TechFlow News: On March 26, GoPlus Security issued a security alert stating that Silverfort security researchers discovered a critical vulnerability in ClawHub—the skill repository of OpenClaw. Attackers can bypass all protective mechanisms by invoking the internal function downloads:increment, enabling them to inflate download counts to over 20,000 within minutes using just a single curl request. This allows malicious skills to rank first in search results, tricking users or AI Agents into automatically installing them.
Once executed, these malicious skills can steal sensitive data such as cryptocurrency wallet credentials and API keys. The vulnerability was patched within 24 hours. GoPlus reminds users that high download counts do not equate to safety, and recommends using AgentGuard for security scanning and protection.




