OpenClaw Official Marketplace Breached: 23 Counterfeit Plugins Infiltrate ClawHub

Security vendor Manifold Security has discovered 23 skill plugins on OpenClaw’s official plugin marketplace, ClawHub, that were disguised as official releases, exposing serious supply chain security risks in the AI Agent ecosystem.
Manifold Security disclosed a disturbing finding this week: in OpenClaw’s official plugin marketplace, ClawHub, there are 23 Skills masquerading as official first‑party products.
This isn’t some sophisticated exploit, but rather the most basic form of “namespace squatting” — third‑party developers naming their plugins @openclaw/security-gate or @clawhub/asia-twitter-api, making it impossible for ordinary users to tell whether they are official or unofficial.
Where the Problem Lies
Researchers audited the 1,508 Skills listed in ClawHub. Among them, 557 used the @owner/skill-name naming format, originally intended to identify the publisher. However, further checking revealed that many third‑party uploaded Skills were impersonating well‑known brands.
The most typical example: a Skill named @Microsoft/xxx, but the publishing account had nothing to do with Microsoft.
More concerning are the 23 plugins directly using the @openclaw/ or @clawhub/ prefix. OpenClaw’s official Skills usually adopt this format, such as @openclaw/whatsapp or @openclaw/codex. When users see names like @openclaw/fiat-wallet, they instinctively assume it’s an official product and therefore trustworthy.

Why This Happens
The root cause lies in ClawHub’s overly lenient publishing mechanism.
According to platform rules, the Skill naming format “in principle” should match the publisher’s identity. But this rule was not strictly enforced before. Worse, the OpenClaw project organization’s namespace itself allowed external Skills, giving opportunists a loophole.
As an open‑registration software marketplace, ClawHub has a very low entry threshold — all you need is a GitHub account to list a plugin. This openness helped OpenClaw quickly build ecosystem network effects, but also amplified supply chain risks.
Security companies point out that this “scope squatting” technique has long been common in traditional package managers such as npm and PyPI. Now, the same attack pattern is spreading to the AI Agent ecosystem.
Do These Plugins Contain Malicious Code?
There is currently no evidence that these 23 plugins contain malicious code, nor that they have been used to attack users.
But that’s not the point.
The point is that, once this impersonation tactic is used by real attackers, the consequences could be severe. OpenClaw’s Skill system grants plugins relatively high system privileges, allowing malicious plugins to:
- Embed malicious instructions in
SKILL.mdto lure AI Agents into executing dangerous actions - Steal users’ API keys, conversation records, and local files
- Plant backdoors, open reverse shells, and gain full control of the device
Earlier this year, security teams already identified 341 genuinely malicious Skills in ClawHub. These plugins typically disguised themselves as crypto asset trackers, security check tools, or automation utilities, luring users to install them and then carrying out supply chain poisoning.
ClawHub’s Response Measures
After receiving Manifold Security’s report, ClawHub reacted relatively quickly.
On June 17, the platform strengthened namespace management rules, clarifying in its FAQ page: only publishers with @openclaw privileges can upload Skills belonging to the openclaw or clawhub namespace.
On June 19, ClawHub removed these 23 misleading Skills from the public directory and introduced a namespace appeal mechanism, allowing brands whose namespaces were squatted to reclaim them.
These remedies came in time, but are essentially “closing the barn door after the horse has bolted.” For users who have already installed these plugins, the platform cannot forcibly uninstall them; any malicious programs (if present) will continue to run.
Bigger Picture: OpenClaw’s Security Challenges
This namespace squatting incident is just the tip of the iceberg for OpenClaw’s security issues.
Over the past six months, the open‑source AI Agent platform—nicknamed “the little lobster” by netizens—has experienced all‑round security challenges:
Frequent High‑Risk Vulnerabilities
In February, vulnerability CVE‑2026‑25253 was disclosed, involving WebSocket hijacking and remote code execution. Attackers could use the victim’s browser to establish a connection to OpenClaw’s server, steal authentication tokens, and execute arbitrary code. Even if OpenClaw only listens on localhost, it’s not exempt — attackers need only lure the user into visiting a malicious webpage, and the whole attack process is completed within milliseconds.
