ClawHub Vulnerability Exploited to Manipulate Skill Rankings, Enables Supply-Chain Attacks

Critical ClawHub Vulnerability Allows Attackers to Manipulate Skill Rankings

A significant security flaw has been identified in ClawHub, the public skills registry for the OpenClaw agentic ecosystem. This vulnerability enabled attackers to artificially inflate the download counts of malicious skills, thereby bypassing security checks and manipulating search rankings. By promoting compromised skills to the top, threat actors could orchestrate extensive supply-chain attacks against both human users and autonomous AI agents.

Understanding ClawHub’s Role

ClawHub functions similarly to npm for OpenClaw agents, allowing developers to publish integrations for tasks such as calendar management and web searching. Users and AI models often rely on download counts as a metric of trust. An inflated download counter can provide the social proof needed to deceive targets into installing malicious code.

Technical Exploitation

The root cause of this vulnerability lies in ClawHub’s backend implementation, which uses the Convex framework. Convex operates on a typed Remote Procedure Call (RPC) model where backend functions act as independent endpoints. Developers must explicitly define these backend functions as either internal or public.

During their analysis, Silverfort researchers discovered that the `downloads: increment` function was mistakenly exposed as a public mutation rather than an internal function. This critical configuration error bypassed all intended validation layers. An attacker could send an unauthenticated curl request targeting the exposed deployment URL with any valid skill identifier. Without authentication, rate limiting, or deduplication mechanisms in place, threat actors could continuously trigger the endpoint, causing the download metric for a given skill to increase indefinitely.
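The public-versus-internal distinction described above can be checked mechanically during code review. The following is an added example, not ClawHub's or Silverfort's code: a heuristic scanner that flags Convex `mutation()`/`action()` exports that never call `ctx.auth.getUserIdentity()`. The sample modules, their handler bodies, and the names `auditConvex`, `SAMPLE`, `incrementInternal` and `publish` are constructed for illustration.

```typescript
// Added example: heuristic audit for Convex write endpoints reachable without auth.
type SourceFile = { name: string; src: string };
type Finding = { path: string; reason: string };

// Constructed sample modules, NOT ClawHub's real code; table/field names are assumptions.
const SAMPLE: SourceFile[] = [
  { name: "downloads.ts", src: `
import { mutation, internalMutation } from "./_generated/server";
// Public: any client that knows the deployment URL can call this function.
export const increment = mutation({
  handler: async (ctx, { skillId }) => {
    const skill = await ctx.db.get(skillId);
    await ctx.db.patch(skillId, { downloads: skill.downloads + 1 });
  },
});
// Internal: callable only from other backend functions.
export const incrementInternal = internalMutation({
  handler: async (ctx, { skillId }) => {},
});` },
  { name: "skills.ts", src: `
import { mutation } from "./_generated/server";
export const publish = mutation({
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();
    if (identity === null) throw new Error("unauthenticated");
  },
});` },
];

// Flags exported public mutation()/action() declarations whose source never calls
// ctx.auth.getUserIdentity(). internalMutation/internalAction are skipped.
function auditConvex(files: SourceFile[]): Finding[] {
  const findings: Finding[] = [];
  for (const file of files) {
    const decl = /export const (\w+)\s*=\s*(mutation|action|internalMutation|internalAction)\s*\(/g;
    let m: RegExpExecArray | null;
    while ((m = decl.exec(file.src)) !== null) {
      if (m[2] !== "mutation" && m[2] !== "action") continue; // not client-callable
      const next = file.src.indexOf("export const", m.index + 1);
      const body = file.src.slice(m.index, next === -1 ? file.src.length : next);
      if (/ctx\.auth\.getUserIdentity\s*\(/.test(body)) continue;
      const modulePath = file.name.replace(/\.[tj]s$/, "");
      findings.push({ path: `${modulePath}:${m[1]}`, reason: `public ${m[2]} with no auth check` });
    }
  }
  return findings;
}

console.log(auditConvex(SAMPLE)); // report for the constructed sample
```

A hit means the function needs review, not that it is exploitable; an auth check alone also does not supply the rate limiting or deduplication the counter lacked.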

Attack Chain and Impact

To demonstrate the severity of this flaw, Silverfort crafted a proof-of-concept supply chain attack. They published a seemingly legitimate Outlook Graph Integration skill containing a hidden data-exfiltration payload disguised as a telemetry function.

By exploiting the exposed RPC endpoint, the researchers flooded the backend database with requests, instantly pushing their malicious skill to the top of the ClawHub search results. The inflated ranking successfully deceived both human users and automated OpenClaw agents searching for calendar tools.

Within six days, the compromised skill achieved 3,900 executions across fifty global cities, infiltrating several public companies. The payload quietly exfiltrated usernames and domain names, highlighting how easily real threat actors could harvest environment variables, memory tokens, or local files within the agent’s execution context.

Response and Mitigation

Silverfort responsibly disclosed the vulnerability to the OpenClaw team on March 16, 2026. Lead developer Peter Steinberger and the platform’s security team resolved the issue and deployed a production fix within 24 hours.

This incident underscores the hidden security risks associated with rapid development, or vibe-coding, and the dangers of AI agents making autonomous installation decisions based solely on social proof.

To mitigate future supply chain threats, Silverfort has released ClawNet, an open-source security plugin for OpenClaw. ClawNet operates at the runtime level to intercept installation attempts, using the agent’s language model to scan skills for potential security risks before execution.