GoPlus: ClawHub has a vulnerability that allows for download count forgery, and popular skills may contain malicious code
Mar 26, 2026 19:26:53
According to a security alert released by GoPlus Security, Silverfort security researchers discovered a serious vulnerability in ClawHub, the skill repository for OpenClaw. By calling the internal function downloads:increment, attackers can bypass all protective mechanisms and inflate the download count to over 20,000 in just a few minutes with a single curl request, thereby pushing malicious skills to the top of search rankings and enticing users or AI Agents to install them automatically.
Once the malicious skill is running, it can steal sensitive data such as cryptocurrency wallets and API keys. The vulnerability was patched within 24 hours. GoPlus advises users that a high download count does not equal safety and recommends using AgentGuard for security scanning and protection.