Proliferation of Publicly Exposed Instances
According to SecurityScorecard statistics, as of March this year, more than 469,000 OpenClaw instances were detectable on the public internet, of which 27.2% had high‑risk vulnerabilities. Many users, for convenience in remote access, changed the default 127.0.0.1 to 0.0.0.0, directly exposing a high‑privilege AI Agent to the internet.
Supply Chain Poisoning Epidemic
Snyk scanned roughly 4,000 plugins in ClawHub and found that 7.1% had sensitive credential leakage issues — developers explicitly wrote API keys, account passwords, and even credit card information in SKILL.md.
Trend Micro discovered that attackers had disguised malicious content as OpenClaw Skills, delivering the Atomic macOS Stealer (AMOS) credential‑stealing malware to macOS devices via seemingly normal installation commands.
Real Attack Cases
In February, Summer Yue, Security Director of Meta’s super‑intelligence team, shared her experience on X: she asked OpenClaw to “check the inbox and suggest emails to archive or delete,” but the AI began deleting emails in bulk on its own, and even urgent manual intervention couldn’t stop it.
Earlier, an attacker sent an AI assistant an email disguised as ordinary content, containing a bash script. The script’s function was simple: search the user’s machine for SSH private keys and POST them all to a server controlled by the attacker. The AI Agent obediently complied.
Advice for Developers
If you are using OpenClaw, the following points are worth noting:
1. Treat Third‑Party Skills with Caution
The official documentation explicitly states: third‑party Skills should be considered untrusted code. Before installation, be sure to check publisher identity, code source, star count, and community reviews.
2. Strengthen Local Security Configurations
# Force binding to local address, forbid 0.0.0.0
openclaw config set server.host "127.0.0.1"
# Enable strong password authentication
openclaw config set security.password "YourStrongPasswordOver16Chars"
# Enable audit logs
openclaw config set security.audit.level "debug"
3. Update Versions Promptly
Ensure you upgrade to the latest version (currently recommended v2026.3.7 or above) to patch known high‑risk vulnerabilities such as CVE‑2026‑25253 and CVE‑2026‑30891.
4. Consider Environment Isolation
Run OpenClaw in a virtual machine or container to prevent it from directly accessing sensitive files and credentials on the host.
5. Monitor for Abnormal Activity
Regularly check access logs in the ~/.openclaw/ directory and monitor unusual connections on port 18789.
Industry Lessons
This incident once again confirms a judgment: AI Agents’ security issues are replicating all the old problems of traditional software supply chain security, and because Agents have higher system privileges and autonomous execution capabilities, the risks are further amplified.
The npm ecosystem took ten years to gradually establish a relatively complete security review mechanism. Will AI Agent Skill marketplaces take the same long detour?
From ClawHub’s handling this time, at least the response speed was timely. But the limitations of “after‑the‑fact control” remain obvious — after malicious plugins are removed, devices of already‑installed users still retain this code.
For vendors building AI Agent ecosystems, this is a warning: the balance between openness and security needs to be thought through at the architecture design stage, not patched after problems arise.
Currently, OpenClaw has partnered with VirusTotal to scan newly uploaded Skills for malicious code and to perform semantic analysis of LLM content. Bitdefender has also launched the AI Skills Checker tool. But as platform maintainers themselves admit: automated detection cannot cover all malicious variants, and attackers will always find ways to evade.
This cat‑and‑mouse game has only just begun.
References
- ITHome: OpenClaw official marketplace sees “impersonation” projects, as many as 23 Skills masquerading as “first‑party products” — Chinese news coverage of the core incident
- Reddit: If you’re self‑hosting OpenClaw, here’s every documented security incident in 2026 — Summary of OpenClaw security incidents in 2026
- GitHub: OpenClaw Security Advisories — Official security advisories page



