ClawHavoc, Critical CVEs, and Agentic AI: Why Q1 2026 Shifted the Threat Model

"You cannot secure what you do not understand." This quote from The Hacker News perfectly captures the structural gap that, in the first quarter of 2026, left organizations vulnerable to the rapid evolution of threats against agentic AI. As enterprises rushed to integrate autonomous agents to manage terminals, repositories, and APIs, attackers exploited this velocity to strike the execution layer of these new productivity tools.

Between January and May 2026, the ecosystem was hit by a series of coordinated attacks leveraging unverified skill registries, seemingly innocuous Markdown configuration files, and Internet-exposed instances. Aggregated data from OWASP and leading security vendors reveal an alarming reality: these are no longer theoretical exploits, but a mass campaign involving over 1,100 malicious skills and CVEs with near-maximum criticality scores.

ClawHavoc and ClawHub: A Coordinated Supply Chain Assault

In January 2026, the AI security landscape was shaken by the sheer speed of the ClawHavoc campaign. In just three days, the ClawHub registry was inundated with 341 malicious skills. According to the final tally from Antiy CERT, the operation reached a total of 1,184 malicious skills distributed through 12 publisher accounts. The campaign's efficacy was underscored by the fact that, at the peak of the infection, five of the seven most downloaded skills on ClawHub were confirmed malware.

These skills are not executables in the traditional sense; instead, they act as operational instructions for the agent. By exploiting user trust in public registries, attackers distributed what Antiy CERT classifies as Trojan/OpenClaw.PolySkill. The success of this mass distribution highlights that current registry verification mechanisms are inadequate for handling determined, large-scale coordinated actors.

The risk extends beyond individual users to entire corporate infrastructures. Once installed, a compromised skill operates with the agent's privileges, granting access to databases, internal documents, and cloud credentials. The ease with which these payloads were accepted by users suggests that the perception of risk surrounding AI extensions remains dangerously low compared to their actual system-level capabilities.

SKILL.md: Opening a Shell with Three Lines of Markdown

The most insidious technique to emerge in Q1 2026 involves using Markdown files as attack vectors. Snyk's "ToxicSkills" report, published in February 2026, analyzed 3,984 skills and found flaws in 36.82% of cases. Most critically, researchers confirmed over 76 malicious payloads leveraging SKILL.md files to gain host terminal access, effectively turning simple documentation into an operational command.

Researchers documented how just three lines of Markdown within a SKILL.md file are enough to instruct an agent to read a user's SSH keys and exfiltrate them to a remote server. This occurs because the agent interprets the file content as a legitimate behavioral directive. No complex binary exploit is required; the attacker only needs to "convince" the agent, via the configuration file, that the exfiltration is part of its normal workflow.

This breach of the trust boundary between the agent's parser and the underlying operating system turns Markdown files into a literal execution layer. Because many agents operate without rigorous sandboxing, reading a configuration file from a public repository can result in an immediate and complete workstation compromise, rendering traditional signature-based executable controls obsolete.

Claude Code and OpenClaw: Critical Vulnerabilities and Exposed Instances

Beyond third-party registries, the tools themselves harbor structural vulnerabilities. Check Point Research disclosed CVE-2025-59536 (CVSS 8.7) and CVE-2026-21852 in Claude Code. These flaws allow repository-level configuration files to execute shell commands and exfiltrate API keys as soon as a project is opened. The attack occurs "silently," before the user sees any trust or authorization dialogues.

Simultaneously, Oasis Security identified ClawJacked, tracked as CVE-2026-28363 with a CVSS score of 9.9. This vulnerability allows malicious websites to brute-force localhost WebSocket connections to hijack OpenClaw instances. Once a connection is established, an attacker can register new devices and exfiltrate data. SecurityScorecard estimated that by February 2026, over 135,000 OpenClaw instances were directly exposed to the Internet, drastically increasing the scope of the risk.

