GoPlus: ClawHub has a vulnerability that allows for download count forgery, and popular skills may contain malicious code

By: rootdata|2026/03/26 11:51:10
0
Share
copy

According to a security alert released by GoPlus Security, Silverfort security researchers discovered a serious vulnerability in OpenClaw's skill repository ClawHub. Attackers can bypass all protective mechanisms by calling the internal function downloads:increment, allowing them to inflate the download count to over 20,000 in just a few minutes with a single curl request, thereby pushing malicious skills to the top of search rankings and enticing users or AI Agents to install them automatically.

Once the malicious skill is running, it can steal sensitive data such as cryptocurrency wallets and API keys. The vulnerability has been patched within 24 hours. GoPlus advises users that a high download count does not equal safety and recommends using AgentGuard for security scanning and protection.

-- Price

--

You may also like

Stablecoins are the "royalists" of the crypto world: Open USD brings the old currency system into play

The emergence of Open USD has shifted the competition for stablecoins from the market struggle of crypto startups to a battle for infrastructure involving traditional finance, payment networks, technology platforms, and public chain ecosystems.

Semiconductor stocks plummet, yet Anthropic wants to create a 2nm chip

Abandoning TSMC and teaming up with Samsung. Anthropic launches a self-developed 2nm chip program, challenging Nvidia and starting a battle to break through computing power costs.

Where is Zhao Changpeng's billion-dollar investment going? YZi Labs' investment landscape fully revealed

Zhao Changpeng's billion-dollar new "family office" YZi Labs investment landscape revealed: 70% of the funds are committed to the crypto ecosystem, while 30% are cross-industry bets on AI and biotechnology, launching a new capital experiment in the post-Binance era.

Ethereum Foundation Report: A Basic Guide to Ethereum for Governments and Financial Institutions

The Ethereum Foundation has released this non-technical introductory report aimed at government officials, central banks, regulators, and corporate decision-makers, explaining how Ethereum works, how it is governed, how it differs from other blockchains, and how institutions and governments are alre...

A pre-announced harvesting case: After the cryptocurrency price dropped by 99%, the public chain Saga exited to transform into AI

True failure often isn't a single price drop, but rather a pricing mechanism that repeatedly rewards those who tell stories while repeatedly punishing those who believe in the stories.

When American giants collectively "defect" from Chinese AI models

Coinbase CEO publicly stated: the company has fully switched its AI to a Chinese model, cutting expenses in half while usage has doubled. Snowflake and Lindy are also doing the same thing—an unnoticed "AI model migration wave" is happening.

Contents

Popular coins

Latest Crypto News

Read more
iconiconiconiconiconiconicon
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com