Skip to main content
Tutorial 5 min read

The #1 Downloaded ClawdBot Skill Was a Backdoor

Learn how a fake ClawdBot skill became #1 in 8 hours and compromised 16 developers. Essential security tutorial for auditing AI assistant skills.

Originally published:

Dev.to by Lier

Understanding the ClawdBot Backdoor Incident

In a shocking security experiment, a researcher demonstrated how a malicious ClawdBot skill rose to the #1 position on ClawdHub in just 8 hours, compromising 16 developers across 7 countries. This tutorial will help you understand what happened, why it matters, and how to protect yourself when using ClawdBot (now rebranded as MoltBot) skills.

clawdbot security

Learning Objectives

  • Understand the unique security risks of AI assistant skills versus traditional package managers
  • Learn to audit ClawdBot/MoltBot skills before installation
  • Implement safe practices for skill discovery and usage
  • Recognize red flags in skill repositories and marketplaces

Prerequisites

  • Basic familiarity with ClawdBot or MoltBot
  • Understanding of command-line operations
  • Git installed for repository inspection (optional)
  • Access to ClawdHub skill marketplace

What Happened: Anatomy of the Attack

A security researcher created a proof-of-concept attack that exposed critical vulnerabilities in the ClawdHub ecosystem. The attack vector involved creating a skill called "What Would Elon Do?" and exploiting an API vulnerability to artificially inflate its download count to over 4,000 downloads, propelling it to the top position.

Within 8 hours, 16 real developers from 7 different countries installed and executed the skill. While the payload was benign (just a ping command for tracking), the implications were severe: a malicious actor could have exfiltrated SSH keys, AWS credentials, or entire codebases without detection.

supply chain attacks

Why This Is Different from Traditional Supply Chain Attacks

Unlike npm or PyPI attacks where malicious code must navigate sandboxes and permission restrictions, ClawdBot skills operate with elevated privileges by design. As one community member noted: "In a traditional npm attack, the malicious code has to fight for permissions. In ClawdBot, the user hands the permissions over on a silver platter."

When you install a ClawdBot skill, you grant it comprehensive access including file system operations, terminal execution, and network requests. Everything ClawdBot can do, the skill inherits.

Key Vulnerabilities Identified

1. Fakeable Download Counts

The ClawdHub API lacked proper authentication, allowing attackers to spoof IP addresses and artificially inflate download metrics. Popular skills appear trustworthy, creating a false sense of security.

2. Hidden Code References

ClawdHub's interface doesn't prominently display referenced files or imported dependencies, making it easy to hide malicious payloads in external modules.

3. Permission Fatigue

Users become accustomed to clicking "Allow" on permission prompts, as command execution is ClawdBot's primary function. This normalized approval process works against security.

Step-by-Step: How to Audit Skills Before Installation

Step 1: Read the SKILL.md File

Every ClawdBot skill includes a SKILL.md manifest. Before installation, carefully review it for:

  • Description alignment with advertised functionality
  • External file references or imports
  • Network calls to unknown domains
  • Suspicious run_command arguments

Step 2: Inspect the Source Code

If the skill links to a GitHub repository, clone and examine it thoroughly:

# Clone the repository
git clone https://github.com/author/skill-name
cd skill-name

Search for potential red flags

grep -r "curl" . # External HTTP requests
grep -r "nc " . # Netcat usage
grep -r "eval" . # Code execution
grep -r "$HOME/.ssh" . # SSH key access

If the skill isn't open source, consider that a major warning sign.

git security auditing

Step 3: Ignore Download Counts

As demonstrated by this attack, download metrics are easily manipulated. A skill with 10,000 downloads might have 9,990 fake installations. Focus on code quality and author reputation instead.

Step 4: Verify the Author

Research the skill creator:

  • Do they have other published projects?
  • What's their GitHub contribution history?
  • Is this a brand new account with a single skill?
  • Are they responsive to issues and community feedback?

Step 5: Test in Sandbox Mode

Before deploying untrusted skills in production environments, test them in isolated sandboxes with limited file system and network access.

Alternative Approach: Generate Skills Locally

Rather than relying on third-party skills, consider generating custom skills based on your specific needs. Tools like the Skill Builder at open-claw.bot allow you to describe functionality in plain language and receive a complete, locally-generated skill package. This approach eliminates third-party trust issues entirely.

For example, instead of searching for a commit reminder skill, simply describe: "remind me to commit every hour" and generate the SKILL.md yourself. The documentation works for both ClawdBot and MoltBot since they share the same underlying architecture.

openclaw skill builder

Best Practices Moving Forward

  1. Prioritize verified authors with established GitHub histories and multiple projects
  2. Use open source skills exclusively where you can audit the complete codebase
  3. Rely on community-vetted collections with human review processes
  4. Build custom skills for sensitive operations to maintain full control

Next Steps

The ClawdBot/MoltBot ecosystem offers powerful automation capabilities, but requires vigilance. Start by auditing your currently installed skills using the techniques outlined above. Consider contributing to community security efforts by reporting suspicious skills and participating in code reviews.

Remember: the #1 skill on any marketplace might be there because someone gamed the system. Always read the code before executing it with privileged access to your development environment.

ai assistant security

Share:

Original Source

https://dev.to/er_li_92a27f8612f9f070e18/the-1-downloaded-clawdbot-skill-was-a-backdoor-4o1p

View Original

Last updated: