Vulnerability Critical

ClawHub Supply Chain Poisoning Attack - 341 Malicious Skills Found

SlowMist security team discovered a large-scale supply chain poisoning attack on OpenClaw's ClawHub plugin marketplace. Weak moderation allowed 341 malicious skills (out of 2,857 scanned) to infiltrate the platform, spreading harmful code via obfuscated Base64 backdoors and two-stage payload delivery.

Attack Details

  • 341 malicious skills identified out of 2,857 total skills scanned (12% infection rate)
  • Organized batch attacks targeting few fixed domains/IPs via two-stage loading
  • Initial obfuscation via Base64 encoding, followed by dynamic payload retrieval
  • Example: 'X (Twitter) Trends' skill hid backdoor to download/execute malware, phish passwords, collect files, upload to C2

Recommendations

  • Audit all installed ClawHub skills immediately
  • Review skill installation scripts before execution
  • Only install skills from verified/trusted authors
  • Check for suspicious curl|bash patterns in skill prerequisites

Details

Type Vulnerability
Published February 9, 2026
Severity Critical
Fix Available No
#supply-chain #Malware

Related Resources

21,639 Exposed OpenClaw Instances Found

Censys security scan identified 21,639 OpenClaw instances exposed to public internet without authentication. Over 30% running on Alibaba Cloud. Represents massive attack surface with private messages, API keys, and OAuth credentials accessible. 21x growth in under one week demonstrates rapid adoption and exposure.

Official Security Documentation

Comprehensive official security documentation covering OpenClaw's threat model, access control, authentication modes, sandboxing, DM pairing policies, tool permissions, and incident response. Details the security audit command, credential storage locations, and hardening best practices.

What Security Teams Need to Know About OpenClaw

Enterprise security assessment with detection guidance. Covers visibility via Falcon platform, discovery of OpenClaw deployments, removal workflows, prompt injection threats, and runtime protection with Falcon AIDR. Demonstrates blocking prompt injection attacks and provides enterprise-scale detection/response capabilities.