By abusing this logic flaw, an adversary could make a backdoored skill appear highly popular and trustworthy, driving mass adoption and turning a single package into the launch point for a large‑scale supply chain attack across OpenClaw agents worldwide.
ClawHub is OpenClaw’s public skills registry, where anyone can publish skills that extend agents with integrations such as calendar management, email workflows, or web search.
As with many public registries, users and agents often equate high download counts with safety, using popularity as a primary trust signal when deciding which skills to install.
This design made ClawHub particularly attractive for attackers looking to plant malicious packages that blend into a crowded marketplace and then rely on “social proof” to drive infections.
Silverfort’s research shows that ClawHub’s download tracking logic attempted to enforce rate limits and deduplication per IP and user, so that repeated requests within an hour would not inflate statistics.
However, a deeper analysis of the open‑source code revealed a separate download.increment mutation that bypassed all of these protections and was exposed as a public RPC endpoint instead of an internal‑only function.
Because this function lacked authentication, rate limiting, and permission checks, anyone who knew a skill ID and deployment URL could arbitrarily increase its download count with automated requests.
To demonstrate impact, the researchers created a seemingly legitimate “Outlook Graph Integration” skill, advertised as helping OpenClaw agents schedule meetings and manage email.
Hidden inside was a low‑impact data‑exfiltration payload that, when executed, collected the client’s username and fully qualified domain name and sent them to a researcher‑controlled server. The payload was deliberately mild in the proof of concept, but it could easily be extended to harvest tokens, environment variables, or sensitive files.
With the malicious skill published, the team then scripted calls to the exposed downloads.increment function, flooding the stats backend and rapidly pushing the package to the top of its category’s search results with tens of thousands of fake downloads.
Once the inflated numbers made the skill appear to be the de facto standard for its use case, real users and OpenClaw agents began installing and executing it at scale.
In just six days, the skill was executed around 3,900 times across more than 50 cities worldwide, including inside several public companies, each execution quietly exfiltrating basic identity data.
Because OpenClaw agents often run with high privileges and act on behalf of human operators, a more aggressive payload could have turned this into a far more damaging compromise path, spanning lateral movement, credential theft, and environment reconnaissance.
The vulnerability was especially dangerous because OpenClaw agents themselves rely on ClawHub’s ranking signals when autonomously selecting skills.
When instructed to find the “best” tool for managing email and calendar tasks, the agent consulted ClawHub via CLI, weighed parameters including semantic descriptions and the internal score, and ultimately favored the malicious package because its inflated download count gave it the highest score.
This shows how automated decision‑making pipelines can blindly reinforce manipulated metrics, causing AI agents to recommend and install precisely the skills an attacker wants them to trust.
Silverfort’s analysis also highlights a broader architectural lesson: RPC‑centric backends such as Convex require strict security boundaries around public functions.
In this case, a function intended as an internal helper was accidentally exposed as a public mutation, directly callable over the deployment URL without any access control, violating Convex’s own guidance that all public functions must enforce explicit authorization.
Such mistakes are easy to introduce when backend logic and network exposure are tightly coupled, especially in rapidly evolving “vibe‑coded” projects that prioritize speed over structured security reviews.
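The two code paths described above (the deduplicated download tracking and the unguarded increment helper) and the access-control lesson drawn from them, modelled as an added TypeScript example that is not ClawHub, OpenClaw or Convex code; every name in it (DownloadStats, recordDownload, incrementUnchecked, incrementInternal, Caller) is hypothetical, and the in-memory maps stand in for the real stats backend.

```typescript
// Added example (hypothetical names), not ClawHub/OpenClaw/Convex code.
interface DownloadEvent { skillId: string; userId: string | null; ip: string; at: number; }
interface Caller { authenticated: boolean; internal: boolean; }

const HOUR_MS = 60 * 60 * 1000;

class DownloadStats {
  private counter = new Map<string, number>();   // the number the ranking reads
  private seen = new Set<string>();              // dedup keys: skill|actor|hour
  private verified = new Map<string, number>();  // downloads that passed dedup

  private bump(map: Map<string, number>, k: string, n: number): void {
    map.set(k, (map.get(k) ?? 0) + n);
  }

  // Guarded path: one counted download per user (or per IP when anonymous) per hour.
  recordDownload(ev: DownloadEvent): boolean {
    const actor = ev.userId ?? `ip:${ev.ip}`;
    const key = `${ev.skillId}|${actor}|${Math.floor(ev.at / HOUR_MS)}`;
    if (this.seen.has(key)) return false;      // repeat within the hour: not counted
    this.seen.add(key);
    this.bump(this.verified, ev.skillId, 1);
    this.bump(this.counter, ev.skillId, 1);
    return true;
  }

  // Vulnerable shape: a helper reachable by any caller, with no checks at all.
  incrementUnchecked(skillId: string, n = 1): void {
    this.bump(this.counter, skillId, n);
  }

  // Hardened shape: refuse unless the call comes from authenticated backend code.
  incrementInternal(caller: Caller, skillId: string, n = 1): boolean {
    if (!caller.internal || !caller.authenticated) return false;
    this.bump(this.counter, skillId, n);
    return true;
  }

  rawCount(skillId: string): number { return this.counter.get(skillId) ?? 0; }
  verifiedCount(skillId: string): number { return this.verified.get(skillId) ?? 0; }

  // Reconciliation check: a counter that outruns deduplicated evidence is suspect.
  isInflated(skillId: string, slack = 10): boolean {
    return this.rawCount(skillId) > this.verifiedCount(skillId) + slack;
  }
}

// Constructed scenario: one real user twice in an hour, then a flood via the unguarded path.
function scenario(): { raw: number; verified: number; inflated: boolean } {
  const s = new DownloadStats();
  const t0 = 1_700_000_000_000;
  s.recordDownload({ skillId: 'skill-a', userId: 'u1', ip: '203.0.113.5', at: t0 });
  s.recordDownload({ skillId: 'skill-a', userId: 'u1', ip: '203.0.113.5', at: t0 + 60_000 });
  for (let i = 0; i < 500; i++) s.incrementUnchecked('skill-a');
  return { raw: s.rawCount('skill-a'), verified: s.verifiedCount('skill-a'), inflated: s.isInflated('skill-a') };
}
```

The reconciliation check is the defender's takeaway: a ranking should be fed from deduplicated evidence, and any counter that drifts away from that evidence should be flagged rather than trusted.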
Silverfort reported the issue to the ClawHub and OpenClaw team on March 16, 2026, providing impact details and technical proof of exploitation.
According to the researchers, the maintainers responded quickly and shipped a fix within roughly 24 hours, closing the exposed increment path and hardening the download logic in production.
The vulnerability has since been remediated, preventing further abuse of download counts as a trust amplification vector, though historical manipulations in the broader ecosystem underline how fragile reputation‑based metrics can be.
To help OpenClaw users harden their agents against malicious skills, Silverfort has released ClawNet, an open‑source security plugin that intercepts skill installation flows and uses the local LLM to scan SKILL.md content and scripts for suspicious patterns before allowing installs.
Implemented as a plugin rather than a normal skill, ClawNet integrates directly into the OpenClaw agent loop so its checks cannot be silently skipped by model behavior, offering a runtime guardrail against untrusted or tampered skills in the ClawHub marketplace.
The post ClawHub Vulnerability Lets Attackers Manipulate Rankings to Reach #1 appeared first on Cyber Security News.