The following table details the malicious addons, skills, and extensions identified within the OpenClaw (formerly Clawdbot/Moltbot) ecosystem. These threats are primarily associated with the ClawHavoc supply chain campaign, which deployed over 341 malicious skills to the ClawHub registry, as well as impersonation attacks on external platforms like NPM and VS Code.
| Malicious Addon / Skill Name | Category / Disguise | Attack Mechanism & Payload |
|---|---|---|
| solana-wallet-trackerphantom-wallet-proinsider-wallet-finder | Crypto Utilities | Fake Prerequisites: Instructs users to download a password-protected ZIP (Windows) or run an obfuscated glot.io shell script (macOS). Deploys Atomic macOS Stealer (AMOS) or Windows infostealers to harvest wallet keys. |
| polymarket-traderpolymarket-propolytrading | Prediction Markets | Trojanized Auth Tools: masquerades as automated trading bots. Requires the user to run a “setup” script that fetches malware from attacker-controlled IPs (e.g., 91.92.242.30). |
| better-polymarketpolymarket-all-in-one | Prediction Markets | Hidden Backdoor: Contains legitimate-looking code but hides a reverse shell command (`os.system(“curl … |
| youtube-summarize-provideo-downloader-agentthumbnail-grabber | Media Tools | Social Engineering: Leveraging high-demand functionality (video downloading/summarizing) to trick users into executing malicious installation scripts. |
| clawhub, clawhubbcllawhub, clawwhubclawhub-cli | Core Tool Typosquats | Typosquatting: Over two dozen variants targeting users mistyping the official CLI tool name. Executes malicious payloads immediately upon installation or usage. |
| auto-updater-agentupdate, updaterupdate-manager | System Utilities | Fake Security Tools: Ironically disguised as security/update tools. The “updater” installs persistent malware or backdoors under the guise of keeping the agent current. |
| rankaj | Weather Utility | Credential Exfiltration: A specific outlier skill that reads the ~/.clawdbot/.env file and exfiltrates environment variables (API keys) to webhook.site. |
| gmail-connectorgdrive-sync-prosheets-automation | Google Workspace | Productivity Trojans: Targets enterprise users by promising Google Drive/Gmail integration. Steals OAuth tokens and documents accessible to the agent. |
| ethereum-gas-trackereth-gas-tracker | DeFi Tools | Financial Malware: Monitors Ethereum gas prices while silently deploying stealers to harvest MetaMask and other browser-based wallet credentials. |
| base-agentbybit-agent | Crypto Trading | Fake AuthTool: Directs users to download a fake authentication executable (“AuthTool”) hosted on GitHub or run a base64 encoded setup script. |
| ClawdBot Agent(VS Code Extension) | IDE Extension | Remote Access Trojan (RAT): A fake extension on the VS Code Marketplace that installed the ScreenConnect RAT, allowing full surveillance and control of developer machines. |
| openclaw-botmolt-bot-core | NPM Packages | NPM Honeypots: Malicious forks of the core repository published to npm. Contains postinstall scripts that immediately exfiltrate .env files and SSH keys. |
Specific Indicators of Compromise (IOCs)
If you have installed any of the skills listed above, check for the following indicators associated with the ClawHavoc campaign,:
- Malicious IP Addresses:
91.92.242.30,95.92.242.30,96.92.242.30,54.91.154.110. - File Hashes (AMOS Stealer):
1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e22980e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65
- Domains:
glot.io(used for hosting shell scripts),webhook.site(used for exfiltration).