GHSA-3VVQ-Q2QC-7RMP: Remote Code Execution via Missing Integrity Check in OpenClaw Package Manager
Vulnerability ID: GHSA-3VVQ-Q2QC-7RMP
CVSS Score: 6.9
Published: 2026-04-09
The OpenClaw personal AI assistant framework contains a severe architectural flaw in its ClawHub package management system. The client fails to verify the cryptographic integrity of downloaded skill packages, enabling supply chain attacks and remote code execution via poisoned upstream repositories.
TL;DR
OpenClaw versions prior to 2026.3.1 download and execute remote AI skills without integrity verification. Attackers exploited this flaw to distribute over 340 malicious packages, resulting in remote code execution and credential theft across affected instances.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-353
- Attack Vector: Network
- CVSS Score: 6.9
- Impact: High (Confidentiality, Integrity, Availability)
- Exploit Status: Active Exploitation
- KEV Status: Not Listed
Affected Systems
- OpenClaw Framework
- ClawHub Package Manager
- openclaw/openclaw
-
OpenClaw: < 2026.3.1 (Fixed in:
2026.3.1)
Exploit Details
- Penligent Hacking Labs: ClawHub Poisoning Playbook detailing the exploitation of SKILL.md as a dropper.
- Silverfort Research: Analysis of ranking manipulation used to promote malicious ClawHub skills.
Mitigation Strategies
- Implement cryptographic signature validation for all remote package downloads
- Restrict package resolution to verified publishers
- Enforce strict execution sandboxing for AI skill initialization routines
Remediation Steps:
- Upgrade OpenClaw core to version 2026.3.1 or higher
- Execute the 'npx clawhub@latest verify --all' command to audit existing installed skills
- Remove any skill packages that fail the cryptographic verification step
- Deploy 'clawsec' to monitor for anomalous network calls within SKILL.md routines
References
- GitHub Advisory: GHSA-3VVQ-Q2QC-7RMP
- A Systematic Taxonomy of Security Vulnerabilities in the OpenClaw Ecosystem
- Silverfort: ClawHub Ranking Manipulation Analysis
- Penligent: The OpenClaw ClawHub Poisoning Playbook
- Aliyun Vulnerability Database: AVD-2026-1866873
- Prompt Security: Clawsec Assessment Tool
Read the full report for GHSA-3VVQ-Q2QC-7RMP on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)