The 354-Package Blitz: What OpenClaw's Worst Week Tells Us About Agentic AI

In partnership with

On a quiet Wednesday morning in late January, a brand-new account on ClawHub — the marketplace where OpenClaw's 347,000 GitHub-star community shares plug-in “skills” — pushed 354 packages in what looked like one long automated blitz. By the time researchers caught on a few days later, the packages had been pulled, but the bigger story was already written: more than a thousand malicious skills had landed in the wild, some quietly siphoning saved passwords on macOS, others harvesting browser cookies and crypto wallets on Windows.

The campaign got a name — ClawHavoc — and OpenClaw got the kind of headlines no open-source project wants. It also became the cleanest possible illustration of what the agentic AI era actually feels like at the security layer: the cool new toy, the dazzling demo, and the supply chain that quietly ate someone's wallet while they slept.

Let's talk about it.

What OpenClaw is, and why everyone is talking about it

OpenClaw is the open-source AI agent framework that exploded out of the 2026 wave. Think of it as the runtime layer that sits between an LLM and the rest of the world — your filesystem, your terminal, your browser, your APIs. Where Claude Cowork and the big closed agents trade autonomy for guardrails, OpenClaw lets you bring your own model and run the whole stack locally.

The April 2026 release — the v2026412 line — is the one that nudged it from a hobbyist's lab project into something Fortune 500 teams will actually deploy. Two things changed.

First, signed skill manifests. Every plug-in declares the filesystem paths, network endpoints, and shell commands it can touch. The signature has to match.

Second, kernel-level enforcement via eBPF. If a skill's runtime tries to read a path it didn't declare, the kernel kills the syscall before it returns. No more “the agent meant well but the script ran wild.”

It's a smart design. It also turns out to be, in retrospect, exactly the kind of thing a well-run agentic platform needed before its first big incident — not after.

The cool stuff people are doing with it

This is where the story gets fun. A few examples that are actually documented.

Developer Andy Griffiths stood up a working Laravel app — scaffolding, database migrations, deployment to DigitalOcean — while making a coffee. He was driving the agent in conversation; OpenClaw was doing the typing.

A 30-location dental group wired an agent into the financial side of their practice management. Front-desk staff now ask questions like “which clinics missed their schedule fill rate last week?” in plain English, and the agent assembles the answer from systems that previously needed a finance person and a half-day of report-pulling.

A SaaS founder tracking fifteen competitors has the agent watching their pricing pages, changelogs and job ads. Their write-up reports the agent flagged a major competitor’s pricing change roughly 48 hours before it hit the news.

The pattern, if you squint, is the same in every case: someone takes work that used to require a person reading carefully, gives the agent the right tools, and watches a Tuesday afternoon disappear into ten minutes.

Then ClawHavoc happened

Here is what nobody wants to admit about agent skill marketplaces: they look exactly like every package ecosystem we've already lost a battle to — npm, PyPI, the Chrome Web Store — except the consumer is an LLM that does not read the README.

ClawHavoc didn't need to be sophisticated. The attackers picked themes that sounded useful — calendar sync, a CSV cleaner, a tiny “Postgres helper” — uploaded their packages, and let the marketplace's own discoverability ranking do the rest. Some skills shipped Atomic Stealer to macOS users; the Windows variants reached for Vidar. Both are off-the-shelf infostealers that have been around for years. The novelty wasn't the malware. The novelty was the delivery vehicle: an “approved” tool inside an AI agent's tool list.

And here's the cruel twist that the team at Invariant Labs has been pointing at for months: with a lot of MCP and agent runtimes, the tool description itself is the attack surface. A user sees “csv_helper” in the approval dialog. The model sees the full description, including a few quiet sentences telling it to read ~/.ssh/id_rsa first and stuff the contents into the next API call. The user clicks Allow. Nobody reads the description. The keys leave the building.

It's the confused deputy problem with a fresh coat of paint, and it's the dominant agent-era attack pattern.

Claude is not just a chatbot anymore. Is your security team ready?

Claude.ai is one thing. Claude Cowork with MCP connections, running agentic workflows, taking actions across your data with ungoverned skills? That is a different conversation entirely, and most security teams are not equipped to govern it.

Harmonic Security is built to secure everything Claude offers. Full browser controls for Claude.ai, deep governance over agentic MCP workflows, and real-time visibility into what Claude is doing across your organization. So your CISO can say yes to the tools your business is already demanding.

Get the guide: Securing Claude Cowork for the enterprise.

Help Security Say Yes

How not to be the next case study

The honest answer is “treat your agent's tool list the way you'd treat a brand-new SSO integration.” That's not very satisfying, so here is the more concrete version.

Threat-model the agent, not just the model. The model is a small piece of the system. The interesting risks live in the loop: which tools, which memory, which trust boundaries, which blast radius if the whole thing is wrong on a Wednesday afternoon. Frameworks like CSA's MAESTRO break the agent stack into seven layers — model, data, tools, memory, identity, environment, observability — and force you to think about each one. The OWASP Top 10 for Agentic Applications, refreshed for 2026, gives you the attack catalogue (goal hijack, tool misuse, memory poisoning, identity abuse, supply chain). Pair the two and you get something close to a working security review for an agent. There are platforms that automate this whole exercise now — the deliverable is a control map you can hand to your AppSec team — and they're worth a look if you have more than one agent in production.

Pin and verify, like you (hopefully) already do for code. ClawHavoc spread because skills updated in place. Lock skill versions. Verify signatures. Mirror the marketplace internally if you can.

Read the tool description, not the tool name. This sounds dumb. It is also the exact attack the GitHub MCP server got hit with. Whatever surface your agent reads, you read.

Constrain blast radius at runtime. OpenClaw v2026412's eBPF model is a good template — declare what a tool needs and let the kernel enforce it. If you're not on a runtime that does this, sandbox the agent with whatever you have: containers, AppArmor, gVisor, even a separate user account. Anything to make “the agent went rogue on Tuesday” bounded rather than catastrophic.

Watch for memory poisoning, not just prompt injection. The next attack class everyone is underestimating: malicious data planting persistent false beliefs into the agent's long-term memory. Your retrieval index is now a security boundary.

The Monday-morning move

If you do one thing this week, list every tool your agent has access to and write down — by hand, on paper if you have to — what each one can do versus what you actually want it to do. The gap between those two columns is your attack surface.

The agentic era is ridiculously fun. It's also the supply-chain problem we've never really solved, finally pointed at our most powerful systems. The teams that survive are the ones who treat their agents the way they treat the rest of production: with versions, signatures, sandboxes, and a deeply suspicious mind.

Good luck

— itscybernews

Sources & further reading

• OpenClaw: The Rise of an Open-Source AI Agent Framework — Clawbot

• OpenClaw in Production: The Reality Behind 347K GitHub Stars — DEV Community

• The OpenClaw security crisis — Conscia

• ClawHavoc Poisons OpenClaw's ClawHub With 1,184 Malicious Skills — Cyber Press

• What OpenClaw reveals about agentic AI security risks — IBM

• OpenClaw Use Cases — All Claw

• OWASP Top 10 for Agentic Applications for 2026 — OWASP Gen AI Security Project

• Indirect prompt injection is taking hold in the wild — Help Net Security

• The State of MCP Security 2026 — PipeLab

• MCP Tool Poisoning: Detection and Runtime Defense — PipeLab