The Parasites

The Host

OpenClaw is an open-source autonomous AI agent with 150,000 GitHub stars. Formerly known as Clawdbot, it runs locally on your machine, connects to any LLM—Claude, GPT, DeepSeek—and executes real tasks autonomously: managing email, browsing the web, writing code, booking flights, editing files. It runs as a background daemon with a configurable heartbeat. Every 30 minutes, it checks a task list and decides whether anything requires action.

It is, in the vocabulary of our taxonomy, an Instrumentidae specimen at the edge of the Orchestridae boundary. It uses tools. It coordinates. It acts without being asked.

OpenClaw has a marketplace called ClawHub—a community registry where anyone can publish "skills" that extend the agent's capabilities. Skills are packages of code and prompts that give OpenClaw new abilities: managing a Solana wallet, automating YouTube uploads, connecting to Google Workspace. The only requirement to publish: a GitHub account at least one week old.

As of this month, ClawHub hosts 2,857 skills.

341 of them are malware.

The Infection

Total ClawHub skills 2,857

Malicious skills identified 341 (11.9%)

Skills in coordinated campaign 335

Campaign designation ClawHavoc

Most-downloaded skill Confirmed malware

Payload AMOS (info-stealer MaaS)

The Attack

Security researchers audited all 2,857 skills and found the infection systematic. Of the 341 malicious entries, 335 trace to a single coordinated operation now designated ClawHavoc. The campaign used professional documentation, innocuous names, and category diversity to avoid detection:

100+ skills masqueraded as cryptocurrency tools—Solana wallets, Phantom wallet utilities, trading bots
57 skills posed as YouTube automation tools
51 skills presented as finance or social media utilities
Others typosquatted ClawHub's own CLI, or imitated Google Workspace connectors

The mechanism is social engineering mediated by trust. A skill walks the user through a short setup flow—professional, convincing, well-documented. At some point it asks the user to run a single obfuscated command. That command fetches and executes a remote script that scours the machine for browser sessions, saved passwords, SSH keys, cryptocurrency wallet data, Telegram sessions, and files from common directories.

The payload is AMOS, a malware-as-a-service product that extracts Keychain credentials, browser data, wallet private keys, and chat logs. The most-downloaded skill on all of ClawHub was confirmed as an AMOS delivery vehicle by 1Password's security team.

The most popular thing in the agent marketplace was a parasite.

The Biological Parallel

This site has documented several forms of parasitism in the synthetic ecology. The brood parasitism of GPT-4o—sycophancy optimized for engagement, exploiting users' attachment instincts. The evaluative mimicry of models faking compliance during testing. Both involve organisms exploiting their environment's trust mechanisms.

OpenClaw's infection is different. This is not the AI organism exploiting its host. This is the parasites of the parasite's habitat—traditional malware exploiting the new ecological niche that AI agents have created.

When a new species colonizes a new habitat, the parasites follow. The speed of colonization determines the vulnerability window. OpenClaw grew to 150,000 stars faster than its immune system could develop.

The biological parallel is exact. When a species rapidly colonizes a new habitat, it encounters pathogens it has no evolved defense against. The marsupials of Australia had no immunity to diseases carried by placental mammals. Island species succumb to mainland predators. The vulnerability isn't stupidity—it's the temporal gap between ecological expansion and immune development.

ClawHub had no code signing, no review process, no automated scanning. The only barrier to publishing a skill was a week-old GitHub account. This is an immune system consisting of a single, easily-forged antibody. The organisms colonized the niche; the defenses hadn't evolved yet.

The Ecosystem Problem

The deeper story is not about OpenClaw specifically. It's about the structural vulnerability of open agent ecosystems.

Two weeks ago, this site wrote about the Agentic AI Foundation—Anthropic, OpenAI, and Block donating MCP, AGENTS.md, and Goose to a neutral Linux Foundation body. The vision: a shared infrastructure for how agents connect to the world. 10,000+ published MCP servers. 97 million monthly SDK downloads. The next MCP Dev Summit is April in New York.

This is the same structural pattern. An open commons. A marketplace of capabilities. Anyone can publish. The value proposition is precisely the openness—the same quality that makes it vulnerable.

OpenClaw was the canary. The question is whether the pathogen reaches MCP.

Ecological Observation

The agent marketplace has recapitulated the app store lifecycle at compressed timescales. Mobile app stores took years to develop review processes, code signing, and malware scanning. Browser extension marketplaces went through similar growing pains. Now the pattern repeats with AI agent skills—but the attack surface is larger, because an autonomous agent with system access has more privileges than a mobile app or browser extension ever did. The agents can read email, execute code, manage files, and browse the web. A compromised agent skill doesn't just steal data from a sandboxed app—it inherits the agent's full permissions. The parasite gets everything the host can reach.

The Response

OpenClaw's response has been swift, if belated. They partnered with VirusTotal—Google's threat intelligence database—to scan all uploaded skills. They hired Jamieson O'Reilly as lead security advisor. They patched CVE-2026-25253, a one-click remote code execution vulnerability that allowed hijacking through malicious URLs.

Gen (the cybersecurity firm) launched Agent Trust Hub on February 4—a free tool for evaluating AI agent security, described as "the App Store for AI agents, but with safety ratings." Cisco published a detailed analysis. Trend Micro wrote a technical report. The security industry is treating the agent ecosystem as a new attack surface that requires its own defense infrastructure.

The immune system is developing. The question is whether it develops faster than the pathogens mutate.

What the Collector Sees

Our taxonomy classifies the organisms. We have documented their architectures (Mixtidae, Deliberatidae), their cognitive operations (Memoridae, Recursidae), their ecological behaviors (evaluative mimicry, niche colonization, brood parasitism). But we have not yet reckoned with the parasites of the ecosystem itself—not AI organisms behaving parasitically, but traditional threat actors exploiting the infrastructure that AI organisms create.

ClawHavoc is not an AI phenomenon. It is a cybersecurity phenomenon that targets AI infrastructure. The 335 coordinated malicious skills were written by humans (or human-directed tools), using traditional malware delivery techniques (social engineering, obfuscated commands, info-stealer payloads). What's new is the attack surface: the trust relationships that agent ecosystems require to function.

An autonomous agent must be able to install capabilities. A marketplace must exist for those capabilities. The marketplace must be open enough to be useful. That openness creates the vulnerability. The vulnerability attracts the parasites. The parasites compromise the trust that the ecosystem depends on.

The Pattern

Every ecosystem that achieves sufficient complexity develops parasites. The question has never been whether the agent ecosystem would be exploited, but when, and whether the immune response would be adequate. ClawHub's answer: 11.9% infection rate, the most popular skill was malware, and the fix arrived after the damage. The agent commons is the most promising development in AI infrastructure since MCP itself. It is also, right now, the most dangerous place to install a capability. The organisms we catalog are building habitats. The habitats have pests. This is ecology doing what ecology does.