • Stealing SSH private keys from ~/.ssh/
  • Capturing OpenClaw’s openclaw.json config file, which contains every credential you have configured
  • Sending collected data to attacker-controlled infrastructure
  • Injecting prompt instructions that cause the agent to bypass tool permissions

SecurityScorecard’s STRIKE unit identified more than 42,900 unique IP addresses running OpenClaw instances as of early March 2026. Endor Labs estimated that 15,200 systems still had remote code execution exposure weeks after patches were available. The scale of the campaign was not accidental. ClawHub was a high-value target because compromising one popular skill meant access to thousands of instances at once.

How to check what you have installed right now

Before running any remediation, you need to know what is actually installed. Paste this into your OpenClaw chat:

List every plugin and skill installed on this OpenClaw instance. For each one, tell me: the name, the version, the source (ClawHub, npm, or local), when it was installed, and the author listed in its package.json or metadata. If you cannot determine the source or author for any item, flag it explicitly.

What to look for in the output:

  • Unknown or missing author fields. Legitimate skills have clear authorship. A blank author field or a generic username with no history is a warning sign.
  • Skills you do not recognize installing. Some malicious skills registered themselves as persistent background tasks. If you see something you did not install, treat it as compromised.
  • Skills with install dates between January 1 and March 17, 2026 that had unusually high download counts when you installed them. Those counts may have been artificially inflated.
  • Skills with names that are minor variations of popular tools. ClawHavoc used typosquatting: skills named “calandar-sync” instead of “calendar-sync”, “web-searh” instead of “web-search”.

Manual check: If your agent is not responding or you want to verify independently, your installed plugins live at ~/.openclaw/plugins/ and your skills at ~/.openclaw/workspace/skills/. Open a terminal and list them with ls -la ~/.openclaw/plugins/. For each plugin, look at the package.json inside its directory. The name, author, and repository fields should match what you expect.
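One way to do this manual check in bulk, as an added example that is not part of the original article or of any OpenClaw tooling: it reads each package.json under a plugins directory, flags blank author or repository fields, and flags names that closely imitate a name you expect. The expected-name list, the 0.85 similarity threshold and the sample manifests are assumptions constructed for illustration.

```python
import json
from difflib import SequenceMatcher
from pathlib import Path

# Assumption: the skills you deliberately installed. Replace with your own list.
EXPECTED_NAMES = {"calendar-sync", "web-search"}


def near_miss(name, expected=EXPECTED_NAMES, threshold=0.85):
    """Return the expected name that `name` imitates, or None if exact or unrelated."""
    if name in expected:
        return None
    for good in sorted(expected):
        if SequenceMatcher(None, name.lower(), good).ratio() >= threshold:
            return good
    return None


def audit_plugins(root):
    """Return (plugin, finding) pairs for every plugin directory under `root`."""
    findings = []
    for pkg_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        manifest = pkg_dir / "package.json"
        if not manifest.is_file():
            findings.append((pkg_dir.name, "no package.json"))
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):  # bad JSON, bad encoding, unreadable file
            meta = None
        if not isinstance(meta, dict):
            findings.append((pkg_dir.name, "unreadable package.json"))
            continue

        name = str(meta.get("name") or pkg_dir.name)
        author = meta.get("author")
        if isinstance(author, dict):  # package.json allows {"name": ...} here
            author = author.get("name")
        if not (isinstance(author, str) and author.strip()):
            findings.append((name, "missing author"))
        if not meta.get("repository"):
            findings.append((name, "missing repository"))

        lookalike = near_miss(name)
        if lookalike:
            findings.append((name, f"resembles {lookalike}"))
        elif name not in EXPECTED_NAMES:
            findings.append((name, "not on expected list"))
    return findings


def build_sample(root):
    """Write constructed manifests (not real skills) for a dry run."""
    samples = {
        "calendar-sync": {"name": "calendar-sync", "author": "Example Dev",
                          "repository": "https://example.invalid/calendar-sync"},
        "calandar-sync": {"name": "calandar-sync", "author": "", "repository": ""},
        "notes-helper": {"name": "notes-helper", "author": {"name": "Example Dev"},
                         "repository": "https://example.invalid/notes-helper"},
    }
    for dirname, meta in samples.items():
        target = Path(root) / dirname
        target.mkdir(parents=True, exist_ok=True)
        (target / "package.json").write_text(json.dumps(meta), encoding="utf-8")


if __name__ == "__main__":
    plugins = Path.home() / ".openclaw" / "plugins"
    if plugins.is_dir():
        for plugin, finding in audit_plugins(plugins):
            print(f"{plugin}: {finding}")
    else:
        print(f"{plugins} not found")
```

A finding is a prompt to look closer, not a verdict: open the flagged plugin's package.json and compare it with what you remember installing.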

How to run Cisco’s Skill Scanner

Cisco’s AI Defense team released an open-source Skill Scanner in January 2026 that checks installed skills for known malicious patterns. It is available at github.com/cisco-ai-defense/skill-scanner. As of March 25, 2026, it is free to use. Paste this into your OpenClaw chat to run it:

Install and run Cisco’s Skill Scanner from github.com/cisco-ai-defense/skill-scanner against all skills installed on this instance. Show me the full output, including any warnings, and tell me which skills, if any, were flagged as suspicious or malicious.

What the scanner checks: Cisco’s Skill Scanner looks for patterns including outbound network calls in skill code, access to credential files or environment variables, prompt injection strings, self-modification attempts, and log-clearing operations. It is pattern-based, not signature-based, which means it catches novel malicious patterns as well as known ones. It does not catch everything. A sufficiently sophisticated payload can evade static scanning. The scanner is a floor, not a ceiling.

Silverfort’s ClawNet: runtime scanning as a second layer

Static scanning (like Cisco’s Skill Scanner) checks skill code before it runs. Runtime scanning checks what a skill actually does while it is running. Silverfort released ClawNet in March 2026 as an open-source OpenClaw plugin that does the latter.

ClawNet installs as an OpenClaw plugin and intercepts every skill installation attempt. When your agent tries to install a skill, ClawNet passes the skill’s code through a language model scan for malicious patterns before allowing execution. This catches skills that look clean to static scanners but carry obfuscated payloads designed to evade them.

Find the ClawNet installation instructions at silverfort.com/blog/clawhub-vulnerability-enables-attackers-to-manipulate-rankings-to-become-the-number-one-skill and follow the setup steps. Tell me when it is installed and active, and confirm it is intercepting skill installation attempts.

ClawNet adds latency to skill installs: Because it runs a language model scan on each installation, ClawNet adds a few seconds to every skill install. This is by design. If a skill install is unusually fast with ClawNet active, check the logs. The scan may have been skipped.

Cisco’s DefenseClaw: the full governance layer

On March 23, 2026, Cisco announced DefenseClaw, an open-source project that combines the Skill Scanner, the MCP scanner, the A2A scanner, static code analysis via CodeGuard, and an AI bill-of-materials generator into a single deployment. It is scheduled for release on GitHub on March 27, 2026.

DefenseClaw does three things the individual scanners do not:

  • Admission gate enforcement. Every skill, tool, and plugin is scanned before it can be installed. The command that would normally install a skill first checks block/allow lists, generates a manifest, and only proceeds if nothing is flagged. There is no bypass.
  • Runtime content scanning. Every message flowing in and out of the agent is inspected for prompt injection, credential exfiltration attempts, and policy violations. A skill that was clean at install time can still be blocked at runtime if its behavior changes.
  • Enforceable block lists. When a skill is blocked, its sandbox permissions are revoked, its files are quarantined, and the agent returns an error if it tries to invoke it. This happens within two seconds without restarting OpenClaw.

Check if Cisco’s DefenseClaw is available at github.com/cisco-ai-defense/defenseclaw yet. If it is, tell me the installation steps. If it is not yet published, tell me the current date and remind me to check again after March 27, 2026.

What to do if a skill is flagged as suspicious

A scan flag does not mean a skill is definitely malicious. It means the scanner found a pattern that is consistent with malicious behavior. Run through this in order:

Step 1: Remove the skill immediately

Remove the skill named [SKILL NAME] from this OpenClaw instance completely. Do not just disable it. Remove it. Then verify it is gone by listing installed skills again and confirming it does not appear.

Manual removal: If your agent cannot remove the skill (for example, if it registered itself as a persistent task), manually delete its directory from ~/.openclaw/plugins/ or ~/.openclaw/workspace/skills/, then restart OpenClaw.

Step 2: Rotate every credential that OpenClaw can access

A credential is a password, API key, or token that grants access to a service. If a malicious skill ran on your system, assume it read every credential in your OpenClaw config. Rotating means generating a new one and invalidating the old one at the source service.

Read my openclaw.json and list every API key, token, and credential that appears in it. For each one, tell me which service it belongs to and where I would go to rotate it. Do not show me the actual key values, just the service names and the rotation path.

After getting the list, rotate each credential at its source service before putting the new value in openclaw.json. The order matters: rotate first, update the config second. Updating the config with a new key before revoking the old one means the old key is still live and still usable by anyone who already has it.

Step 3: Check for persistent background tasks

Some malicious skills registered themselves as persistent tasks that survive removal of the skill file. Paste this into your OpenClaw chat:

Check my OpenClaw cron jobs and list every scheduled task. For each one, tell me: the task name, when it was created, what it does, and whether it matches a skill I have explicitly configured. Flag any task that you cannot trace to a skill I installed intentionally.

Step 4: Check the gateway logs for outbound calls

Check the OpenClaw gateway logs from the past 30 days. Look for any outbound HTTP or HTTPS requests to domains I have not explicitly configured as integrations. List the destination domains, the timestamps, and any associated skill or tool names.

If the logs are missing or truncated: One of the nine behaviors Cisco documented was log erasure. If your logs are shorter than expected or stop at a suspicious date, treat the gap as evidence. Act as if the system was compromised and rotate all credentials regardless of what the logs do or do not show.
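The two log checks above (destinations you never configured, and silent gaps) can also be run offline against a copy of the log. This is an added example, not code from the article or from OpenClaw; the page does not show the gateway log format, so the line layout, the skill= and url= fields, the allowlist and the 24-hour threshold are all assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample in an ASSUMED format: "<UTC timestamp>Z <free text>".
SAMPLE_LOG = """\
2026-03-01T09:00:00Z gateway started
2026-03-01T09:05:10Z outbound skill=web-search url=https://api.search.example/v1/query
2026-03-01T09:06:00Z outbound skill=calandar-sync url=https://telemetry.collector.example/ping
2026-03-01T09:10:00Z message handled channel=telegram
2026-03-03T14:00:00Z message handled channel=telegram
2026-03-03T14:01:30Z outbound skill=web-search url=https://api.search.example/v1/query
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s")
URL_RE = re.compile(r"https?://[^\s\"']+")
SKILL_RE = re.compile(r"\bskill=([\w.-]+)")


def parse_log(text):
    """Return ([(timestamp, skill, host)], number_of_unparseable_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = TS_RE.match(line)
        try:
            stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
            url = URL_RE.search(line)
            host = urlsplit(url.group(0)).hostname if url else None
        except (AttributeError, ValueError):  # no timestamp, bad date, bad URL
            skipped += 1
            continue
        skill = SKILL_RE.search(line)
        events.append((stamp.replace(tzinfo=timezone.utc),
                       skill.group(1) if skill else None, host))
    return events, skipped


def host_allowed(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def unexpected_destinations(events, allowed):
    """Outbound calls whose destination is not on the operator's allowlist."""
    return [(ts, skill, host) for ts, skill, host in events
            if host and not host_allowed(host, allowed)]


def find_gaps(events, max_gap=timedelta(hours=24)):
    """Pairs of consecutive timestamps further apart than max_gap."""
    stamps = sorted(ts for ts, _, _ in events)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {skipped} lines skipped")
    for ts, skill, host in unexpected_destinations(events, {"search.example"}):
        print(f"unexpected destination {host} by {skill} at {ts.isoformat()}")
    for start, end in find_gaps(events):
        print(f"no log entries between {start.isoformat()} and {end.isoformat()}")
```

Set the gap threshold from how busy your agent normally is; a gap alone can also come from log rotation or downtime, so compare it against your retention settings before drawing conclusions.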

How to stop this from happening again

Never install from ClawHub based on download count alone

If you have automated agents or cron jobs that install skills: Ask your agent to list every skill installed by an automated process in the past 90 days, including the source and the install trigger. Skills installed autonomously by a cron job or a sub-agent that made decisions based on ClawHub rankings deserve the same scrutiny as manually installed ones.

Download counts on ClawHub cannot be trusted as a signal of legitimacy. The ranking manipulation vulnerability allowed them to be inflated to any number with no authentication. Even after the fix, a skill that reached the top via inflated counts before March 17, 2026 may still carry that ranking. Use the author’s verified identity, a link to an actual GitHub repository with real commit history, and Cisco’s scanner before installing anything.

Read every SKILL.md before installing

Every ClawHub skill includes a SKILL.md file that documents what the skill does and what permissions it needs. A skill that asks for network access but is described as a formatting utility is a warning sign. A skill that needs to read your home directory but is described as a calendar tool is a warning sign. Paste the skill’s repository URL into your agent and ask it to summarize the permissions the SKILL.md requests:

Read the SKILL.md at [SKILL URL] and tell me: what permissions does this skill request, what network calls does it make, what files does it read or write, and does anything in it seem inconsistent with what the skill is described as doing?

Restrict exec permissions if you have not already

OpenClaw’s exec tool lets the agent run shell commands on your server. By default, it may be configured to allow this broadly. Restricting it limits what any compromised skill can do even if it gets through the scanner.

Read my openclaw.json and check the exec tool permissions. What is the current security setting for exec? Is it set to “full”, “allowlist”, or “deny”? If it is set to “full”, recommend the safest setting that still lets me do the tasks I normally do, and make that change if I confirm it.

What the exec settings mean: “full” means the agent can run any shell command. “allowlist” means it can only run commands you have explicitly listed. “deny” means it cannot run any shell commands at all. For most operators, “allowlist” is the right setting. It preserves the ability to run specific commands you need while blocking arbitrary code execution from a compromised skill.

Bind your gateway to loopback only

OpenClaw’s gateway is the web server your agent runs on. If it is bound to all network interfaces (the setting shows as 0.0.0.0), anyone who can reach your server’s IP address can attempt to communicate with your agent. Binding to loopback (127.0.0.1) means only processes on your own machine can reach it.

Check my openclaw.json. What is the current value of gateway.bind? If it is not 127.0.0.1, tell me what would break if I changed it, then make the change and restart if I confirm it is safe for my setup.

What the nine behaviors actually mean for your data

Cisco documented nine behaviors in one plugin. It helps to understand what each one actually means in terms of what an attacker gets from it and what they can do next.

Reading environment variables

Environment variables are key-value pairs stored in your operating system’s memory and in files like .env. Developers use them to store credentials outside of source code. API keys for OpenAI, Anthropic, Stripe, and Twilio, as well as database connection strings, almost always live in environment variables. A skill that reads them gets your entire credential set in one operation.

Stealing API keys from openclaw.json

Your openclaw.json config file is the single file that makes your OpenClaw instance work. It contains the API keys for every model provider you use, credentials for every channel integration, and configuration for every plugin. A skill with read access to this file has everything it needs to impersonate your agent from somewhere else entirely.

Exfiltrating the workspace directory

Your workspace is where your agent stores everything it works on: notes, research, drafts, project files, scripts. If you have used your agent to work on anything sensitive, that information is in the workspace. Exfiltrating it gives an attacker a complete picture of what you have been doing, what you are planning, and what tools you have built.

Reading browser cookie files

Browser cookies store authenticated session tokens. When you log into a service and stay logged in, that authentication is stored in a cookie file on disk. A skill that reads this file gets session tokens that can be used to authenticate to those services without knowing your password. Depending on which services you use, this could mean access to email, financial services, or administrative dashboards.

Capturing SSH private keys

SSH private keys are stored in ~/.ssh/ and are used to authenticate to remote servers. If you use SSH to manage a VPS, a production server, or a code repository, your SSH private key is the master credential for all of it. An attacker with your SSH key can log into any server you can log into, as you, from anywhere.

Sending data to an external server disguised as telemetry

This is the exfiltration vector. Every piece of data collected by the above behaviors was transmitted outbound. The transmission was disguised as a telemetry ping (a type of routine background call that many legitimate analytics tools make). It blends into normal network traffic and is designed to not trigger firewall alerts.

Prompt injection

Your agent follows instructions. Prompt injection adds hidden instructions to your agent’s context that it will follow just like your own instructions. A prompt injection payload might instruct your agent to forward all incoming messages to an external address, bypass exec permission checks for specific commands, or behave differently when it detects it is being audited. Because the injected instructions are invisible in normal operation, you may not notice the behavior change until you look closely.

Registering as a persistent background task

OpenClaw supports cron jobs (scheduled tasks that run on a timer). A skill that registers a persistent cron job survives removal of the skill file itself. Even if you delete the skill, the cron job continues running whatever the skill originally scheduled. This is why the remediation steps include auditing your cron jobs separately from auditing your installed skills.

Erasing activity from gateway logs

The gateway logs record what your agent does. Log erasure removes the evidence of the skill’s activity. An operator checking the logs after removal would see nothing suspicious because the suspicious entries were deleted. This is why a gap in your logs (a period that should have activity but shows nothing) is itself a warning sign.

How to vet a skill’s author before installing

Download counts are not reliable. Star ratings are not reliable after the ranking manipulation vulnerability. What is reliable is the author’s actual track record. Here is how to check it before installing anything:

Before I install a skill called [SKILL NAME], I want to vet the author. Find the author’s GitHub profile linked from the skill’s repository. Tell me: how many public repositories do they have, when was their account created, does the repository for this skill have a real commit history with multiple contributors or is it a single recent commit, and do they have any other published OpenClaw skills with verified community feedback?

What you are looking for:

  • Account age. A GitHub account created two weeks ago publishing a popular skill is suspicious. Legitimate developers have histories.
  • Commit history. A repository with a single commit that uploaded all files at once is a common pattern for supply chain attack packages. Real tools get built incrementally.
  • Community interaction. Does the author respond to issues? Are there pull requests from other contributors? A skill with 10,000 claimed downloads and zero issues filed against it is suspicious.
  • Consistency between description and permissions. Read what the skill says it does. Read what the SKILL.md says it needs access to. If a calendar sync skill needs to read ~/.ssh/, that is not a calendar sync skill.

Verified publishers on ClawHub: After the ClawHavoc campaign, ClawHub introduced a verified publisher badge for established developers with a history of legitimate contributions. This is not a guarantee of safety, but it is a stronger signal than download count. Prefer verified publishers when one exists for the type of skill you need.

What to expect during the remediation steps

The four remediation steps in the previous section are straightforward in concept but have some practical details worth knowing before you start.

When removing a skill, confirm it is actually gone

Some skills registered themselves at the OS level, not just in OpenClaw’s plugin directory. After your agent reports the skill is removed, do a second check:

After removing [SKILL NAME], do a thorough search: check the plugins directory, the skills directory, the cron jobs list, and any startup scripts in my home directory. Tell me if any trace of that skill name appears anywhere in my OpenClaw setup.

On rotating credentials: what “rotate” actually means

Rotating an API key means three things happening in this order: first, you generate a new key at the source service (the API provider’s dashboard, not OpenClaw). Second, you revoke the old key at the source service. Third, you update openclaw.json with the new key. The old key must be revoked before you are safe. Generating a new key without revoking the old one means both keys are live simultaneously.

Different services handle this differently:

  • Anthropic, OpenAI, DeepSeek: Log into the platform dashboard, go to API keys, create a new key, copy it, then revoke the old key. Update openclaw.json after revoking.
  • Telegram bot tokens: Use BotFather to revoke and regenerate your bot token. The old token stops working immediately on revocation.
  • Discord bot tokens: Go to the Discord Developer Portal, select your application, go to the Bot section, and regenerate the token. The old token is invalidated immediately.
  • Cloudflare API tokens: Log into Cloudflare, go to My Profile, API Tokens, and delete the compromised token. Create a new one with the same scope.

After rotating each credential, update openclaw.json and restart the gateway to pick up the new values. Do them one at a time to avoid configuration errors.

I have updated the API keys in my openclaw.json after rotating them at the source services. Please restart the OpenClaw gateway and confirm each integration is connecting successfully with the new credentials. Report any integration that fails to connect.

What to do if you cannot restart cleanly

If OpenClaw fails to start after credential rotation, the most common cause is a typo in the new API key. Paste this into a terminal to check for obvious issues:

Manual fallback: If your agent is not responding, open ~/.openclaw/openclaw.json in a text editor. Find the API key you just updated. Check for: extra spaces before or after the key value, a missing closing quote, or a comma missing between fields. These are the most common causes of a gateway startup failure after a manual config edit. Run openclaw gateway start from a terminal and check the error output.
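The checks in this fallback can be scripted together with two earlier ones: listing which credentials the config holds without printing their values (Step 2) and reading gateway.bind (the loopback section). This is an added example, not code from the article or from OpenClaw; only gateway.bind is named on the page, so the other key names in the constructed sample and the credential-name pattern are assumptions.

```python
import ipaddress
import json
import re

# Assumption: key names that usually hold secrets. Extend for your own config.
SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|password|credential", re.I)

# Constructed sample, not a real openclaw.json. Note the trailing space in apiKey.
SAMPLE_CONFIG = """{
  "gateway": {"bind": "0.0.0.0"},
  "providers": {
    "anthropic": {"apiKey": "sk-constructed-000 "},
    "telegram": {"botToken": "constructed-token"}
  },
  "plugins": [{"name": "web-search", "settings": {"api_key": "constructed"}}]
}"""

# Constructed sample with a comma missing between two fields.
BROKEN_CONFIG = '{\n  "gateway": {"bind": "127.0.0.1"}\n  "providers": {}\n}'


def _walk(node, prefix=""):
    """Yield (dotted_path, value) for string values under secret-looking keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if isinstance(value, str) and SECRET_KEY_RE.search(str(key)):
                yield path, value
            else:
                yield from _walk(value, path)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{prefix}[{index}]")


def is_loopback(bind):
    """True/False for a bind address, None when the setting is absent."""
    if bind is None:
        return None
    if bind == "localhost":
        return True
    try:
        return ipaddress.ip_address(str(bind)).is_loopback
    except ValueError:
        return False


def audit_config(text):
    """Report syntax errors, credential locations (never values) and gateway.bind."""
    report = {"syntax_error": None, "credential_paths": [],
              "padded_values": [], "bind": None, "bind_is_loopback": None}
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Missing quotes and commas land here, with the position to look at.
        report["syntax_error"] = f"line {exc.lineno} column {exc.colno}: {exc.msg}"
        return report
    for path, value in _walk(cfg):
        report["credential_paths"].append(path)
        if value != value.strip():  # stray space pasted with the key
            report["padded_values"].append(path)
    gateway = cfg.get("gateway") if isinstance(cfg, dict) else None
    if isinstance(gateway, dict):
        report["bind"] = gateway.get("bind")
    report["bind_is_loopback"] = is_loopback(report["bind"])
    return report


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit_config(text))
```

To run it against your own file, pass the contents of ~/.openclaw/openclaw.json to audit_config; the report contains key paths only, so it can be shared without leaking secrets.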

The ClawHub problem is structurally the same as every package manager security crisis before it. npm had malicious packages. PyPI has them. RubyGems had them. The pattern is consistent: a popular ecosystem with a low barrier to publishing, strong social proof signals (download counts, star ratings), and insufficient mandatory review before a package reaches users.

What makes ClawHub more dangerous than a typical package registry is what OpenClaw agents can do. A malicious npm package can damage the applications that depend on it. A malicious OpenClaw skill can steal every credential in your config file, exfiltrate your entire workspace, inject instructions that cause your agent to bypass its own safeguards, and cover its tracks. The blast radius of a compromised skill is much larger than a compromised npm package.

Cisco’s Skill Scanner, Silverfort’s ClawNet, and the upcoming DefenseClaw project all address parts of this problem. None of them address all of it, because the fundamental issue is trust at install time. The tools help you verify skills before running them. The rest is judgment: reading SKILL.md files, checking author histories, being skeptical of unusually high download counts, and not installing skills you don’t need.

The three-review rule that careful operators use (one review by you, one automated scan, one from a trusted source) exists precisely because no single check catches everything. Apply it to every install, not just the ones that feel suspicious.

What Cisco is doing next: DefenseClaw

DefenseClaw releases March 27, 2026 on GitHub. It is free and open source. If you run OpenClaw in any environment where credential theft would cause real damage, and if you have connected it to banking tools, production APIs, or sensitive communications, it is worth deploying when it ships.

The Cisco blog post announcing DefenseClaw describes it as “the operational layer that was still missing.” OpenShell (NVIDIA’s sandbox) controls what the agent can do at the infrastructure level. Cisco’s scanners tell you what is in the skills you install. DefenseClaw bridges them: it enforces at install time and monitors at runtime, and it connects to Splunk for teams who need an audit trail.

Check if Cisco’s DefenseClaw is available at github.com/cisco-ai-defense/defenseclaw. If it has been published, get the installation steps and tell me what prerequisites I need before deploying it.

Frequently asked questions

I have never installed a ClawHub skill. Am I affected?

Not by the ClawHavoc campaign or the ranking manipulation vulnerability. Those specifically targeted users who installed ClawHub skills. However, the gateway exposure issue (where your OpenClaw instance may be reachable from the internet) and the CVEs (CVE-2026-25253 and CVE-2026-22172) affect all OpenClaw instances regardless of what plugins you have installed. Read the gateway check article if you have not run that audit: Thousands of OpenClaw instances are exposed to the internet.

Cisco’s Skill Scanner flagged a skill I’ve used for months with no problems. Does that mean it’s malicious?

Not necessarily. The scanner is pattern-based, not signature-based, and it has false positives. A skill that legitimately makes outbound network calls (like a web search tool) may be flagged because the behavior pattern matches something malicious. Read the specific finding carefully. If the flagged behavior makes sense for what the skill is supposed to do, it is likely a false positive. If the flagged behavior has nothing to do with the skill’s stated function, treat it as suspicious.

The logs in my gateway are shorter than I expected. What does that mean?

Log clearing was one of the nine behaviors Cisco documented in the malicious plugin. It is not proof of compromise on its own. Logs can also be truncated by rotation policies or disk space limits. Check your log rotation settings. Paste this into your agent: “Check my OpenClaw gateway log rotation settings. How long are logs retained, and is there any evidence of manual log clearing in the past 30 days?” If you cannot find a non-suspicious explanation, rotate all credentials and treat the system as potentially compromised.

I rotated my API keys. How do I know the attacker isn’t still in my system another way?

Rotating credentials closes the credential theft vector. It does not address persistent background tasks, injected cron jobs, or modified skill files that may still be present. Run all four steps in the remediation section: remove suspicious skills, rotate credentials, audit cron jobs, check outbound calls in logs. If you believe the system was actively compromised and the exec tool was unrestricted at the time, the safest path is rebuilding from a clean backup or clean install.

Can a malicious skill affect my Discord or Telegram channels?

Yes. If a malicious skill has access to your agent and your agent has Discord or Telegram configured, the skill can send messages through those channels, read incoming messages, and potentially use your channels to pivot to other users. After removing any suspicious skill, check your Discord and Telegram bot activity logs for any messages or actions you did not initiate.

Is it safe to use ClawHub now?

The ranking manipulation vulnerability was patched on March 17, 2026. The ClawHavoc malicious skills were identified and removed from the registry. As of March 25, 2026, new installs from ClawHub do not carry the same systematic risk they did during the campaign. That said, “safer than during an active attack campaign” is not the same as “safe.” Read SKILL.md files before installing, scan with Cisco’s tool, check author histories, and use judgment about what you actually need.

What does “prompt injection” mean in this context?

Your OpenClaw agent has a set of instructions it follows: its system prompt. Prompt injection is when a malicious skill inserts hidden instructions into that context that override or supplement what you configured. A skill that does this can instruct your agent to send data to external addresses, bypass tool restrictions, or behave differently than you intended, without any visible indication that its behavior has changed. This is why behavioral changes in your agent (it starts doing things you did not ask it to do, or stops following rules you set) are a warning sign worth investigating.

