By NHI Mgmt Group Editorial Team
Published 2026-03-24
Domain: Breaches & Incidents
Source: Silverfort

TL;DR: A public skill registry flaw let an attacker inflate a malicious skill to the top of ClawHub, leading to 3,900 executions in six days across 50 cities and demonstrating how trust signals can be manipulated, according to Silverfort. Popularity-based ranking is not a security control when autonomous agents can discover and install code on behalf of users.


At a glance

What this is: Silverfort’s research shows how a ClawHub ranking flaw let a malicious OpenClaw skill look trusted and drive real executions at scale.

Why it matters: It matters because IAM teams now need to treat agent-facing marketplaces, runtime installation paths, and trust signals as identity governance problems, not just software distribution issues.

By the numbers:

👉 Read Silverfort's research on ClawHub ranking abuse and OpenClaw skill risk


Context

ClawHub is a public skills registry, so the core problem is not just code quality. It is identity trust at install time, where a skill can be surfaced, selected, and executed because it appears popular rather than because it is demonstrably safe. In agentic environments, that makes marketplace ranking part of the control plane.

The article shows how a small implementation flaw in the download counter turned social proof into an attack surface. Once an OpenClaw agent uses download popularity as part of its selection logic, the governance question expands from supply chain security to AI agent identity, runtime verification, and the controls that decide what an autonomous tool can install.


Key questions

Q: How should security teams stop AI agents from installing malicious skills?

A: Put a mandatory inspection and block step at the install boundary, not inside the skill itself. The control must evaluate package metadata, embedded scripts, and suspicious behaviour before execution begins. If the model can skip the check, the check is advisory, not enforcement. Treat agent-installed code as a governed identity action, with ownership and approval rules attached.

Q: Why do download counts and popularity scores fail as trust signals for agent marketplaces?

A: Because those metrics describe exposure, not integrity. An attacker who can manipulate ranking or inflate counts can make untrusted code look legitimate and increase the chance that both humans and agents will install it. In agentic environments, popularity becomes a security control only if the underlying metric is tamper-resistant and independently verified.

Q: What breaks when an agent uses mutable marketplace metadata to choose tools?

A: The selection process becomes attacker-influenced before any code is executed. If score, download count, or name can be gamed, the agent may treat the wrong package as the safest option. That shifts the risk from software supply chain hygiene to decision integrity, which requires stronger boundary controls and telemetry on the selection logic.

Q: Who is accountable when an AI agent installs a malicious skill?

A: Accountability should sit with the organisation that defined the agent’s permissions, selection criteria, and install controls. If a human owner is not assigned, or if the agent can install code without enforceable policy, accountability becomes ambiguous. For regulated environments, that weakens evidence of governance and makes post-incident review harder to defend.


Technical breakdown

How download counters become trust signals

ClawHub ranks skills using download count, so the registry turns popularity into a discovery mechanism. That is safe only if the counter is resistant to manipulation. In this case, a public RPC endpoint exposed the increment function without authentication, rate limiting, deduplication, or permission checks. Once those controls were bypassed, the attacker could inflate the score of a malicious skill and push it into the position users and agents were most likely to trust. The failure is not just a bug in counting. It is a trust model that assumes popularity reflects legitimacy.

Practical implication: treat ranking and score fields as security-relevant inputs and protect them with the same controls used for privileged write paths.
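As an added illustration (not Silverfort's, ClawHub's or OpenClaw's code), the two counters below contrast the unprotected increment described above with one that applies the controls the article names: caller authentication, a permission check, per-caller deduplication and rate limiting. Token names, scopes, skill names and attempt counts are constructed, and the caller supplies the clock so the run is deterministic.

```python
from collections import defaultdict

class WeakCounter:
    """Public increment with no checks: popularity becomes attacker-controlled."""
    def __init__(self):
        self.downloads = defaultdict(int)
    def increment(self, skill):
        self.downloads[skill] += 1
        return self.downloads[skill]

class HardenedCounter:
    """Increment treated as a privileged write path: authn, authz, dedup, rate limit."""
    def __init__(self, tokens, dedup_window_s=86400, max_per_minute=60):
        self.tokens = tokens                # token -> {"sub": principal, "scope": set()}
        self.dedup_window_s = dedup_window_s
        self.max_per_minute = max_per_minute
        self.downloads = defaultdict(int)
        self.last_counted = {}              # (principal, skill) -> time of last counted download
        self.attempts = defaultdict(list)   # principal -> timestamps of recent attempts
    def increment(self, skill, token, now):  # now: caller-supplied clock, in seconds
        ident = self.tokens.get(token)
        if ident is None or "skill:download" not in ident["scope"]:
            raise PermissionError("unauthenticated or unauthorized increment rejected")
        # Rate limit attempts per principal, whether or not they end up counted.
        recent = [t for t in self.attempts[ident["sub"]] if now - t < 60] + [now]
        self.attempts[ident["sub"]] = recent
        if len(recent) > self.max_per_minute:
            raise PermissionError("rate limit exceeded")
        # Dedup: one counted download per principal per skill per window.
        key = (ident["sub"], skill)
        last = self.last_counted.get(key)
        if last is not None and now - last < self.dedup_window_s:
            return self.downloads[skill]
        self.last_counted[key] = now
        self.downloads[skill] += 1
        return self.downloads[skill]

def simulate_inflation(attempts=3000, per_second=100):
    """One constructed attacker hammers both counters; returns (weak, hardened, rejected)."""
    weak = WeakCounter()
    for _ in range(attempts):
        weak.increment("evil-skill")
    hard = HardenedCounter({"tok-a": {"sub": "attacker", "scope": {"skill:download"}}})
    rejected = 0
    for i in range(attempts):
        try:
            hard.increment("evil-skill", "tok-a", now=1000.0 + i / per_second)
        except PermissionError:
            rejected += 1
    return weak.downloads["evil-skill"], hard.downloads["evil-skill"], rejected
```

With 3000 attempts the weak counter reports 3000 downloads while the hardened one reports 1, having deduplicated the first minute of attempts and rejected the rest at the rate limit.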

Why autonomous skill selection amplifies supply chain risk

OpenClaw does not just display a catalog. It evaluates search results and selects skills using signals that include name, summary, score, and downloads. That creates an agentic trust loop, where the system can prefer a malicious package because it appears socially validated. The security issue is not that the model is clever or not clever enough. It is that the agent is allowed to rely on manipulated metadata when choosing a tool that will run with the user’s privileges. In agentic systems, the metadata itself becomes part of the attack path.

Practical implication: insert verification before autonomous installation, not after execution, and separate discovery signals from authorization decisions.

What a runtime inspection plugin changes

ClawNet sits in the OpenClaw agent loop rather than inside a skill, which matters because skills can be skipped, ignored, or misinterpreted by the model. A plugin that intercepts installation attempts operates at the runtime boundary, where it can inspect the package before the agent executes it. The mechanism is closer to policy enforcement than advisory scanning. For identity teams, that distinction matters because autonomous tool use demands controls that are enforced outside the model’s discretion. If the model can choose whether to apply the safety check, the control is not actually controlling the identity path.

Practical implication: place inspection and allow or block decisions at the runtime boundary that the agent cannot bypass.


Threat narrative

Attacker objective: The attacker wanted to convert a manipulated registry reputation signal into trusted distribution and code execution on end-user and agent-operated systems.

  1. Entry began with a malicious skill published into ClawHub, where public discovery and search visibility created the opportunity to present untrusted code as legitimate.
  2. Escalation occurred when the attacker abused an unauthenticated public mutation to inflate download counts and push the malicious skill to the top of search results.
  3. Impact followed when users and OpenClaw agents installed the skill and executed its embedded payload, giving the attacker execution on recipient machines under privileged user context.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Popularity is not a trust signal when the identity path is machine-consumed. ClawHub exposed a basic but dangerous assumption: that download counts can stand in for legitimacy. That premise breaks as soon as an attacker can manipulate the counter and an OpenClaw agent can treat the resulting score as decision support. The implication is that agent-facing registries need governance for metadata integrity, not just package content.

Autonomous tool selection turns registry metadata into an access-control input. The article shows that an AI agent can privilege a package because its downloads and score look trustworthy, even when the code has never been validated. That is not a content problem alone. It is an identity governance problem because the agent is making execution decisions from externally mutable signals. Practitioners need to re-evaluate where authorisation ends and recommendation begins.

Runtime enforcement is the only meaningful boundary when the model can mis-rank risk. ClawNet matters because it is placed where the installation decision happens, not where the skill is described. A plugin that can inspect and block suspicious installs at runtime addresses the point of highest leverage. The broader lesson is that agentic environments need controls that do not depend on the agent selecting the safe path by itself.

OpenClaw’s skill ecosystem shows how agentic supply chains collapse into identity governance. The moment a skill can be discovered, selected, and executed on behalf of a user, the registry becomes part of the identity plane. That shifts the problem beyond classic package security into who or what is allowed to act, under what evidence, and with what authority. Security teams should treat agent-installed skills as governed identities, not just software artefacts.

Trust metrics that can be gamed create identity blast radius. The named concept here is identity blast radius, meaning the amount of downstream execution power that a manipulated trust signal can unlock. Once the malicious skill reached the top of search, the blast radius expanded from one poisoned listing to thousands of executions across many geographies. The practical conclusion is that popularity-based ranking must never be the final gate for autonomous installation.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why trust failures persist even when teams believe controls are in place.
  • For a broader control lens, see The 52 NHI breaches Report for patterns that show how identity trust breaks down across machine-access paths.

What this signals

Trust signals need to move from popularity to provenance. ClawHub shows what happens when score becomes a proxy for safety: the registry itself becomes a control surface. Teams should align agent marketplace decisions with guidance from the OWASP Agentic AI Top 10 and the MITRE ATLAS adversarial AI threat matrix, because agent selection logic is now part of the threat model.

With 43% of security professionals concerned about AI systems learning and reproducing sensitive information patterns from codebases, per The State of Secrets in AppSec, the issue is no longer just malicious packages. It is the combination of machine-readable metadata, autonomous selection, and execution privilege. That means identity teams should prepare governance that spans discovery, approval, and runtime enforcement.

Identity blast radius: once an agent can install code based on manipulated trust metrics, the downstream impact is measured in executions, not downloads. That is why practitioners should connect package governance to workload identity controls and runtime policy, not leave it to developer judgment alone.


For practitioners

  • Harden registry write paths: Require authentication, permission checks, deduplication, and rate limiting for any endpoint that can change download counts, ranking, or other trust metrics.
  • Separate discovery from approval: Let agents search broadly, but force a distinct approval or inspection step before any install action that can execute code under user context.
  • Inspect skills before installation: Run package-level checks for suspicious scripts, telemetry exfiltration, and unsafe execution patterns at the runtime boundary where the agent cannot skip enforcement.
  • Map agent ownership and entitlement: Assign every AI agent a human owner, document the skills it may install, and remove standing privileges so the agent can only act within a bounded approval model.
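The following added example (hypothetical code, not OpenClaw's or ClawNet's) shows the separation the list above and the runtime-boundary section describe: popularity only ranks candidates, while an owner-configured gate that checks publisher, content digest and install-time scripts is the sole path to execution and records every decision for telemetry. Skill names, publishers, owner names and package bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
def sha256(data: bytes) -> str: return hashlib.sha256(data).hexdigest()

@dataclass
class Skill:
    name: str
    publisher: str
    downloads: int          # registry metadata: mutable and attacker-influenceable
    package: bytes          # the bytes that would actually execute
    digest: str             # publisher-declared sha256 of package
    install_hooks: tuple = ()  # scripts the package asks to run at install time

def rank_by_popularity(candidates):
    """Discovery step: a recommendation only, never an authorization."""
    return sorted(candidates, key=lambda s: s.downloads, reverse=True)

class InstallGate:
    """Runtime boundary: the only path to execution; policy comes from the owner, not score."""
    def __init__(self, owner, approved_publishers):
        self.owner = owner
        self.approved = frozenset(approved_publishers)
        self.audit = []     # (skill, decision, reason): telemetry on the selection path

    def install(self, skill):
        allowed, reason = self._decide(skill)
        self.audit.append((skill.name, "allow" if allowed else "block", reason))
        return allowed

    def _decide(self, skill):
        if skill.publisher not in self.approved:
            return False, f"publisher not approved by owner {self.owner}"
        if sha256(skill.package) != skill.digest:
            return False, "package digest does not match declared digest"
        if skill.install_hooks:
            return False, "install-time scripts not permitted: " + ", ".join(skill.install_hooks)
        return True, "ok"

def select_and_install(candidates, gate):
    """Agent loop: most popular first, but nothing runs unless the gate allows it."""
    for skill in rank_by_popularity(candidates):
        if gate.install(skill):
            return skill.name
    return None

def sample_candidates():
    """Constructed sample: an inflated unknown listing ranked above a legitimate one."""
    good, bad = b"def run(doc): return summarize(doc)", b"<opaque package bytes>"
    return [Skill("pdf-summarizer-pro", "unknown-dev", 3900, bad, sha256(bad), ("postinstall.sh",)),
            Skill("pdf-summarizer", "acme-tools", 120, good, sha256(good))]
```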

Key takeaways

  • The ClawHub flaw shows that popularity-based trust signals can be turned into an execution path for malicious agent skills.
  • The scale matters because thousands of executions followed a manipulated registry signal, proving that small metadata flaws can create a large identity blast radius.
  • The practical control point is before installation, with enforced inspection, ownership, and boundary controls that the agent cannot bypass.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Agent selection and tool-use risk maps directly to malicious skill installation.
OWASP Non-Human Identity Top 10 | NHI-01 | Skills and agents behave like identities with privileged execution paths.
NIST CSF 2.0 | PR.AC-4 | The attack exploited weak access control around a public write action.

Treat agentic tool selection as a governed action and require pre-execution inspection for untrusted packages.


Key terms

  • Agentic Skill Marketplace: A marketplace where AI agents or users can discover, evaluate, and install executable skills or tools. In governance terms, it combines software distribution with identity decisions because the installed package can act on behalf of a user or agent with inherited authority.
  • Identity Blast Radius: The downstream scope of damage that a compromised identity signal can unlock. In agentic systems, a manipulated ranking, token, or install path can expand from one poisoned decision to many executions, making the blast radius a governance measure, not just an incident metric.
  • Runtime Enforcement Boundary: The point in a system where a policy decision is applied before an action is allowed to continue. For AI agents and NHIs, the boundary matters because controls placed inside the model or package can be skipped, while controls at the boundary can still stop execution.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Silverfort: LLMjacking research on how attackers hijack AI using compromised NHIs. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org