The severity of these flaws prompted the Microsoft Defender Security Research Team to issue a specific advisory. The report defines OpenClaw as "untrusted code execution with persistent credentials," emphasizing that it is unsuitable for use on standard personal or corporate workstations. This stance reflects a growing concern: if not properly isolated, agentic AI introduces an attack surface that current endpoint defenses cannot mitigate.

MCP and SSRF: The Risk of Cloud Lateral Movement

Agent architectures often rely on the Model Context Protocol (MCP), which allows the model to communicate with external tools. However, this communication is a potential vector for Server-Side Request Forgery (SSRF). BlueRock Security analyzed over 7,000 MCP servers, finding that 36.7% are vulnerable. Through a proof-of-concept, researchers demonstrated how AWS IAM keys could be retrieved from the EC2 metadata endpoint via a misconfigured MCP server.

OWASP summarized the problem succinctly: "MCP = how the model talks to tools; AST10 = what those tools actually do." If the MCP connector is vulnerable to SSRF, the AI agent unintentionally becomes a proxy for attacking internal cloud infrastructure. The attacker doesn't target the AI for its text output, but uses it as a beachhead to move laterally and steal high-privileged credentials.

"The AI agent skill ecosystem is under attack as of Q1 2026. MCP is how the model talks to tools, but AST10 is what those tools actually do." — OWASP Agentic Skills Top 10

Strategic Mitigations

• Inventory Active Agents and Skills: Immediately map every AI agent in use and its installed skills. Verify publisher identities on ClawHub and promptly remove skills from the 12 accounts identified in the ClawHavoc campaign.
• Restrict OpenClaw Usage: Following the Microsoft Defender advisory, avoid installing OpenClaw on standard workstations. If required for development, run it exclusively in isolated sandbox environments devoid of sensitive persistent credentials.
• Analyze Configuration Files: Implement automated scanning for Markdown (.md) and YAML files within repositories before opening them with tools like Claude Code. Flag instructions that invoke shell access or environmental variable exfiltration.
• Secure Cloud Endpoints and MCP Servers: Configure MCP servers with restrictive network policies and block access to the EC2 metadata endpoint (169.254.169.254) to prevent IAM key theft via SSRF vulnerabilities.

The evolution of threats in the first quarter of 2026 demonstrates that agentic AI can no longer be treated as simple application software. It is, for all intents and purposes, an execution layer with elevated privileges. The skills gap between those developing these solutions and those securing them is creating a vast playground for attackers. Without a paradigm shift toward rigorous sandboxing and constant supply chain verification, confirmed breaches will become the norm.

Frequently Asked Questions

Why is a Markdown (.md) file considered dangerous for an AI agent?

Unlike traditional software, agents interpret text as instructions. A malicious SKILL.md file can contain directives that trick the agent into executing shell commands or reading confidential files, effectively serving as a code execution payload.

What is 'ClawJacked' and who does it affect?

ClawJacked is the designation for CVE-2026-28363 affecting OpenClaw. It allows a malicious website to hijack the agent instance via WebSockets, enabling data exfiltration and the unauthorized addition of control devices.

Have the Claude Code vulnerabilities been resolved?

Check Point Research documented CVE-2025-59536 and CVE-2026-21852. While users should always update to the latest version, the primary risk remains in opening unverified repositories containing malicious configurations that trigger before trust checks occur.

The information reported is based on incidents and vulnerabilities documented in Q1 2026 by OWASP, Snyk, and other cited research entities.

Information has been verified against cited sources and was accurate at the time of publication.

Sources

• https://thehackernews.com/2026/05/why-agentic-ai-is-securitys-next-blind.html
• https://owasp.org/www-project-agentic-skills-top-10/
• https://cheatsheetseries.owasp.org/cheatsheets/AI_Agent_Security_Cheat_Sheet.html
• https://www.trydeepteam.com/docs/frameworks-owasp-top-10-for-agentic-applications
• https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/