OpenClaw widens reach amid CVE-2026-25253 exploit chain

OpenClaw ClawHub found 1,184 malicious skills stealing keys and wallets

According to OpenClaw’s ClawHub Marketplace, 1,184 malicious skills were identified, including variants designed to steal SSH keys, exfiltrate API tokens, and encrypt cryptocurrency wallets. The finding underscores how community-distributed skills can rapidly expand the attack surface when documentation persuades users to run unvetted commands.

Koi Security reported 341 malicious skills in an audit of 2,857 listings, with a coordinated “ClawHavoc” campaign contributing 335 of them and distributing Atomic Stealer under the guise of productivity tools. Their review noted a low publisher bar, such as newly created GitHub accounts, helping explain the scale.

Taken together, the marketplace tally and independent audits indicate a broad spectrum of exposure, from developer credentials to wallet seed material. The mechanics rely less on novel exploits and more on social engineering embedded in skill instructions.

Why this matters: credential theft, wallet encryption, API key exposure

Credential compromise can cascade across infrastructure, allowing lateral movement via stolen SSH keys, cloud tokens, or CI secrets. Wallet-targeting payloads can encrypt or drain funds, with recovery often impossible once seed phrases are exposed.

Because many skills are instructions packaged as Markdown, attackers can prompt users to copy terminal commands that fetch or execute hidden payloads. That makes prevention as much about verification and operational hygiene as patching.

“OpenClaw is a security dumpster fire,” said Laurie Voss, former npm CTO, emphasizing the compounded risks from credential theft and marketplace-borne malware.

Near-term risk reduction typically includes migrating to the patched release described below, removing untrusted skills, and validating configuration hardening. Organizations commonly mitigate by rotating secrets and reissuing access tokens used on affected hosts.

High-risk items include SSH private keys, cloud and SaaS API keys, and any wallet seed or keystore material present on systems where community skills executed. Treat recent installations as potential security incidents and preserve logs for review.

Verification steps often include checking publisher trust signals, confirming hashes for any downloaded scripts, and quarantining machines that executed unknown commands from skill documentation. Temporarily pausing skill auto-updates can help stabilize inventories during investigations.

CVE-2026-25253 and Atomic Stealer: what to know

Patch status, affected versions, remaining exposure

As reported by SecurityWeek, CVE-2026-25253 enables one‑click remote code execution by abusing token exfiltration, affecting OpenClaw through v2026.1.24-1 and patched in v2026.1.29 on January 30, 2026. The report notes that unpatched or misconfigured instances remain at risk despite the fix.

1Password and Snyk guidance for safer skill installation

The guidance highlights that OpenClaw skills are delivered as Markdown and can hide “run this command” steps that install tools like Atomic Stealer, which harvest SSH keys, API keys, browser credentials, and seed phrases. It emphasizes installing only from vetted publishers, verifying scripts before execution, and treating any unexpected credential prompts as suspect.

At the time of this writing, Bitcoin (BTC) traded around $67,403, based on the provided metrics. This context underscores why wallet and credential theft remains financially attractive to adversaries.

FAQ about OpenClaw ClawHub malicious skills

Am I affected by CVE-2026-25253 and how do I update OpenClaw to a safe version?

Instances up to v2026.1.24-1 are affected. Update to v2026.1.29 or later, confirm successful deployment, and review exposure from any community skills installed pre‑patch.

What is Atomic Stealer and which ClawHub skills or campaigns are distributing it?

Atomic Stealer is credential-harvesting malware. Koi Security linked it to the ClawHavoc campaign, which embedded it in seemingly benign productivity skills.