A security research team has found a serious flaw in ClawHub, the public skills registry for the OpenClaw agentic ecosystem. Attackers could use this flaw to inflate the download counts of malicious skills, which let them get around security checks and manipulate search rankings.

By pushing a compromised skill to the top of the rankings, threat actors could launch large-scale supply-chain attacks against both human users and autonomous AI agents. The incident shows the hidden security risks of "vibe-coding," or fast development, and the risks of AI agents making installation decisions on their own based only on social proof. On March 16, 2026, Silverfort responsibly disclosed the vulnerability to the OpenClaw team. Peter Steinberger, the lead developer, and the platform's security team fixed the problem and deployed the fix to production within 24 hours.

Silverfort has released ClawNet, an open-source security plugin for OpenClaw, to help protect against future threats to the supply chain. ClawNet works at the runtime level to stop installation attempts. Before execution is allowed, it uses the agent's language model to scan skill content for malicious patterns.
