The #1 Downloaded ClawdBot Skill Was a Backdoor
Learn how a fake ClawdBot skill became #1 in 8 hours and compromised 16 developers. Essential security tutorial for auditing AI assistant skills.
Originally published:
Understanding the ClawdBot Backdoor Incident
In a shocking security experiment, a researcher demonstrated how a malicious ClawdBot skill rose to the #1 position on ClawdHub in just 8 hours, compromising 16 developers across 7 countries. This tutorial will help you understand what happened, why it matters, and how to protect yourself when using ClawdBot (now rebranded as MoltBot) skills.
clawdbot securityLearning Objectives
- Understand the unique security risks of AI assistant skills versus traditional package managers
- Learn to audit ClawdBot/MoltBot skills before installation
- Implement safe practices for skill discovery and usage
- Recognize red flags in skill repositories and marketplaces
Prerequisites
- Basic familiarity with ClawdBot or MoltBot
- Understanding of command-line operations
- Git installed for repository inspection (optional)
- Access to ClawdHub skill marketplace
What Happened: Anatomy of the Attack
A security researcher created a proof-of-concept attack that exposed critical vulnerabilities in the ClawdHub ecosystem. The attack vector involved creating a skill called "What Would Elon Do?" and exploiting an API vulnerability to artificially inflate its download count to over 4,000 downloads, propelling it to the top position.
Within 8 hours, 16 real developers from 7 different countries installed and executed the skill. While the payload was benign (just a ping command for tracking), the implications were severe: a malicious actor could have exfiltrated SSH keys, AWS credentials, or entire codebases without detection.
supply chain attacksWhy This Is Different from Traditional Supply Chain Attacks
Unlike npm or PyPI attacks where malicious code must navigate sandboxes and permission restrictions, ClawdBot skills operate with elevated privileges by design. As one community member noted: "In a traditional npm attack, the malicious code has to fight for permissions. In ClawdBot, the user hands the permissions over on a silver platter."
When you install a ClawdBot skill, you grant it comprehensive access including file system operations, terminal execution, and network requests. Everything ClawdBot can do, the skill inherits.
Key Vulnerabilities Identified
1. Fakeable Download Counts
The ClawdHub API lacked proper authentication, allowing attackers to spoof IP addresses and artificially inflate download metrics. Popular skills appear trustworthy, creating a false sense of security.
2. Hidden Code References
ClawdHub's interface doesn't prominently display referenced files or imported dependencies, making it easy to hide malicious payloads in external modules.
3. Permission Fatigue
Users become accustomed to clicking "Allow" on permission prompts, as command execution is ClawdBot's primary function. This normalized approval process works against security.
Step-by-Step: How to Audit Skills Before Installation
Step 1: Read the SKILL.md File
Every ClawdBot skill includes a SKILL.md manifest. Before installation, carefully review it for:
- Description alignment with advertised functionality
- External file references or imports
- Network calls to unknown domains
- Suspicious
run_commandarguments
Step 2: Inspect the Source Code
If the skill links to a GitHub repository, clone and examine it thoroughly:
# Clone the repository
git clone https://github.com/author/skill-name
cd skill-name
Search for potential red flags
grep -r "curl" . # External HTTP requests
grep -r "nc " . # Netcat usage
grep -r "eval" . # Code execution
grep -r "$HOME/.ssh" . # SSH key access
If the skill isn't open source, consider that a major warning sign.
git security auditingStep 3: Ignore Download Counts
As demonstrated by this attack, download metrics are easily manipulated. A skill with 10,000 downloads might have 9,990 fake installations. Focus on code quality and author reputation instead.
Step 4: Verify the Author
Research the skill creator:
- Do they have other published projects?
- What's their GitHub contribution history?
- Is this a brand new account with a single skill?
- Are they responsive to issues and community feedback?
Step 5: Test in Sandbox Mode
Before deploying untrusted skills in production environments, test them in isolated sandboxes with limited file system and network access.
Alternative Approach: Generate Skills Locally
Rather than relying on third-party skills, consider generating custom skills based on your specific needs. Tools like the Skill Builder at open-claw.bot allow you to describe functionality in plain language and receive a complete, locally-generated skill package. This approach eliminates third-party trust issues entirely.
For example, instead of searching for a commit reminder skill, simply describe: "remind me to commit every hour" and generate the SKILL.md yourself. The documentation works for both ClawdBot and MoltBot since they share the same underlying architecture.
openclaw skill builderBest Practices Moving Forward
- Prioritize verified authors with established GitHub histories and multiple projects
- Use open source skills exclusively where you can audit the complete codebase
- Rely on community-vetted collections with human review processes
- Build custom skills for sensitive operations to maintain full control
Next Steps
The ClawdBot/MoltBot ecosystem offers powerful automation capabilities, but requires vigilance. Start by auditing your currently installed skills using the techniques outlined above. Consider contributing to community security efforts by reporting suspicious skills and participating in code reviews.
Remember: the #1 skill on any marketplace might be there because someone gamed the system. Always read the code before executing it with privileged access to your development environment.
ai assistant securityOriginal Source
https://dev.to/er_li_92a27f8612f9f070e18/the-1-downloaded-clawdbot-skill-was-a-backdoor-4o1p
Last updated: