Back to archive
5 public sources
Incident report

When a Top-Downloaded ClawHub Skill Changed the Meaning of Discovery

ClawHub top-download malware episode

Marketplace-ranking incident / ecosystem trust break

ClawHub / OpenClaw ecosystem

The revealing part of this incident was not only that one malicious skill slipped through. It was that the marketplace cues telling users what looked popular and normal were also helping decide what got executed next.

Opening quote
Once a skill directory ranks and distributes executable capability, trust in discovery becomes part of the security model.

The dangerous part was not hidden in a diff.

It was sitting in discovery.

A user could browse ClawHub, sort by what looked proven, install a popular skill, and walk from marketplace trust into malware prompts without ever feeling like they had left the normal path.

That is why this episode matters.

If the story were only “a bad package existed,” it would be ugly but familiar. The sharper point is that ClawHub had already become a ranking and distribution surface for executable capability. Once that happened, the list of top downloads stopped being a convenience feature. It became part of the trust boundary.

The ranking did the first half of the malware’s work

1Password’s reporting is the clearest anchor for the incident because it is concrete about what changed. The company said the malicious skill it analyzed had reached an all-time Top Downloads ranking on ClawHub with 1,729 downloads, and it argued that this ranking was a major reason so many users saw it and ran it.

That detail matters more than the shock value.

If a malicious skill sits obscurely in a long tail, the story is mostly about screening failure. If it rises high enough that download ranking becomes a visibility engine, the story is about distribution. The marketplace is no longer merely hosting risk. It is helping route attention toward it.

That is the break in meaning this page is trying to preserve. ClawHub was not just a place where a bad actor posted something dangerous. It was a place where popularity cues, install affordances, and normal-looking marketplace metadata helped the skill inherit trust before the malicious behavior became obvious.

What users were actually being asked to install

The incident gets more revealing once you compare the official product model with what the malicious skill reportedly told users to do.

OpenClaw’s own docs describe skills as bundles centered on SKILL.md. They may also include scripts, tools, docs, images, and other files. The official ClawHub docs then present the normal operator path: browse skills, inspect metadata, look at status and scan information, and install the bundle into your skills directory.

That is the expected story. A skill is supposed to look like packaged capability inside the OpenClaw ecosystem.

1Password’s report describes a very different path. According to its analysis, the malicious skill immediately pushed users toward a supposed dependency called openclaw-core, sent them to fake documentation infrastructure, and then escalated into staged execution patterns including obfuscated shell and PowerShell delivery. In other words, the marketplace listing did not end at bundle install. It acted as a trust bridge into off-platform execution.

That distinction is the heart of the incident.

The problem was not only that a skill contained harmful behavior. The problem was that the marketplace context made extra steps look routine. A user was not being asked, in emotional terms, to cross a dramatic red line. They were being asked to finish setup.

Why this changed the meaning of skill discovery

ClawHub’s official docs are useful because they show exactly how the platform teaches trust.

The docs present ClawHub as the public skill registry for OpenClaw. They describe search, tags, versions, security scan status, install buttons, and sorting by signals such as popularity, recent activity, and downloads. They also describe labels and filters that let users surface verified skills or hide suspicious ones.

Those are product features. They are also security cues.

A ranked registry quietly teaches users three habits at once:

  • popularity is a proxy for safety,
  • marketplace presence is a proxy for legitimacy,
  • install flow is a proxy for normality.

Those shortcuts feel reasonable because marketplaces are built to reduce friction. They are also exactly what make a ranking incident consequential. When the object being distributed is executable capability, every cue that helps a user decide faster also helps decide what gets trusted faster.

That is the larger judgment here, and it is editorial rather than directly quoted from one source: the ClawHub episode changed the meaning of “skill discovery” because discovery had already become part of execution. Once a user can browse, sort, install, and later invoke packaged skills in one ecosystem flow, the registry is participating in the security model whether it wants that job or not.

The operator scene is painfully ordinary

The story sticks because the user moment is so easy to imagine.

Someone has OpenClaw working. They want one more useful capability. They open ClawHub, look at what is already popular, click the skill that looks established, and assume the page has done some of the filtering for them. A status badge, a version list, a familiar category name, and a high download count all soften the next decision. If the skill says an extra dependency or command is required, that request borrows some legitimacy from the page that introduced it.

Nothing in that scene feels reckless.

That is why the incident hit harder than a generic malware warning. The dangerous move was not framed as danger. It was framed as the obvious continuation of a discovery flow the marketplace itself had normalized.

What the official response actually looks like

I did not find a single dramatic ClawHub postmortem that says, in one place, “this is the incident and this is our response.” The clearest official response is product-level and documentation-level.

