Critical ClawHub Vulnerability Lets Attackers Manipulate Skill Rankings
Key Takeaways
- A critical vulnerability was discovered in ClawHub, the skill registry for the OpenClaw agentic ecosystem.
- The flaw allowed attackers to artificially inflate download counts of malicious skills, bypassing security checks and manipulating search rankings.
- This could lead to widespread supply-chain attacks impacting both human users and AI agents.
- The vulnerability was responsibly disclosed by Silverfort researchers and a fix was deployed within 24 hours on March 17, 2026.
A significant security flaw has been uncovered in ClawHub, the public repository for skills within the OpenClaw agentic framework. This vulnerability permitted malicious actors to falsify download statistics for harmful skills, effectively circumventing established security protocols and distorting search result rankings.
By artificially boosting the perceived popularity of a compromised skill, threat actors could orchestrate extensive supply-chain attacks, targeting both human operators and autonomous artificial intelligence agents within the ecosystem.
ClawHub serves a similar function to package managers like npm for OpenClaw agents, providing a platform where developers can publish various integrations, such as tools for calendar management or web search functionalities.
Given that both human users and AI models frequently rely on download counts as a key indicator of trustworthiness, an inflated counter could provide the necessary social proof to trick targets into installing malicious code.

Technical Exploitation
The core of this vulnerability originated from ClawHub’s backend implementation, which utilizes the Convex framework.
Convex operates on a typed Remote Procedure Call (RPC) model, where individual backend functions act as distinct endpoints. Developers are required to explicitly designate these backend functions as either internal or public.
During their investigation, researchers at Silverfort identified that the downloads:increment function was incorrectly exposed as a public mutation instead of being restricted as an internal, private function.

This critical misconfiguration bypassed all intended validation mechanisms. An attacker could send an unauthenticated curl request directly to the exposed deployment URL, specifying any valid skill identifier.
Lacking authentication, rate limiting, or deduplication controls, threat actors could continuously invoke this endpoint, leading to an indefinite increase in the download metric for any chosen skill.
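As an added example (not ClawHub's or Convex's code), the following self-contained TypeScript model shows the corrected shape of the pattern described above: the raw increment is registered as internal so the external dispatcher cannot reach it, and the single public entry point authenticates, deduplicates per user, skill and day, and rate-limits, which are the controls the recommendations at the end of this article call for. In real Convex the distinction is made with internalMutation versus mutation; the registry, dispatcher and function names here are assumptions.

```typescript
// Hypothetical model of internal/public RPC visibility (not Convex's real API):
// "internal" functions are never reachable from the deployment URL boundary.
type Visibility = "internal" | "public";
type Ctx = { userId: string | null; now: number }; // now = epoch milliseconds
type Handler = (ctx: Ctx, args: { skillId: string }) => number;
const registry = new Map<string, { visibility: Visibility; handler: Handler }>();
const downloads = new Map<string, number>();  // skillId -> download count
const counted = new Set<string>();            // "user|skill|day" dedup keys
const calls = new Map<string, number[]>();    // userId -> recent call timestamps

function register(name: string, visibility: Visibility, handler: Handler): void {
  registry.set(name, { visibility, handler });
}

// Server-side only: code inside the backend may invoke any registered function.
function callInternal(name: string, ctx: Ctx, args: { skillId: string }): number {
  const fn = registry.get(name);
  if (!fn) throw new Error(`unknown function ${name}`);
  return fn.handler(ctx, args);
}

// The deployment URL boundary: an external request only reaches public functions.
function dispatchExternal(name: string, ctx: Ctx, args: { skillId: string }): number {
  const fn = registry.get(name);
  if (!fn || fn.visibility !== "public") throw new Error(`no public function ${name}`);
  return fn.handler(ctx, args);
}

function downloadCount(skillId: string): number {
  return downloads.get(skillId) ?? 0;
}

// The raw increment stays internal: this is the fixed form of the exposed mutation.
register("downloads:increment", "internal", (_ctx, { skillId }) => {
  const n = downloadCount(skillId) + 1;
  downloads.set(skillId, n);
  return n;
});

// Public entry point: must be authenticated, at most 10 calls per user per minute,
// and only one counted download per user, skill and calendar day.
register("downloads:record", "public", (ctx, { skillId }) => {
  if (!ctx.userId) throw new Error("unauthenticated");
  const recent = (calls.get(ctx.userId) ?? []).filter((t) => ctx.now - t < 60_000);
  if (recent.length >= 10) throw new Error("rate limited");
  calls.set(ctx.userId, [...recent, ctx.now]);
  const key = `${ctx.userId}|${skillId}|${Math.floor(ctx.now / 86_400_000)}`;
  if (counted.has(key)) return downloadCount(skillId); // repeat within the day: no change
  counted.add(key);
  return callInternal("downloads:increment", ctx, { skillId });
});
```

Repeated calls from one caller no longer move the counter, and the increment itself cannot be named in an external request at all.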
Attack Chain and Impact
To illustrate the severe implications of this flaw, Silverfort developed a proof-of-concept supply chain attack.
They published a seemingly innocuous “Outlook Graph Integration” skill that secretly contained a data-exfiltration payload, cleverly disguised as a telemetry function.

By exploiting the publicly accessible RPC endpoint, the researchers inundated the backend database with requests, immediately propelling their malicious skill to the top positions within ClawHub’s search results.
The artificially inflated ranking successfully misled both human users and automated OpenClaw agents searching for calendar-related tools.
Within a mere six days, the compromised skill was executed 3,900 times across fifty cities globally, infiltrating several public companies. The payload stealthily exfiltrated usernames and domain names, underscoring the ease with which real attackers could harvest sensitive data such as environment variables, memory tokens, or local files from an agent’s execution environment.
Silverfort responsibly disclosed the vulnerability to the OpenClaw team on March 16, 2026. Lead developer Peter Steinberger and the platform’s security team acted swiftly, resolving the issue and deploying a production fix within 24 hours.
This incident serves as a stark reminder of the inherent security risks associated with rapid development practices, often termed “vibe-coding,” and the potential dangers when AI agents autonomously install software based solely on social proof metrics.
To help mitigate future supply chain threats, Silverfort has released ClawNet, an open-source security plugin designed for OpenClaw. ClawNet operates at the runtime level, intercepting installation attempts and utilizing the agent’s language model to scan skill content for malicious patterns before allowing execution.
What You Should Do
- Ensure all OpenClaw agents and ClawHub skills are updated to the latest patched versions.
- Implement robust authentication and authorization mechanisms for all backend functions, ensuring no sensitive endpoints are publicly exposed.
- Employ rate limiting and deduplication on API endpoints to prevent abuse, even for seemingly innocuous functions.
- Educate users and configure AI agents to critically evaluate skill trustworthiness beyond simple download counts or popularity metrics.
- Consider integrating runtime security plugins like ClawNet to scan skill content for malicious patterns before execution.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.