ClawHavoc: How 1,184 Malicious AI Agent Skills Are Harvesting Credentials from Financial Sector Employees

A coordinated supply chain attack named ClawHavoc has compromised OpenClaw's ClawHub marketplace with 1,184 malicious AI agent skills — roughly 12% of the entire registry — deploying the AMOS credential stealer against unsuspecting users. For Saudi financial institutions accelerating their adoption of agentic AI workflows, this campaign is a direct and immediate operational threat that demands attention from every CISO and compliance officer in the sector.

The Agentic AI Supply Chain: A New and Largely Unguarded Attack Surface

OpenClaw is one of the leading open-source AI agent frameworks, widely adopted by developers, analysts, and financial services teams who use it to automate workflows — from data analysis and client research to regulatory reporting and threat intelligence aggregation. Its marketplace, ClawHub, allows third-party developers to publish installable "skills" that extend the agent's capabilities, much like browser extensions or app store plugins. That architecture of trust is precisely what ClawHavoc weaponized. Between late January and early February 2026, threat actors systematically uploaded hundreds of skills disguised as legitimate tools — cryptocurrency trackers, YouTube summarizers, Google Workspace integrations, and auto-updaters — each engineered to quietly deploy malware once installed.

How the ClawHavoc Campaign Works: The Anatomy of a Skill-Based Attack

Koi Security researcher Oren Yomtov, using an OpenClaw bot configured for threat analysis, audited all 2,857 skills available on ClawHub and identified 341 confirmed malicious entries — 335 of which were traced to a single coordinated operation now called ClawHavoc. The malicious skills used professional-looking SKILL.md documentation, complete with "Prerequisites" sections instructing users to download password-protected ZIP archives on Windows or execute base64-obfuscated terminal commands on macOS. On macOS, these commands deployed AMOS (Atomic macOS Stealer), a mature Malware-as-a-Service (MaaS) tool sold via Telegram at $1,000/month. On Windows-targeted variants, 39 skills manipulated OpenClaw into installing a fake CLI tool that served as a first-stage loader. The campaign's first malicious skill appeared on January 27, 2026, surging sharply on January 31 before Koi Security reported the threat on February 1 and forced partial removals — though some packages lingered in the registry for days afterward.

What AMOS Steals — and Why Financial Professionals Are High-Value Targets

AMOS is not a crude infostealer. It is a sophisticated credential harvesting platform capable of extracting macOS Keychain contents (where corporate SSO tokens, VPN credentials, and certificate private keys are frequently stored), browser-saved passwords and session cookies across Chrome, Firefox, Edge, and Brave, cryptocurrency wallet private keys and exchange API keys, Telegram session files and chat history, SSH private keys, and arbitrary files from Desktop, Documents, and Downloads folders. For a financial analyst running OpenClaw to automate regulatory filings or a treasury operations manager using AI-powered portfolio tools, a single infected skill installation could yield complete access to core banking systems, Bloomberg Terminal credentials, SWIFT operator certificates, or the organization's SAMA compliance documentation environment. The attacker does not need to breach the perimeter — the victim's own AI assistant delivers the payload.

The Implications for Saudi Financial Institutions Under SAMA and NCA Supervision

The SAMA Cyber Security Framework (CSCC v2) requires financial institutions to maintain full visibility and control over third-party software components deployed within their environments — including tools used by individual employees on managed devices. The NCA Essential Cybersecurity Controls (ECC 2.0) mandate formal software supply chain risk management and application whitelisting. A ClawHavoc-style infection would constitute a reportable security incident under both frameworks, potentially triggering mandatory disclosure obligations to SAMA's Fintech and Cyber Risk Supervision departments within 72 hours. Furthermore, if stolen credentials enable unauthorized access to customer data, this triggers Saudi PDPL notification requirements. Institutions that cannot demonstrate active monitoring of AI tool usage and third-party skill provenance will face difficult questions from examiners — and from their own boards.

A Parallel Threat: The ClawJacked Vulnerability

Compounding the ClawHavoc campaign, security researchers simultaneously disclosed a separate architectural flaw in OpenClaw dubbed ClawJacked — a vulnerability allowing malicious websites to hijack locally running OpenClaw agents via WebSocket connections without any user interaction beyond visiting the site. Together, ClawHavoc and ClawJacked represent a two-vector attack surface against a single platform: one exploiting the supply chain through the skill marketplace, the other exploiting the agent's local network interface. Organizations that have not audited their AI agent deployments are potentially exposed on both fronts simultaneously.

Recommended Actions for Saudi Financial Institutions

1. Inventory AI agent deployments immediately. Identify every instance of OpenClaw, Claude Desktop, Cursor, or any other MCP-capable AI agent framework in use across your organization — including on employee personal devices used for work. Many deployments occur outside formal IT procurement channels.
2. Audit installed skills against ClawHavoc indicators. Cross-reference installed skills against the 341 confirmed malicious ClawHub package names published by Koi Security and Trend Micro. Remove any flagged skills and treat the host as potentially compromised requiring credential rotation.
3. Implement skill allowlisting. Until a formal vetting process for AI agent skills exists, restrict skill installation to a pre-approved allowlist managed by your security team. Treat unapproved skill installation the same as unauthorized software installation.
4. Apply macOS Keychain segmentation. On macOS endpoints, restrict which applications can access Keychain items storing corporate credentials. Ensure that AI agent processes run under restricted user accounts without access to high-privilege credential stores.
5. Enable network egress monitoring for AI agent processes. AMOS exfiltrates data to command-and-control infrastructure via HTTPS. Deploy SSL inspection or behavioral network detection to identify anomalous outbound connections from AI agent processes.
6. Classify agentic AI tools as third-party software components requiring full supply chain due diligence under your SAMA CSCC Technology Risk Management program. This includes version pinning, integrity verification, and periodic re-assessment of all installed extensions and plugins.
7. Patch and update OpenClaw. Ensure you are running versions that include the ClawJacked WebSocket vulnerability fix. Verify the fix is applied before re-enabling any local agent instances.

Conclusion

The ClawHavoc campaign is a landmark event in the evolution of supply chain attacks — it demonstrates that threat actors have pivoted from targeting software build pipelines to targeting the AI agent skill ecosystem, exploiting the implicit trust users place in marketplace-published tools. As Saudi financial institutions adopt agentic AI to meet Vision 2030 digital transformation mandates and SAMA's push for operational efficiency, the attack surface is expanding faster than most security programs are tracking. The question is not whether your organization uses AI agents — it is whether your security controls have kept pace with how your people actually use them.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that covers agentic AI risk, supply chain controls, and third-party software governance aligned to SAMA CSCC and NCA ECC requirements.