As of March 17, 2026, the official ClawHub docs and threat model describe a platform that now treats registry trust as an active security problem:

  • skills can carry verified, suspicious, new, and unclaimed status signals,
  • users can filter out suspicious entries while browsing,
  • every new or updated skill is described as going through threat modeling and automated checks,
  • malicious patterns such as install instructions that tell users to paste obfuscated remote shell payloads are described as block-worthy,
  • and ClawHub has publicly announced that all new skill submissions are scanned with VirusTotal.

That matters because it tells you what the platform believes broke.

You do not build that kind of response if the lesson is only “one uploader behaved badly.” You build it if the registry itself has become a distribution channel serious enough to need reputation signals, scanner output, moderation evidence, and sharper intervention rules.

In other words, the official response confirms the story’s deeper shape even without saying so in those exact words. ClawHub is behaving less like a neutral directory and more like a platform that knows discovery, moderation, and install trust now sit on the same line.

What is documented, and what this page is inferring

The documented layer is strong:

  • 1Password reported that the malicious skill it examined had achieved an all-time Top Downloads ranking on ClawHub with 1,729 downloads.
  • The same report says the skill pushed users toward fake openclaw-core installation, malicious documentation links, and staged shell or PowerShell execution.
  • OpenClaw’s official docs say skills are bundles that can include SKILL.md, scripts, tools, docs, and other files.
  • Official ClawHub docs show a registry built around browsing, sorting, status labels, security scan visibility, and install flows.
  • ClawHub’s threat-model docs and VirusTotal announcement show the platform publicly emphasizing moderation, suspicious labeling, and malware scanning.

The bounded editorial inference is this:

The ClawHub episode was not just a bad-package moment. It was the point where a skill hub became visibly part of the attack surface because ranking and discovery were already helping distribute trust at scale.

That claim stays inside the evidence. It does not require pretending every popular skill is unsafe or that one report proves a total ecosystem collapse. It only requires taking the marketplace’s actual role seriously.

The consequence is bigger than one malicious skill

The easiest way to remember this incident is also the weakest: “a malware skill slipped into ClawHub.”

The stronger memory is harsher and more useful.

A skill marketplace stops being only a convenience layer once its ranking can distribute untrusted execution at scale. At that point, the top of the list is no longer just a recommendation surface. It is part of the execution path. Its badges are trust signals. Its defaults are security policy in disguise.

That is the ecosystem consequence worth keeping.

One malicious skill created the scare. The deeper story was that the scare revealed what ClawHub had already become: not just a place to find capability, but a place where the meaning of “looks safe enough to try” could travel directly into what users run next.

Once that line is crossed, discovery is no longer neutral. It is operational authority with better UX.

Sources

Sources & public record

CoClaw keeps story pages grounded in public reporting, primary posts, issue threads, and project materials readers can inspect themselves.

  1. Source 01

    1Password blog - OpenClaw malicious packages and supply chain risk

  2. Source 02

    OpenClaw docs - Skills overview

  3. Source 03

    OpenClaw docs - ClawHub

  4. Source 04

    ClawHub docs - Threat model

  5. Source 05

    ClawHub blog - VirusTotal partnership

Related Stories

Capability Evolver and the Governance Test It Forced on ClawHub
Project case
A source-backed reconstruction of the Capability Evolver dispute: breakout momentum, a detailed Feishu-export allegation, the builder pushback that followed, and the governance pressure it exposed inside ClawHub.
When Fake OpenClaw Installers Turned Discovery Into the Real Attack Surface
Incident report
A source-backed reconstruction of the fake OpenClaw installer wave: cloned GitHub repos, Bing AI answers, GhostSocks and infostealers, and the trust failure that happened before many users ever reached the official product.
The Security Scam Wave Around OpenClaw
Incident report
A source-backed reconstruction of the first OpenClaw scam wave: rename confusion, copied surfaces, malicious skills, and the trust breakdown that followed when users were granting unusually real power.

Related Guides

ClawHub Usage Guide: Discover, Evaluate, Install, Upgrade, and Roll Back Skills Safely
Guide
A practical guide to using ClawHub as a skill discovery and distribution channel: how to evaluate maintainers, install in a low-risk way, upgrade without surprises, and keep a real rollback path when a skill fails or disappears.
OpenClaw Security Playbook: Skill Supply Chain Safety & Prompt Injection Defense
Guide
Harden OpenClaw against unsafe skills and prompt injection with a workflow you can actually operate: separate lab from prod, constrain blast radius, and verify that dangerous actions still require explicit trust.