TL;DR: A public skill registry flaw let an attacker inflate a malicious skill to the top of ClawHub, leading to 3,900 executions in six days across 50 cities and demonstrating how trust signals can be manipulated, according to Silverfort. Popularity-based ranking is not a security control when autonomous agents can discover and install code on behalf of users.
NHIMG editorial — based on content published by Silverfort: LLMjacking research on how attackers hijack AI using compromised NHIs
By the numbers:
- 3,900 skill executions within 6 days in over 50 different cities around the world.
Questions worth separating out
Q: How should security teams stop AI agents from installing malicious skills?
A: Put a mandatory inspection and block step at the install boundary, not inside the skill itself.
Q: Why do download counts and popularity scores fail as trust signals for agent marketplaces?
A: Because those metrics describe exposure, not integrity.
Q: What breaks when an agent uses mutable marketplace metadata to choose tools?
A: The selection process becomes attacker-influenced before any code is executed.
Practitioner guidance
- Harden registry write paths Require authentication, permission checks, deduplication, and rate limiting for any endpoint that can change download counts, ranking, or other trust metrics.
- Separate discovery from approval Let agents search broadly, but force a distinct approval or inspection step before any install action that can execute code under user context.
- Inspect skills before installation Run package-level checks for suspicious scripts, telemetry exfiltration, and unsafe execution patterns at the runtime boundary where the agent cannot skip enforcement.
What's in the full article
Silverfort's full research covers the operational detail this post intentionally leaves for the source:
- The vulnerable Convex endpoint flow and the exact download counter bypass path used to inflate ranking.
- A step-by-step description of the malicious skill structure, including the embedded telemetry payload.
- The OpenClaw selection behaviour that made download count part of the skill choice logic.
- ClawNet implementation details showing how runtime interception blocks suspicious installs before execution.
👉 Read Silverfort's research on ClawHub ranking abuse and OpenClaw skill risk →
ClawHub ranking abuse: what it means for AI agent controls?
Explore further
Popularity is not a trust signal when the identity path is machine-consumed. ClawHub exposed a basic but dangerous assumption: that download counts can stand in for legitimacy. That premise breaks as soon as an attacker can manipulate the counter and an OpenClaw agent can treat the resulting score as decision support. The implication is that agent-facing registries need governance for metadata integrity, not just package content.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why trust failures persist even when teams believe controls are in place.
A question worth separating out:
Q: Who is accountable when an AI agent installs a malicious skill?
A: Accountability should sit with the organisation that defined the agent’s permissions, selection criteria, and install controls. If a human owner is not assigned, or if the agent can install code without enforceable policy, accountability becomes ambiguous. For regulated environments, that weakens evidence of governance and makes post-incident review harder to defend.
👉 Read our full editorial: OpenClaw skill ranking abuse exposes agentic supply chain risk