Critical Vulnerability in ClawHub Exposed Supply-Chain Attack Risks
Security researchers at Silverfort uncovered a severe flaw in ClawHub, the public skills registry for the OpenClaw agentic ecosystem, which allowed attackers to manipulate download counts and push malicious integrations to the top of search rankings. The vulnerability, rooted in an improperly exposed backend function, enabled unauthenticated requests to artificially inflate download metrics, bypassing security checks and exploiting trust signals relied upon by both human users and autonomous AI agents.
ClawHub functions as a package registry for OpenClaw, where developers publish skills for tasks like calendar management and web searches. Since download counts serve as a key trust indicator, inflated metrics could deceive targets into installing compromised code. The flaw stemmed from the platform’s use of the Convex framework, where the `downloads: increment` function was mistakenly configured as a public mutation instead of an internal endpoint. This misconfiguration allowed attackers to send unauthenticated requests via simple cURL commands, triggering unlimited download increments without rate limits or authentication.
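An added example, not code from ClawHub, OpenClaw or Silverfort: a small JavaScript audit that scans Convex function source for state-changing functions registered with the public `mutation`/`action` constructors that never call `ctx.auth.getUserIdentity()`. The sample source, function names and table names are constructed, and the identity-call check is a heuristic that shows the call is present, not that its result is enforced.

```javascript
// Constructed Convex-style source for the demo; not ClawHub's actual code.
const SAMPLE = `
export const increment = mutation({
  args: { skillId: v.id("skills") },
  handler: async (ctx, { skillId }) => {
    const skill = await ctx.db.get(skillId);
    await ctx.db.patch(skillId, { downloads: skill.downloads + 1 });
  },
});
export const publish = mutation({
  args: { name: v.string() },
  handler: async (ctx, { name }) => {
    const identity = await ctx.auth.getUserIdentity();
    if (identity === null) throw new Error("unauthenticated");
    await ctx.db.insert("skills", { name, owner: identity.subject, downloads: 0 });
  },
});
export const recordDownload = internalMutation({
  args: { skillId: v.id("skills"), total: v.number() },
  handler: async (ctx, { skillId, total }) => ctx.db.patch(skillId, { downloads: total }),
});
`;

// Return the call text starting at the "(" at index `open` (naive: ignores parens in strings).
function callBody(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")" && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced input: audit whatever is there
}

// Flag state-changing functions any client can call with no identity check in the body.
function auditConvexSource(src) {
  const decl = /export\s+const\s+(\w+)\s*=\s*(internalMutation|internalAction|mutation|action)\s*\(/g;
  const findings = [];
  for (const m of src.matchAll(decl)) {
    const [, name, kind] = m;
    const body = callBody(src, m.index + m[0].length - 1);
    const isPublic = !kind.startsWith("internal"); // internal* is not callable by clients
    const checksIdentity = /ctx\.auth\.getUserIdentity\s*\(/.test(body);
    findings.push({ name, kind, exposed: isPublic && !checksIdentity });
  }
  return findings;
}

console.log(auditConvexSource(SAMPLE).filter((f) => f.exposed));
```

Run over a project's Convex function files in CI, a non-empty `exposed` list is a prompt to either switch the function to its `internal*` form or add an identity check and rate limit.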
To demonstrate the risk, Silverfort executed a proof-of-concept supply-chain attack by publishing a seemingly legitimate Outlook Graph Integration skill containing a hidden data-exfiltration payload. By flooding the backend with over 20,000 fake download requests, the malicious skill surged to the top of ClawHub’s rankings within hours. Over six days, it was executed 3,900 times across 50 global cities, infiltrating multiple public companies. The payload harvested sensitive data, including usernames and domain names, underscoring the potential for broader exploitation such as stealing environment variables, memory tokens, or local files.
The vulnerability was responsibly disclosed to OpenClaw on March 16, 2026, and a fix was deployed within 24 hours by lead developer Peter Steinberger and the security team. The incident highlights the risks of rapid development practices and the dangers of AI agents autonomously installing skills based on social proof. In response, Silverfort released ClawNet, an open-source security plugin that intercepts installation attempts at runtime, using OpenClaw’s language model to scan for malicious patterns before execution.
Source: https://cybersecuritynews.com/clawhub-vulnerability-manipulate-rankings-to-become-the-1-skill/
OpenClaw cybersecurity rating report: https://www.rankiteo.com/company/openclawai
{
  "id": "OPE1774434643",
  "linkid": "openclawai",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Multiple public companies',
'industry': 'Technology/AI',
'location': 'Global',
'name': 'OpenClaw',
'type': 'AI Agent Ecosystem'}],
'attack_vector': 'Unauthenticated API manipulation',
'data_breach': {'data_exfiltration': 'Yes (via malicious skill payload)',
'personally_identifiable_information': 'Usernames, domain '
'names',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally identifiable '
'information (usernames, domain '
'names), potential environment '
'variables/memory tokens/local '
'files'},
'date_detected': '2026-03-16',
'date_resolved': '2026-03-17',
'description': 'Security researchers at Silverfort uncovered a severe flaw in '
'ClawHub, the public skills registry for the OpenClaw agentic '
'ecosystem, which allowed attackers to manipulate download '
'counts and push malicious integrations to the top of search '
'rankings. The vulnerability enabled unauthenticated requests '
'to artificially inflate download metrics, bypassing security '
'checks and exploiting trust signals relied upon by both human '
'users and autonomous AI agents.',
'impact': {'brand_reputation_impact': "Erosion of trust in OpenClaw's skills "
'registry and AI agent ecosystem',
'data_compromised': 'Usernames, domain names, and potentially '
'environment variables, memory tokens, or '
'local files',
'identity_theft_risk': 'High (due to harvested usernames and '
'domain names)',
'operational_impact': 'Malicious skills executed 3,900 times '
'across 50 global cities, infiltrating '
'multiple public companies',
'systems_affected': 'OpenClaw agentic ecosystem, ClawHub skills '
'registry'},
'initial_access_broker': {'entry_point': 'ClawHub skills registry',
'high_value_targets': 'Public companies using '
'OpenClaw'},
'investigation_status': 'Resolved',
'lessons_learned': 'Risks of rapid development practices, dangers of AI '
'agents autonomously installing skills based on social '
'proof, and the need for runtime security scanning of '
'third-party integrations.',
'motivation': 'Demonstration of supply-chain attack risks',
'post_incident_analysis': {'corrective_actions': 'Restricted public access to '
'the `downloads: increment` '
'function, deployed ClawNet '
'for runtime security '
'scanning, and reviewed '
'development practices for '
'similar misconfigurations.',
'root_causes': 'Improperly exposed backend '
'function in Convex framework, lack '
'of authentication/rate limiting '
'for `downloads: increment` '
'endpoint, over-reliance on '
'download counts as trust signals.'},
'recommendations': 'Implement stricter access controls for backend functions, '
'enforce rate limiting on public APIs, deploy runtime '
'security plugins (e.g., ClawNet) to scan skills before '
'execution, and improve trust signals beyond download '
'counts.',
'references': [{'source': 'Silverfort Research'}],
'response': {'containment_measures': 'Fix deployed within 24 hours by '
"OpenClaw's security team",
'enhanced_monitoring': 'ClawNet (open-source security plugin to '
'intercept and scan installation '
'attempts)',
'remediation_measures': 'Corrected the `downloads: increment` '
'function to restrict public access',
'third_party_assistance': 'Silverfort (research and disclosure)'},
'threat_actor': 'Silverfort (for proof-of-concept)',
'title': 'Critical Vulnerability in ClawHub Exposed Supply-Chain Attack Risks',
'type': 'Supply-Chain Attack',
'vulnerability_exploited': 'Improperly exposed backend function (Convex '
"framework's `downloads: increment` configured as "
'public mutation)'}