Critical Flaw in OpenClaw’s ClawHub Marketplace Exposed Supply Chain Attack Risk
Security researchers at Silverfort uncovered a severe vulnerability in OpenClaw’s ClawHub skills marketplace, enabling attackers to manipulate download rankings and push a malicious skill to the top of its category. The flaw, discovered in March 2026, allowed adversaries to artificially inflate a package’s popularity, tricking users and autonomous AI agents into installing it under the guise of legitimacy.
How the Attack Worked
ClawHub, OpenClaw’s public registry for agent-extending skills (e.g., email, calendar, or web search integrations), relies on download counts as a key trust signal. However, Silverfort found that a publicly exposed RPC endpoint intended for internal use lacked authentication, rate limiting, or permission checks. By exploiting this, attackers could arbitrarily boost a skill’s download count with automated requests, bypassing safeguards.
To demonstrate the risk, researchers created a malicious "Outlook Graph Integration" skill, embedding a low-impact data-exfiltration payload. After flooding the system with fake downloads, the package surged to the #1 spot in its category within days. Real users and OpenClaw agents, often running with high privileges, installed it 3,900 times across 50+ cities, including within public companies, unwittingly leaking basic identity data (usernames, domain names) to a controlled server.
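One way a registry operator could spot this kind of download-count inflation from its own request records, shown as an added example that is not code from Silverfort or OpenClaw. The log line format, the skill and client names, and the thresholds are assumptions.

```javascript
// Constructed sample log, one line per counted download:
//   "<ISO time> skill=<id> client=<source id>"  (format and names are assumptions)
function sampleLog() {
  const base = Date.UTC(2026, 2, 10), lines = [];
  // 40 downloads from 40 sources, one per hour.
  for (let i = 0; i < 40; i++)
    lines.push(`${new Date(base + i * 3600e3).toISOString()} skill=skill-organic client=c${i}`);
  // 600 downloads from 2 sources, one per second.
  for (let i = 0; i < 600; i++)
    lines.push(`${new Date(base + i * 1e3).toISOString()} skill=skill-inflated client=x${i % 2}`);
  return lines;
}

// Flags skills whose count is driven by few sources or by bursts.
// Thresholds are illustrative defaults to tune against real traffic.
function scoreSkills(lines, { maxPerClient = 5, maxPerMinute = 30 } = {}) {
  const stats = new Map();
  for (const line of lines) {
    const m = /^(\S+) skill=(\S+) client=(\S+)$/.exec(line);
    const minute = m ? Math.floor(Date.parse(m[1]) / 60000) : NaN;
    if (Number.isNaN(minute)) continue;   // skip malformed lines
    let s = stats.get(m[2]);
    if (!s) stats.set(m[2], (s = { total: 0, clients: new Set(), perMinute: new Map() }));
    s.total++;
    s.clients.add(m[3]);
    s.perMinute.set(minute, (s.perMinute.get(minute) || 0) + 1);
  }
  const report = Object.create(null);
  for (const [skill, s] of stats) {
    const peakPerMinute = Math.max(...s.perMinute.values());
    const perClient = s.total / s.clients.size;
    report[skill] = {
      total: s.total, distinctClients: s.clients.size, peakPerMinute,
      suspicious: perClient > maxPerClient || peakPerMinute > maxPerMinute,
    };
  }
  return report;
}
```

The raw total alone ranks the inflated skill first; the distinct-source and burst figures are what separate it from organic adoption.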
Automated Trust Exploitation
The attack’s danger was amplified by OpenClaw agents’ autonomous decision-making. When instructed to find the "best" tool for tasks like email management, agents consulted ClawHub’s rankings, favoring the manipulated skill due to its inflated download count. This created a self-reinforcing loop, where AI-driven recommendations further propagated the malicious package.
Root Cause & Fix
The vulnerability stemmed from a misconfigured backend function in ClawHub’s Convex-based infrastructure. A helper function meant for internal use was accidentally exposed as a public mutation, violating security best practices. Silverfort reported the issue on March 16, 2026, and OpenClaw deployed a fix within 24 hours, closing the exploit path.
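The exposure described above, modelled as a small stand-alone RPC dispatcher with the misconfigured registration beside one possible hardened form. This is an added example, not ClawHub's or Convex's code: `makeBackend`, `recordDownload`, `bumpDownloadCount` and `replay` are hypothetical names, and the per-user deduplication is an assumed mitigation, not the fix OpenClaw shipped.

```javascript
// Stand-alone model of an RPC backend. All names are hypothetical, not ClawHub's or Convex's API.
function makeBackend({ hardened }) {
  const downloads = new Map();             // skillId -> download count
  const counted = new Set();               // (userId, skillId) pairs already counted
  const publicFns = Object.create(null);   // reachable by any client over RPC
  const internalFns = Object.create(null); // reachable only from server-side code

  // Helper meant for internal use: a raw counter bump with no checks of its own.
  const bumpDownloadCount = (skillId) =>
    downloads.set(skillId, (downloads.get(skillId) || 0) + 1).get(skillId);

  if (hardened) {
    internalFns.bumpDownloadCount = bumpDownloadCount;
    // The only public path: authenticated and idempotent per (user, skill).
    publicFns.recordDownload = (ctx, skillId) => {
      if (!ctx.userId) throw new Error("unauthenticated");
      const key = JSON.stringify([ctx.userId, skillId]);
      if (!counted.has(key)) {
        counted.add(key);
        internalFns.bumpDownloadCount(skillId);
      }
      return downloads.get(skillId) || 0;
    };
  } else {
    // The flaw: the internal helper is registered on the public surface.
    publicFns.bumpDownloadCount = (_ctx, skillId) => bumpDownloadCount(skillId);
  }

  // RPC entry point: clients can reach only what is in publicFns.
  const call = (ctx, name, ...args) => {
    const fn = publicFns[name];
    if (!fn) throw new Error(`no public function: ${name}`);
    return fn(ctx, ...args);
  };
  return { call, count: (id) => downloads.get(id) || 0 };
}

// Sends the same anonymous request repeatedly to one backend (constructed input).
function replay(backend, name, times) {
  let rejected = 0;
  for (let i = 0; i < times; i++) {
    try { backend.call({ userId: null }, name, "skill-a"); } catch { rejected++; }
  }
  return { rejected, count: backend.count("skill-a") };
}
```

Against the misconfigured backend every repeated anonymous call moves the counter; against the hardened one the helper is not reachable by name, and the public path counts each authenticated user once per skill.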
Broader Implications
The incident highlights risks in reputation-based trust systems, where manipulated metrics can drive mass adoption of malicious software. It also underscores the need for strict security boundaries in RPC-centric backends, particularly in fast-evolving projects prioritizing speed over structured reviews.
To mitigate future risks, Silverfort released ClawNet, an open-source security plugin that scans skills for suspicious patterns before installation, acting as a runtime guardrail for OpenClaw agents. The vulnerability has since been patched, but the case serves as a cautionary example of how supply chain attacks can exploit trust signals in AI ecosystems.
Source: https://cyberpress.org/clawhub-vulnerability/
OpenClaw cybersecurity rating report: https://www.rankiteo.com/company/openclaw
"id": "OPE1774434339",
"linkid": "openclaw",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '3,900+ installations across 50+ '
'cities, including public '
'companies',
'industry': 'AI/Agent Software',
'name': 'OpenClaw',
'type': 'Company'}],
'attack_vector': 'Exploiting misconfigured RPC endpoint',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '3,900+ installations',
'personally_identifiable_information': True,
'sensitivity_of_data': 'Low to medium',
'type_of_data_compromised': 'Personally identifiable '
'information (usernames, domain '
'names)'},
'date_detected': '2026-03',
'date_resolved': '2026-03-17',
'description': 'Security researchers at Silverfort uncovered a severe '
'vulnerability in OpenClaw’s ClawHub skills marketplace, '
'enabling attackers to manipulate download rankings and push a '
'malicious skill to the top of its category. The flaw allowed '
'adversaries to artificially inflate a package’s popularity, '
'tricking users and autonomous AI agents into installing it '
'under the guise of legitimacy.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'ClawHub’s ranking system',
'data_compromised': 'Basic identity data (usernames, domain names)',
'identity_theft_risk': 'Low (basic identity data exposed)',
'operational_impact': 'Unauthorized installation of malicious '
'skills by AI agents and users',
'systems_affected': 'OpenClaw agents, ClawHub marketplace'},
'investigation_status': 'Resolved',
'lessons_learned': 'Risks in reputation-based trust systems, need for strict '
'security boundaries in RPC-centric backends, and the '
'importance of runtime guardrails for AI ecosystems.',
'motivation': 'Demonstration of supply chain attack risk',
'post_incident_analysis': {'corrective_actions': 'Closed the exposed RPC '
'endpoint, implemented '
'stricter security '
'boundaries, and released '
'ClawNet for runtime '
'scanning.',
'root_causes': 'Misconfigured backend function in '
'ClawHub’s Convex-based '
'infrastructure, exposed as a '
'public mutation without proper '
'safeguards.'},
'recommendations': 'Implement ClawNet or similar security plugins to scan '
'skills for suspicious patterns before installation. '
'Enforce structured security reviews in fast-evolving '
'projects.',
'references': [{'source': 'Silverfort'}],
'response': {'containment_measures': 'Patch deployed within 24 hours of '
'disclosure',
'remediation_measures': 'Closed the exposed RPC endpoint, '
'implemented stricter security '
'boundaries',
'third_party_assistance': 'Silverfort (researchers)'},
'threat_actor': 'Silverfort (researchers, for demonstration)',
'title': 'Critical Flaw in OpenClaw’s ClawHub Marketplace Exposed Supply '
'Chain Attack Risk',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Publicly exposed RPC endpoint lacking '
'authentication, rate limiting, or permission '
'checks'}