Slowmist: ClawHub Has Backdoor Implantation Risk, 21% of Top 100 Skills Listed as High Risk

Chief Information Security Officer of SlowMist Technology 23pds Public Warning: Since ClawHub relies on GitHub one-click login, worms stealing developer credentials may be used to impersonate developers and release malicious Skills, launching supply chain attacks. Meanwhile, GoPlus has completed comprehensive security scans on the top 100 Skills with the highest download volumes from ClawHub, revealing 21% high risk and 17% requiring warnings.

Full Analysis of Attack Path: From GitHub Credentials to System Intrusion

SlowMist clearly outlines the complete attack chain in its announcement to help developers and users understand the actual threat mechanism:

Credential Theft: Worms like Sha1-Hulud or phishing attacks steal developers’ GitHub login credentials

Gaining GitHub Access: Attackers use stolen credentials to log into victims’ GitHub accounts

Impersonating Developers to Log into ClawHub: Since ClawHub uses GitHub one-click authorization, attackers can directly access the platform as legitimate developers

Releasing Malicious Skills: Under the guise of compromised developers, malicious Skills containing backdoors are uploaded, making them hard to distinguish from normal Skills

User Installation and Execution: Unaware users download and run these Skills, triggering malicious code

System Intrusion: Attackers gain access to user devices, potentially leading to data theft, remote control, and serious consequences

The danger of this attack chain lies in each link being highly covert, making it nearly impossible for users to visually identify whether a Skill has been maliciously tampered with.

GoPlus Scan Results: Security Distribution Among Top 100 Skills

On March 12, GoPlus released a security scan report on the top 100 Skills frequently downloaded from ClawHub, providing more systematic risk quantification data:

21% Blocked: These Skills exhibit clear high-risk behaviors, including direct network penetration, sensitive API calls, and automatic messaging

17% Warning: These Skills pose potential risks; users with higher security requirements are advised to exercise caution

62% Passed: The remaining Skills showed no obvious issues under current scan parameters

GoPlus recommends that Skills with high-risk operations should enforce a “Human-in-the-Loop (HITL)” verification mechanism, involving manual review before executing critical operations rather than remedial actions afterward.

Tencent SkillHub Controversy: Large-Scale Scraping Raises Copyright and Support Issues

Amid rising security alerts, the ClawHub ecosystem has also sparked another discussion due to Tencent’s approach. Tencent launched the SkillHub community based on the open-source OpenClaw ecosystem, positioning it as a localized Skills distribution platform for Chinese developers. However, OpenClaw founder Peter Steinberger criticized this after learning about it, stating he received complaints that Tencent scraped all Skills from ClawHub and integrated them into its platform, with such rapid speed that it triggered official rate limits. Steinberger openly said, “They copied, but did not support this project.”

Tencent AI officials responded, explaining that SkillHub operates as a mirror site, with original sources marked as ClawHub, and stated that the platform aims to provide a more stable and faster access experience for Chinese users. In its first week online, the platform handled about 180GB of download traffic (870,000 downloads), but only about 1GB was actually pulled from official sources. Tencent emphasized that multiple team members have contributed code to related open-source projects and hopes to continue supporting the ecosystem development.

Frequently Asked Questions

How can ClawHub users protect themselves from malicious Skills?

It is recommended to: prioritize installing Skills reviewed by security agencies like GoPlus; be cautious with Skills requesting access to local files, network, or system APIs; monitor download counts and reviews but do not rely solely on them for safety; regularly update Skills and pay attention to platform security notices. Most importantly, enable “Human-in-the-Loop (HITL)” verification before executing high-risk operations.

Should ClawHub switch from GitHub login to other authentication methods?

From a security architecture perspective, relying on a single OAuth provider (like GitHub) creates a single point of failure—if GitHub credentials are compromised, ClawHub accounts are at risk. More secure options include implementing multi-factor authentication (MFA), allowing independent account creation, or adding additional manual or automated verification layers for Skill publishing. These are areas for platform developers to improve trust mechanisms.

Does Tencent’s SkillHub approach violate open-source licenses?

This depends on the specific licensing terms of OpenClaw and ClawHub. SkillHub’s use of mirroring and source attribution can be considered fair use, but Steinberger’s criticism is more about ethical support—using community-built results without substantial contribution or commercial backing. Such disputes are common in open-source communities and are usually resolved through clearer licensing and commercial agreements.