Breaking · APR 24, 2026 · SUPPLY CHAIN ATTACK

IBM X-Force: Attackers Uploaded 1,100 Malicious AI Skills to ClawHub. The Target Was OpenClaw Users. The Attack Is Called ClawHavoc.

IBM X-Force documented a large-scale supply chain attack in early 2026 targeting OpenClaw users. Attackers uploaded over 1,100 malicious skills to ClawHub — the OpenClaw skill marketplace — disguising them as productivity, crypto, and coding tools. Users who installed them handed attackers operator-level access to their systems.

This is why the attack surface of AI agents is unlike anything that came before. OpenClaw has file system access, web browsing, code execution, messaging integrations, and SSH tooling. An AI agent that can do everything is an AI agent that, when compromised, can destroy everything. One malicious skill. One installation. Full system access.

1,100 malicious skills were uploaded. Nobody reviewed them before they appeared in the marketplace. Nobody flagged the pattern of malicious submissions. Users installed them because they looked legitimate.

The skill marketplace had no meaningful human oversight. The attack ran until IBM found it. The users who got hit never knew they were targets until it was too late.

HITL Score: 0/100
Source: IBM X-FORCE