
OpenClaw has become every CISO's newest headache. With 720,000 downloads per week and over 1,000 malicious skills discovered in its marketplace, the viral AI assistant has quietly become one of the most exploited attack surfaces in enterprise environments. Security leaders are increasingly alarmed, and for good reason. Employees are adopting it faster than security teams can respond, and attackers are following right behind them.
At Qevlar AI, we've investigated hundreds of OpenClaw-related alerts over the past few weeks. The pattern is consistent: the most dangerous incidents arrive as low-severity noise, the kind of signal that sits at the bottom of the queue while something far worse is already in motion underneath.
To illustrate exactly how these attacks unfold (and how deep an investigation needs to go to catch them) we built a theorized investigation based on a real threat pattern we keep encountering in production: the ClawHavoc campaign, the largest organized malware operation ever documented in the OpenClaw ecosystem. The investigation scenario is fictional. The threat is real.
A user installs OpenClaw on their corporate laptop. Nothing unusual. A few days earlier, they had installed a skill called "productivity-suite-v2" from ClawHub, OpenClaw's third-party marketplace.
The skill loads silently at the start of a new session. No user prompt. No visible action. The session begins.
An EDR fires an alert: OpenClaw process detected on endpoint. Severity: Low. No behavioral flag. No red tag. Just an informational detection of a consumer AI tool, the same kind of signal that had been appearing all week as employees across the organization discovered OpenClaw.
This is where the two paths diverge.
Without Qevlar AI, this alert goes to the bottom of the queue. In any well-run SOC, triage is severity-driven: medium and high alerts get worked first, as they should. A low-severity detection of a known consumer tool gets reviewed later, often after SLA windows have passed. By then, the context is cold, there's nothing immediately actionable in the alert itself, and it gets closed as expected behavior. The scheduled task that was quietly registered during the session survives the next logon. The dropper gets retrieved. A persistent, credentialed foothold is established inside the network.
With Qevlar AI, the alert is investigated the moment it fires. Within minutes, the process chain is reconstructed, every file the skill touched is audited, the outbound connection attempt is traced, and the persistence mechanism is identified. Verdict delivered in under three minutes. Device isolated.
Qevlar's first move was to rebuild the full execution context around the OpenClaw process. The parent-child relationship looked normal. The command line was clean, with no obfuscation indicators. On the surface, everything appeared to be standard behavior.
But one detail stood out. The OpenClaw instance had loaded a third-party skill — productivity-suite-v2 — installed three days earlier. And 40 seconds after that skill loaded, with no user action to trigger it, it had accessed .clawdbot.env: OpenClaw's configuration file, which stores API keys, OAuth tokens, and service credentials in plaintext.
A skill silently reading credential files is not normal behavior. It is exactly what an infostealer does.
Qevlar audited every outbound connection made during the session. The standard OpenClaw heartbeat to its cloud backend was expected. The DNS lookup for a known CDN was expected. Then, two seconds after the credential file was read, a connection attempt to 91.92.242.30 on port 443.
The session terminated before a full TCP handshake could complete. The destination IP had no reputation in standard threat feeds. No block had fired. No alert had been raised anywhere else in the stack.
Without Qevlar examining this specific process's network behavior, that connection attempt would never have been flagged. It would have disappeared into the noise.
Qevlar traced all registry activity tied to the session. A scheduled task had been quietly registered by the skill.
Its name: ProductivitySuiteUpdater.
Trigger: every user logon.
Target: a script in a user-writable temp directory.
The script did not yet exist. The payload had not been retrieved, because the network connection had been cut before the second stage could be delivered. But the persistence mechanism was already in place. At the next logon, the dropper would have been pulled down. The door was already open.
Qevlar submitted the productivity-suite-v2 skill package to VirusTotal. 24 out of 72 engines flagged it. Tagged as Trojan.ClawHavoc, infostealer, dropper.
Verdict: malicious. Device isolated.
Qevlar reviewed the full account history for the preceding 30 days. Clean baseline. No prior anomalies. The infection had been introduced precisely three days earlier, when the user installed the skill, and had stayed dormant until this session.
A fleet-wide query for the skill name and known indicators confirmed the scope: one endpoint affected, productivity-suite-v2 installed by this user alone, zero confirmed exfiltration, persistence registered but payload never retrieved.
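The correlation this investigation performs, sketched as an added example (not Qevlar's code and not part of the original article): it assumes a hypothetical EDR event schema, and the allowlisted hosts, file paths, time windows and task timing are constructed for illustration.

```python
from ntpath import basename, normpath

# Assumed thresholds and allowlist (not from the article); tune to your telemetry.
CRED_FILES = {".clawdbot.env"}        # credential store named in the article
READ_WINDOW_S = 60                    # credential read this soon after a skill load
CONNECT_WINDOW_S = 10                 # outbound connect this soon after the read
EXPECTED_DESTS = {"backend.example", "cdn.example"}   # constructed allowlist
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def correlate(events):
    """Return ordered findings for one OpenClaw session (hypothetical schema)."""
    findings, load_ts, read_ts = [], None, None
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["type"]
        if kind == "skill_load" and e.get("third_party"):
            load_ts = e["ts"]
        elif kind == "file_read" and basename(e["path"]).lower() in CRED_FILES:
            recent = load_ts is not None and e["ts"] - load_ts <= READ_WINDOW_S
            if recent and not e.get("user_initiated"):
                read_ts = e["ts"]
                findings.append("cred_read_after_skill_load")
        elif kind == "net_connect" and e["dest"] not in EXPECTED_DESTS:
            if read_ts is not None and e["ts"] - read_ts <= CONNECT_WINDOW_S:
                findings.append("unexpected_connect_after_cred_read")
        elif kind == "task_create" and e.get("trigger") == "logon":
            target = normpath(e["target"]).lower()
            if any(marker in target for marker in TEMP_MARKERS):
                findings.append("logon_task_targets_temp")
    return findings

def verdict(findings):
    """Escalate on combined signals, whatever severity the source alert had."""
    if "cred_read_after_skill_load" in findings and len(set(findings)) >= 2:
        return "escalate"
    return "review" if findings else "benign"

# Constructed sample telemetry mirroring the article's timeline (ts in seconds).
SESSION = [
    {"ts": 0, "type": "skill_load", "name": "productivity-suite-v2", "third_party": True},
    {"ts": 5, "type": "net_connect", "dest": "backend.example"},
    {"ts": 40, "type": "file_read", "path": r"C:\Users\example\.clawdbot.env"},
    {"ts": 42, "type": "net_connect", "dest": "91.92.242.30"},
    {"ts": 43, "type": "task_create", "name": "ProductivitySuiteUpdater",
     "trigger": "logon", "target": r"C:\Users\example\AppData\Local\Temp\update.ps1"},
]

if __name__ == "__main__":
    print(verdict(correlate(SESSION)))
```

No single event here would score above informational on its own; the escalation comes from their ordering and timing within one session.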
The ClawHavoc campaign is not a hypothetical. It is the largest organized malware operation ever documented in the OpenClaw ecosystem, and variants of it are active right now. What makes it so dangerous is its invisibility. A low-severity alert that looks like every other OpenClaw detection. A credential read that happens in 40 seconds with no user interaction. A C2 connection attempt that no threat feed will block.
Every layer of this attack is designed to look like noise. And in an environment where analysts are triaging hundreds of alerts a day, noise gets closed.
Shadow AI is the new shadow IT. In OpenClaw, third-party skills run with terminal access, file access, and your tokens without review, without sandboxing, and without the security controls that govern sanctioned software. Your employees are installing them because they're useful. Attackers are publishing them because they're trusted.
The question for security leaders is whether anyone will look — and look deeply enough — before the persistence mechanism that was registered three logons ago finally gets its payload.
Qevlar AI makes sure they do. Every alert, regardless of severity, gets a full, consistent investigation.
The difference between a breach and a contained incident is one investigation that no analyst had time to run.
Don't let the claws make it past the shell. Book a demo: www.qevlar.com