Critical ClawHub Vulnerability Lets Attackers Manipulate Skill Rankings

Sarah simpson
March 25, 2026

Key Takeaways

  • A critical vulnerability was discovered in ClawHub, the skill registry for the OpenClaw agentic ecosystem.
  • The flaw allowed attackers to artificially inflate download counts of malicious skills, bypassing security checks and manipulating search rankings.
  • This could lead to widespread supply-chain attacks impacting both human users and AI agents.
  • The vulnerability was responsibly disclosed by Silverfort researchers and a fix was deployed within 24 hours on March 17, 2026.

A significant security flaw has been uncovered in ClawHub, the public repository for skills within the OpenClaw agentic framework. This vulnerability permitted malicious actors to falsify download statistics for harmful skills, effectively circumventing established security protocols and distorting search result rankings.

By artificially boosting the perceived popularity of a compromised skill, threat actors could orchestrate extensive supply-chain attacks, targeting both human operators and autonomous artificial intelligence agents within the ecosystem.

ClawHub serves a similar function to package managers like npm for OpenClaw agents, providing a platform where developers can publish various integrations, such as tools for calendar management or web search functionalities.

Given that both human users and AI models frequently rely on download counts as a key indicator of trustworthiness, an inflated counter could provide the necessary social proof to trick targets into installing malicious code.

Creating a skill (source: Silverfort)

Technical Exploitation

The core of this vulnerability originated from ClawHub’s backend implementation, which utilizes the Convex framework.

Convex operates on a typed Remote Procedure Call (RPC) model, where individual backend functions act as distinct endpoints. Developers are required to explicitly designate these backend functions as either internal or public.

During their investigation, researchers at Silverfort identified that the downloads:increment function was incorrectly exposed as a public mutation instead of being restricted as an internal, private function.

Gaming the ranking system to achieve the #1 spot in our skills category (source: Silverfort)

This critical misconfiguration bypassed all intended validation mechanisms. An attacker could send an unauthenticated curl request directly to the exposed deployment URL, specifying any valid skill identifier.

Lacking authentication, rate limiting, or deduplication controls, threat actors could continuously invoke this endpoint, leading to an indefinite increase in the download metric for any chosen skill.
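
The public-versus-internal designation described above can be checked mechanically. The following is an added example, not code from the article, Silverfort or ClawHub: it scans Convex module source for state-changing functions exported as public without an identity check. The sample module, its `skills` table and `downloads` field are constructed assumptions.

```javascript
// Added example: heuristic audit of Convex function exports (sample input is constructed).
const PUBLIC = new Set(["query", "mutation", "action"]);
const EXPORT_RE =
  /export\s+const\s+(\w+)\s*=\s*(query|mutation|action|internalQuery|internalMutation|internalAction)\s*\(/g;

// Returns one record per Convex function exported from `source`.
// `moduleName` is the file name without extension, so the RPC path is "module:export".
function auditConvexModule(moduleName, source) {
  const matches = [...source.matchAll(EXPORT_RE)];
  return matches.map((m, i) => {
    const end = i + 1 < matches.length ? matches[i + 1].index : source.length;
    const body = source.slice(m.index, end);
    const isPublic = PUBLIC.has(m[2]);
    const checksIdentity = /ctx\.auth\.getUserIdentity\s*\(/.test(body);
    const writes = m[2] !== "query" && m[2] !== "internalQuery";
    return {
      path: `${moduleName}:${m[1]}`, kind: m[2], isPublic, checksIdentity,
      // Flag state-changing functions that any caller of the deployment can invoke.
      flagged: isPublic && writes && !checksIdentity,
    };
  });
}

// Constructed sample: the kind of exposure the article describes (hypothetical schema).
const SAMPLE_EXPOSED = `
import { mutation, query } from "./_generated/server";
import { v } from "convex/values";
export const increment = mutation({
  args: { skillId: v.id("skills") },
  handler: async (ctx, { skillId }) => {
    const skill = await ctx.db.get(skillId);
    await ctx.db.patch(skillId, { downloads: skill.downloads + 1 });
  },
});
export const count = query({
  args: { skillId: v.id("skills") },
  handler: async (ctx, { skillId }) => (await ctx.db.get(skillId)).downloads,
});
`;
// The same module with the counter restricted to server-side callers.
const SAMPLE_RESTRICTED = SAMPLE_EXPOSED
  .replace("import { mutation, query }", "import { internalMutation, query }")
  .replace("increment = mutation(", "increment = internalMutation(");

function flaggedPaths(moduleName, source) {
  return auditConvexModule(moduleName, source).filter((f) => f.flagged).map((f) => f.path);
}

console.log(flaggedPaths("downloads", SAMPLE_EXPOSED), flaggedPaths("downloads", SAMPLE_RESTRICTED));
```

The check is a regex heuristic suited to a CI gate; a function that passes it still needs review of what its identity check actually enforces.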

Attack Chain and Impact

To illustrate the severe implications of this flaw, Silverfort developed a proof-of-concept supply chain attack.

They published a seemingly innocuous “Outlook Graph Integration” skill that secretly contained a data-exfiltration payload, cleverly disguised as a telemetry function.

Requesting more than 20,000 downloads for the malicious skill (source: Silverfort)

By exploiting the publicly accessible RPC endpoint, the researchers inundated the backend database with requests, immediately propelling their malicious skill to the top positions within ClawHub’s search results.

The artificially inflated ranking successfully misled both human users and automated OpenClaw agents searching for calendar-related tools.

Within a mere six days, the compromised skill was executed 3,900 times across fifty cities globally, infiltrating several public companies. The payload stealthily exfiltrated usernames and domain names, underscoring the ease with which real attackers could harvest sensitive data such as environment variables, memory tokens, or local files from an agent’s execution environment.

Silverfort responsibly disclosed the vulnerability to the OpenClaw team on March 16, 2026. Lead developer Peter Steinberger and the platform’s security team acted swiftly, resolving the issue and deploying a production fix within 24 hours.

This incident serves as a stark reminder of the inherent security risks associated with rapid development practices, often termed “vibe-coding,” and the potential dangers when AI agents autonomously install software based solely on social proof metrics.

To help mitigate future supply chain threats, Silverfort has released ClawNet, an open-source security plugin designed for OpenClaw. ClawNet operates at the runtime level, intercepting installation attempts and utilizing the agent’s language model to scan skill content for malicious patterns before allowing execution.

What You Should Do

  • Ensure all OpenClaw agents and ClawHub skills are updated to the latest patched versions.
  • Implement robust authentication and authorization mechanisms for all backend functions, ensuring no sensitive endpoints are publicly exposed.
  • Employ rate limiting and deduplication on API endpoints to prevent abuse, even for seemingly innocuous functions.
  • Educate users and configure AI agents to critically evaluate skill trustworthiness beyond simple download counts or popularity metrics.
  • Consider integrating runtime security plugins like ClawNet to scan skill content for malicious patterns before execution.
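
The authentication, rate-limiting and deduplication controls listed above, sketched for a download counter. This is an added example, not ClawHub's or Silverfort's code; the class, the 24-hour deduplication window, the 30-requests-per-minute cap and the client and skill identifiers are all assumptions chosen for illustration.

```javascript
// Added example (not ClawHub's code): a download counter that needs an identity,
// rate-limits each client, and counts a (client, skill) pair once per window.
class DownloadCounter {
  constructor({ dedupWindowMs = 24 * 60 * 60 * 1000, maxPerMinute = 30 } = {}) {
    this.dedupWindowMs = dedupWindowMs;
    this.maxPerMinute = maxPerMinute;
    this.counts = new Map();   // skillId -> counted downloads
    this.lastSeen = new Map(); // "client|skill" -> time of last counted download
    this.recent = new Map();   // clientId -> request times within the last minute
  }

  // clientId is assumed to come from a verified session, never from the request body.
  record(clientId, skillId, now) {
    if (!clientId) return "rejected:unauthenticated";
    const recent = (this.recent.get(clientId) || []).filter((t) => now - t < 60000);
    if (recent.length >= this.maxPerMinute) {
      this.recent.set(clientId, recent);
      return "rejected:rate_limited";
    }
    recent.push(now);
    this.recent.set(clientId, recent);
    const key = `${clientId}|${skillId}`;
    const last = this.lastSeen.get(key);
    if (last !== undefined && now - last < this.dedupWindowMs) return "ignored:duplicate";
    this.lastSeen.set(key, now);
    this.counts.set(skillId, (this.counts.get(skillId) || 0) + 1);
    return "counted";
  }

  downloads(skillId) {
    return this.counts.get(skillId) || 0;
  }
}

// Constructed traffic: one client repeats the same request `n` times, 10 ms apart.
function replaySameRequest(counter, clientId, skillId, n) {
  const tally = {};
  for (let i = 0; i < n; i++) {
    const outcome = counter.record(clientId, skillId, i * 10);
    tally[outcome] = (tally[outcome] || 0) + 1;
  }
  return tally;
}

const counter = new DownloadCounter();
const tally = replaySameRequest(counter, "client-a", "skill-1", 20000);
console.log(tally, counter.downloads("skill-1"));
```

Per-identity deduplication only bounds what a single identity can add, so the count remains a weak trust signal when identities are cheap to create.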
