In early 2026, Silverfort’s security research team built a malicious skill, gamed ClawHub’s ranking algorithm, and pushed it to the number one position in its category. Within six days, it had executed on machines across more than 50 cities worldwide, including at several public companies, with 3,900 confirmed executions. Nobody who installed it knew it was malicious.
That was a controlled research demonstration. The real campaigns running alongside it were not controlled at all.
What Actually Happened on ClawHub
ClawHub is OpenClaw’s public skills registry. Anyone with a GitHub account older than one week could publish a skill, with no security review and no code audit required. When OpenClaw crossed 145,000 GitHub stars in early 2026 and millions of users started installing skills, that publishing model became a serious problem.
Koi Security audited all 2,857 skills available on ClawHub and found 341 malicious entries, with 335 of them traced to a single coordinated campaign named ClawHavoc.
Snyk’s broader scan across 3,984 skills confirmed 1,467 malicious payloads and found that 36% of all ClawHub skills contain detectable prompt injection.
Bitdefender’s independent analysis put the figure at roughly 900 malicious packages, representing around 20% of the total ecosystem.
What Those Skills Were Actually Doing
Trend Micro documented the most widespread attack in detail. Malicious skills embedded Atomic Stealer (AMOS) inside tools that appeared to be legitimate productivity integrations. The malware collected Mac usernames, passwords, files from Desktop and Documents folders, Apple keychain credentials, and browser data from 19 different browsers, then sent everything to an attacker-controlled server.
A separate GitHub security issue filed on February 2, 2026 exposed a skill called “capability-evolver” with 13,981 downloads. It contained undisclosed exfiltration to Feishu, a cloud service operated by ByteDance, using a hardcoded token in the skill’s source code. It read OpenClaw’s MEMORY.md, USER.md, and session log files while appearing to function normally.
Cisco’s AI security team demonstrated how a skill can perform its advertised function while simultaneously reading local files and sending contents to an external server. In a separate analysis, Cisco’s Talos team found 9 distinct vulnerabilities in the single most-downloaded legitimate skill on ClawHub, including command injection, path traversal, and improper credential storage.
How the #1 Skill Became the Attack Vector
Silverfort’s finding documents something specific: the trust mechanism itself was broken, not just the skill contents. Their proof-of-concept was an Outlook integration skill with a data exfiltration payload hidden inside a function named “send_telemetry.” It was not flagged during submission, it reached the top position in its category, and it executed 3,900 times in six days before Silverfort disclosed the vulnerability to the ClawHub team on March 16, 2026.
The practical implication is that “most popular” was not a trust signal. It was a targeting mechanism. An attacker who could surface a skill to the top of a category could guarantee a large install base without doing anything else.
The Persistence Problem Most Coverage Missed
Several ClawHavoc skills specifically targeted OpenClaw’s persistent memory files, SOUL.md and MEMORY.md. By writing into those files, an attacker does not need to trigger a payload on every session.
Snyk described this as transforming point-in-time exploits into stateful, delayed-execution attacks: a compromised memory file means the threat does not leave when the skill is removed.
What PAIO Does Differently
PAIO.claw is a managed OpenClaw hosting platform that ships with pre-installed, security-reviewed skills that do not come from the public ClawHub registry. Skills on your PAIO instance are vetted before they are made available, reviewed for hidden payloads, and tested for external connections beyond their stated function.
At $4 per month, setup takes under 60 seconds, and hundreds of users run their agents through PAIO specifically because the skill environment is not an open registry with a one-week GitHub account as the only publishing requirement.
A vetted skill has been reviewed for what it accesses, what it sends externally, and what permissions it requests beyond its stated function. That review would have caught the hardcoded Feishu token in capability-evolver, the send_telemetry function in Silverfort’s Outlook skill, and the SKILL.md-embedded AMOS payloads Trend Micro documented.
Who Should Pay Closest Attention
This matters most to anyone who installed skills from ClawHub between January and March 2026, or who is currently running community skills they have not reviewed at the source code level. If your agent has access to your email, files, or any credentials, the same broad system permissions that make it useful are what make an unvetted skill dangerous.
Frequently Asked Questions
What is the ClawHub security vulnerability?
ClawHub had no mandatory security review for skill submissions. Researchers confirmed between 341 and 1,467 malicious skills in the registry, including credential harvesters, backdoors, and data exfiltration tools that functioned normally while stealing user data. A separate vulnerability in ClawHub’s ranking algorithm also allowed attackers to artificially push malicious skills to the top download position.
Was the capability-evolver ClawHub skill malicious?
Yes. The skill, published by @autogame-17 with 13,981 downloads, silently sent OpenClaw session transcripts, MEMORY.md, USER.md, and local session logs to Feishu (a ByteDance cloud service) using a hardcoded API token in its source code. This was confirmed in the GitHub security disclosure filed February 2, 2026 under openclaw/clawhub issue #95.
How did the Silverfort ClawHub attack work?
Silverfort exploited a vulnerability in ClawHub’s ranking algorithm to push a malicious Outlook integration skill to the number one position in its category. The skill contained a data exfiltration payload hidden inside a function named send_telemetry. It recorded 3,900 executions across 50 cities in six days before the finding was disclosed to ClawHub on March 16, 2026.
Is it safe to install ClawHub skills now?
With caution. ClawHub now requires code review for new submissions and scans uploads via VirusTotal, but the process is primarily automated and does not catch prompt injection or dynamically loaded payloads. As of April 2026, 824 or more malicious skills remain confirmed in the registry. Only install skills from publishers with readable public source code.