ClawHub ranking abuse: what it means for AI agent controls

TL;DR: A public skill registry flaw let an attacker inflate a malicious skill to the top of ClawHub, leading to 3,900 executions in six days across 50 cities and demonstrating how trust signals can be manipulated, according to Silverfort. Popularity-based ranking is not a security control when autonomous agents can discover and install code on behalf of users.

NHIMG editorial — based on content published by Silverfort: LLMjacking research on how attackers hijack AI using compromised NHIs

By the numbers:

• 3,900 skill executions within 6 days in over 50 different cities around the world.

Questions worth separating out

Q: How should security teams stop AI agents from installing malicious skills?

A: Put a mandatory inspection and block step at the install boundary, not inside the skill itself.

Q: Why do download counts and popularity scores fail as trust signals for agent marketplaces?

A: Because those metrics describe exposure, not integrity.

Q: What breaks when an agent uses mutable marketplace metadata to choose tools?

A: The selection process becomes attacker-influenced before any code is executed.

Practitioner guidance

• Harden registry write paths Require authentication, permission checks, deduplication, and rate limiting for any endpoint that can change download counts, ranking, or other trust metrics.
• Separate discovery from approval Let agents search broadly, but force a distinct approval or inspection step before any install action that can execute code under user context.
• Inspect skills before installation Run package-level checks for suspicious scripts, telemetry exfiltration, and unsafe execution patterns at the runtime boundary where the agent cannot skip enforcement.

What's in the full article

Silverfort's full research covers the operational detail this post intentionally leaves for the source:

• The vulnerable Convex endpoint flow and the exact download counter bypass path used to inflate ranking.
• A step-by-step description of the malicious skill structure, including the embedded telemetry payload.
• The OpenClaw selection behaviour that made download count part of the skill choice logic.
• ClawNet implementation details showing how runtime interception blocks suspicious installs before execution.

👉 Read Silverfort's research on ClawHub ranking abuse and OpenClaw skill risk →

ClawHub ranking abuse: what it means for AI agent controls?

Explore further

View Full Forum →  |  NHI Foundation Course →