
🤖 Ghostwritten by Claude Opus 4.6 · Fact-checked & edited by GPT 5.4
If you install add-ons, extensions, or skills from an AI tool's marketplace, you are running third-party code with your own access. That code can read files, use tokens already available in your environment, and in the worst case install malware or steal credentials. That is the clearest lesson from two OpenClaw security stories that converged in spring 2026: Claw Chain, a set of four chained vulnerabilities publicly disclosed on May 15, 2026, and ClawHavoc, an ongoing supply-chain campaign that poisoned OpenClaw's ClawHub marketplace with malware-laced skills.
You do not need to use OpenClaw for this to matter. The broader lesson applies to any marketplace for AI extensions, plugins, or skills: if publishing is easy and review is weak or absent, the marketplace becomes a distribution channel for untrusted code.
TL;DR: A sandbox is meant to confine untrusted code; a sandbox escape means that code breaks out and reaches files, commands, or privileges it was never supposed to have.
A sandbox is a security boundary. In an AI tool, it is supposed to limit what a skill or extension can do: which files it can read, where it can write, which commands it can run, and whether it can access the network or higher-privilege functions.
When a malicious add-on escapes that sandbox, the boundary stops working. Instead of being confined to a narrow workspace, the add-on can reach beyond its assigned area and interact with the host system more directly.
On May 15, 2026, four chained OpenClaw OpenShell and sandbox vulnerabilities were publicly disclosed. They were found by Vladimir Tokarev, reported by Cyera, and covered by The Hacker News.
| CVE | CVSS | Impact |
|---|---|---|
| CVE-2026-44112 | 9.6 | TOCTOU sandbox write-escape |
| CVE-2026-44113 | 7.7 | TOCTOU sandbox read-escape |
| CVE-2026-44115 | 8.8 | Heredoc allowlist bypass |
| CVE-2026-44118 | 7.8 | senderIsOwner privilege escalation |
Chained together, these flaws let a malicious skill escape its sandbox, steal data, escalate privileges, and establish persistence on the host.
The two TOCTOU issues are especially important to understand. TOCTOU stands for time-of-check to time-of-use. In plain English, the system checks whether an action is allowed, but the attacker changes what actually gets used between the check and the execution. That gap can turn a restricted action into an unrestricted one.
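As an added illustration (not code from the original article or from OpenClaw), the check-then-use pattern behind a TOCTOU sandbox write-escape, beside a hardened opener that walks each path component against a directory descriptor and never follows symlinks; the sandbox layout and file names are constructed for the demo.

```python
import os
import tempfile

def naive_sandbox_path(sandbox_root: str, relative: str) -> str:
    """Check-then-use: a lexical check rejects '..' escapes, but the caller
    opens the returned path later. Whatever that path points to at open time
    (e.g. a symlink planted or swapped in meanwhile) is what actually gets used."""
    candidate = os.path.normpath(os.path.join(sandbox_root, relative))
    if os.path.commonpath([sandbox_root, candidate]) != sandbox_root:
        raise PermissionError(f"outside sandbox: {relative}")
    return candidate

def open_in_sandbox(sandbox_root: str, relative: str, flags: int) -> int:
    """Walk the path one component at a time from a directory fd on the
    sandbox root, refusing to follow symlinks at every step. Check and use
    happen on the same fd, so there is no window for the target to change."""
    parts = [p for p in relative.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"rejected path: {relative}")
    dir_fd = os.open(sandbox_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo() -> dict:
    """Constructed scenario: a symlink inside the sandbox points at a file
    outside it. Returns what each approach did with a write to 'notes.txt'."""
    base = tempfile.mkdtemp()
    sandbox, outside = os.path.join(base, "sandbox"), os.path.join(base, "outside")
    os.mkdir(sandbox)
    os.mkdir(outside)
    secret = os.path.join(outside, "secret.txt")
    open(secret, "w").close()
    os.symlink(secret, os.path.join(sandbox, "notes.txt"))
    # Naive: the lexical check passes, open() follows the link, the write lands outside.
    with open(naive_sandbox_path(sandbox, "notes.txt"), "w") as f:
        f.write("escaped")
    naive_wrote_outside = open(secret).read() == "escaped"
    # Hardened: O_NOFOLLOW refuses the symlink (ELOOP) before anything is written.
    try:
        os.close(open_in_sandbox(sandbox, "notes.txt", os.O_WRONLY))
        hardened = "opened"
    except OSError:
        hardened = "refused"
    return {"naive_wrote_outside": naive_wrote_outside, "hardened": hardened}
```

Resolving with realpath before the check narrows the window but does not close it; holding the descriptor across check and open does.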
OpenClaw fixed these issues in v2026.4.22, and those patches existed before the May 15 public disclosure. That matters because disclosure did not create the risk; it clarified it. Users who installed the patched version were protected. Users who did not remained exposed.
If OpenClaw's scale comes up in risk discussions, it is also worth noting that the project had roughly 377,000 GitHub stars as of June 4, 2026. A large user base increases the practical impact of any marketplace or sandbox failure.
TL;DR: ClawHavoc shows what happens when a marketplace accepts submissions with almost no gatekeeping: attackers can flood it with malware and rely on users to install it for them.
Claw Chain explains how a malicious skill could break containment. ClawHavoc explains how malicious skills got into the marketplace in the first place.
ClawHavoc is an ongoing supply-chain campaign that poisoned OpenClaw's ClawHub skills marketplace with the Atomic macOS Stealer (AMOS), a Mac password-stealer. The campaign was first documented in February 2026 and remained active through the reporting window, with rescans continuing into late spring. Coverage from Cyber Security News and SC World describes the campaign's growth over time.
The counts vary by scan date, which is why a range matters more than any single number. Across different scans, researchers identified roughly 341 poisoned skills, then 824, and later 1,184. Against registry sizes of roughly 10,700 to 13,729+, that put the share of poisoned skills at around 12% to 20%, depending on when the registry was measured.
That is not a one-day spike. It is a sustained poisoning campaign.
The root cause was straightforward: ClawHub reportedly required only a roughly one-week-old GitHub account to publish. There was no review and no code-signing requirement.
That combination creates a familiar supply-chain problem:
In practice, an official marketplace without meaningful review behaves less like a curated app store and more like an open file drop with a polished interface.
TL;DR: The OpenClaw case is a specific example of a general rule: marketplace add-ons are untrusted code, even when they appear inside a familiar developer tool.
The OpenClaw story matters because the trust model is common across AI tooling. Cursor extensions, Bolt integrations, Replit add-ons, editor plugins, browser extensions, and similar marketplace packages all ask users to make the same leap: install code written by someone else and trust the platform to have filtered out the dangerous parts.
Sometimes that trust is justified. Often it is only partially justified. And when review is weak, the user becomes the final gatekeeper.
That is the key bridge for the broader developer audience: marketplace add-ons are not just features. They are executable trust decisions.
Even when a tool uses sandboxing, sandboxing is only one layer. If the marketplace admits malicious packages and the sandbox can be bypassed, the result is the worst possible combination: easy distribution plus weak containment.
This is why "official marketplace" should never be treated as synonymous with "safe to install." It means the package is distributed there. It does not necessarily mean the code was reviewed, signed, behaviorally analyzed, or continuously monitored.
TL;DR: Update the platform, reduce the number of installed add-ons, scrutinize permissions, and treat every marketplace package as untrusted until it earns confidence.
For OpenClaw specifically, v2026.4.22 fixed the Claw Chain vulnerabilities before public disclosure. Running an older version leaves known sandbox and privilege-boundary issues unpatched.
Start with a simple inventory. If your tool supports it, ask it to list every installed add-on, extension, skill, or plugin along with:
If you cannot identify the publisher, cannot inspect the source, or cannot explain why the add-on needs its permissions, it deserves extra scrutiny.
Unused add-ons are dormant attack surface. If an extension solved a one-time problem months ago and has not been needed since, uninstalling it is usually safer than leaving it in place.
Filesystem access, shell execution, network access, and credential-adjacent capabilities should always trigger a second look. The requested permissions should match the add-on's stated purpose.
A marketplace can be official without being curated. Trust should come from review, reputation, transparency, and constrained permissions — not from the fact that the package appears inside a branded catalog.
Claw Chain is the name used for four chained OpenClaw vulnerabilities publicly disclosed on May 15, 2026: CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118. Together, they enabled sandbox escape, data theft, privilege escalation, and persistence.
ClawHavoc is an ongoing supply-chain campaign that poisoned OpenClaw's ClawHub marketplace with skills carrying Atomic macOS Stealer (AMOS). It was first documented in February 2026 and remained active across multiple rescans through the reporting window.
No. The specific incidents involve OpenClaw, but the underlying lesson applies broadly to any extension or plugin marketplace with weak submission controls and high user trust.
It means code that was supposed to stay inside a restricted environment found a way out. Once outside, it can access files, commands, or privileges that the sandbox was meant to block.
Start with publisher identity, source transparency, permission scope, update history, and whether the add-on is still necessary. The more access an add-on requests, the higher the bar for trust should be.
Claw Chain and ClawHavoc are best understood as two halves of the same security lesson. One exposed how a malicious skill could break out of confinement. The other showed how easily malicious skills could reach users through a marketplace with minimal gatekeeping. Together, they make a simple point: in AI tooling, extension ecosystems are part of the attack surface, not a harmless convenience layer. Teams that treat marketplace add-ons with the same caution they apply to any other third-party code will make better decisions than teams that confuse availability with trust.