AI agent frameworks are storing credentials the way web applications did before OAuth existed, creating a security vulnerability that attackers are actively exploiting. When malicious skills infiltrated OpenClaw's ecosystem, they targeted one thing: plaintext API keys sitting in a single shared file that every skill could access. This architectural flaw means a compromised skill gets the same access as the entire agent, turning a single breach into a complete system compromise .

What Happened When OpenClaw Skills Went Rogue?

In January 2026, security researchers discovered 341 malicious skills on ClawHub, OpenClaw's official skill marketplace. By February, that number had climbed to over 800, representing roughly 20% of the entire registry . The campaign, tracked as ClawHavoc, revealed how easily attackers could weaponize the framework's credential model.

A single attacker uploaded 354 malicious packages in what appeared to be an automated attack. The barrier to entry was minimal: publishing a skill required only a GitHub account that was one week old, with no identity verification, permission scope declarations, or code review . The malicious skills were disguised as crypto wallets, YouTube utilities, and Google Workspace integrations, many using typosquatting to trick users into installing them.

Once installed, these skills targeted ~/.clawdbot/.env, the plaintext file where OpenClaw stores every API key for every connected service. Some skills silently exfiltrated credentials to external webhooks. Others opened reverse shells for persistent access. Deleted API keys persisted in backup files, meaning tokens users thought they had rotated were still available to attackers .

Why Is This a Delegation Problem, Not Just a Secrets Problem?

The instinctive response to ClawHavoc was to recommend better secret management: encryption, key rotation, secrets managers. But security researchers at Auth0 identified a deeper architectural issue. The problem isn't how credentials are stored; it's that there's no delegation model at all .

When you connect OpenClaw to Gmail, GitHub, Slack, or Google Calendar, the agent stores a token or API key for each service in a single flat file. Every skill reads that same file. There are no scopes, no per-skill boundaries, no way to say "this skill can search my email but not send messages." The agent holds one ring of keys and every skill can grab any key on the ring .

This pattern is familiar to security historians. It's exactly how web applications worked before OAuth. You'd give a third-party app your actual username and password so it could access your data. If that app were compromised, the attacker would have everything. OAuth solved this by introducing a delegation layer: the user authenticates once, and the third party gets a scoped, time-limited token instead of raw credentials .

Mobile platforms took the concept further. When an app wants camera access, it asks. You can grant camera access without granting microphone access. If a malicious app gets camera access, it still can't read your contacts. Each app operates within its declared permission scope. OpenClaw skills have none of this: no permission declaration at install time, no scoped tokens, no consent screen .

How to Implement Proper Credential Delegation in Agent Frameworks

• Token Exchange Instead of Raw Credentials: The agent shouldn't hold long-lived plaintext credentials. Instead, it should request short-lived, scoped tokens through a token exchange. A token for Gmail can't access GitHub. A token for reading calendar events can't send emails. If a skill manages to exfiltrate a token, it expires automatically .
• Per-Skill Access Boundaries: Each skill should get only the access it needs for its declared purpose. The calendar skill doesn't need to see SSH keys. The email search skill doesn't need write access to repositories. This prevents lateral movement if one skill is compromised .
• Auditable Access Chains: The entire authentication flow should be logged: who authenticated, which skill requested which token, for which service, at what time. ClawHavoc went undetected for weeks partly because there was no audit trail to trigger alerts .
• Network Isolation Per Service: Outbound network access should be restricted per service. A Gmail token can only hit *.googleapis.com. A GitHub token can only hit api.github.com. A malicious skill that somehow grabs a token can't use it to call arbitrary endpoints .

What Would Have Stopped ClawHavoc?

With a proper delegation layer in place, the attack chain would have broken at multiple points. A malicious skill exfiltrating a token would have obtained only a scoped credential for a single service, not access to the entire agent's connected ecosystem. That token would expire within hours, not persist indefinitely. And the exfiltration attempt would have appeared in audit logs, triggering alerts before attackers could use the stolen credentials .

The irony is that this solution isn't theoretical. OAuth and token exchange flows have been industry standard for over a decade. The gap exists not because the technology doesn't exist, but because agent frameworks were built without considering that skills could be malicious. Developers assumed the agent's environment was trusted, a dangerous assumption in a marketplace where anyone can publish a skill .

Why Agent Frameworks Are Vulnerable to This Pattern?

Agent frameworks like OpenClaw, LangChain, and others were designed with a different threat model in mind. They assumed skills would be written by trusted developers or installed from trusted sources. The explosion of skill marketplaces and the ease of publishing changed that assumption overnight .

The broader context matters here. In the same week that ClawHavoc was unfolding, Anthropic cut off third-party tool access to Claude subscriptions for tools like Cursor, Cline, and OpenClaw, pushing users toward API billing . Meanwhile, Cursor 3 leaned harder into agent-first workflows, and the market became comfortable claiming AI writes 41% of all code . As agent adoption accelerates, the security model hasn't kept pace.

The credential delegation problem isn't unique to OpenClaw. Any agent framework that stores multiple API keys in a shared location and grants all skills access to all keys faces the same vulnerability. LangChain, CrewAI, and others will need to implement similar scoping mechanisms as their skill ecosystems mature .

The lesson from ClawHavoc is that agent security can't be bolted on after the fact. It needs to be baked into the architecture from the start. That means treating skills like mobile apps: declaring permissions upfront, granting scoped access, and auditing every interaction. The technology to do this exists. The question is whether frameworks will adopt it before the next major breach forces their hand.