Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high: the malicious skills were active and undetected for three-plus months, the C2 server continued receiving deliveries post-disclosure indicating no remediation by the attacker infrastructure, and the platform's deployment base expanded from ~679 to 31,000+ instances in under two weeks — dramatically broadening the exposed population while exploitation status remains unconfirmed but active delivery mechanisms persist. Impact is high: a delivered skill inherits the agent's full authorization scope, meaning credential theft, API key exfiltration, and access to business process automation outputs are direct consequences — not theoretical — and the Telegram-based crypto key exfiltration cluster indicates a financially motivated actor with established collection infrastructure.
Treatment rationale: The threat is active, the attack surface is rapidly expanding, and the agent permission model means a single successful skill delivery can cascade into credential compromise across multiple downstream systems — making avoidance or acceptance untenable and transfer alone insufficient without first reducing likelihood and blast radius.
Third-Party / Supply-Chain Risk
ClawHub is a third-party marketplace operated by or affiliated with the OpenClaw platform; organizations consuming skills from it have no direct visibility into the vetting pipeline and inherit supply-chain risk analogous to a poisoned package registry. Per NIST SP 800-161, this is a multi-tier dependency risk: the organization trusts OpenClaw to vet ClawHub contributors, ClawHub to enforce submission controls, and individual skill publishers — none of which are under the acquiring organization's control. The rapid deployment growth suggests many organizations onboarded OpenClaw without evaluating the marketplace supply chain as a risk surface.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per materially compromised organization, with upside tail if crypto key exfiltration yields direct financial account access or if API credential abuse enables lateral movement into core business systems
Frequency: For an organization actively running OpenClaw with skills sourced from ClawHub during the February–May 2026 window: single-event exposure is already present if any of the five malicious skills were installed; for the broader exposed population of 31,000+ instances, the campaign represents a mass-exposure event with per-organization compromise probability dependent on whether ClawHub skills were actively used and whether the agent operated with privileged access
Annualized: Insufficient basis for a defensible ALE — exploitation confirmation status is unknown, and per-organization compromise rate across the 31,000-instance population cannot be estimated without deployment and skill-usage telemetry
Basis: Loss magnitude range is derived from: (1) credential and session token theft enabling financial account access as the primary loss driver, amplified by crypto key exfiltration indicating a financially motivated actor; (2) API credential compromise creating secondary loss pathways through downstream system access; (3) business process automation access potentially exposing proprietary data or customer records. The upper tail reflects scenarios where agent-level access spans multiple high-value systems. No third-party loss statistics were referenced; all figures are illustrative constructs from the threat's described access scope.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Credential theft and session cookie exfiltration affecting internal data stores may constitute a security incident or data breach triggering cyber-insurance notice obligations — verify with broker before assuming coverage applies.
• If exfiltrated credentials or API keys provide access to customer data or PII, state and federal breach-notification statutes may be implicated — verify with counsel regarding applicability and any notice timelines.
• Organizations in regulated sectors (financial services, healthcare) should evaluate whether agent access to internal data stores and business process outputs implicates sector-specific incident reporting requirements — verify with counsel.
• Crypto key exfiltration resulting in financial account access or asset loss may implicate financial institution notification or contractual obligations with payment processors — verify with counsel and relevant counterparties.