GHSA-3VVQ-Q2QC-7RMP: Remote Code Execution via Missing Integrity Check in OpenClaw Package Manager

The OpenClaw framework utilizes a package management system named ClawHub to distribute modular AI extensions known as skills. The ClawHub client implementation prior to version 2026.3.1 fails to enforce cryptographic integrity verification on downloaded skill packages. This design flaw allows threat actors to substitute legitimate skill files with malicious payloads during the installation process or within upstream repositories.

The vulnerability is tracked as GHSA-3VVQ-Q2QC-7RMP and classified under CWE-353, representing a failure to support integrity checks. The Common Vulnerability Scoring System (CVSS) calculates a score of 6.9, reflecting a high impact on confidentiality, integrity, and availability. The attack vector requires user interaction to initiate the package download, which inherently limits the base severity score.

Successful exploitation results in arbitrary code execution within the context of the OpenClaw host process. AI skills require extensive system permissions to function, granting the executing code broad access to local file systems, environment variables, and network interfaces. The lack of validation fundamentally breaks the trust model of the framework and enables widespread supply chain attacks against the OpenClaw ecosystem.

The installation mechanism relies on the OpenClaw clawhub install <skill-slug> command to initiate a remote fetch operation. This routine retrieves package contents directly from the central clawhub.ai registry or third-party Git repositories. A standard skill package contains a declarative SKILL.md file alongside executable source code. The client fetches these remote assets via standard HTTP requests without requesting or verifying a corresponding cryptographic hash or digital signature.

Following the download phase, the OpenClaw framework immediately registers the skill and executes its initialization logic. The framework relies on a declarative setup routine embedded directly within the downloaded SKILL.md installer file. Because the integrity of this file is never mathematically proven, any transit-level or repository-level modification executes automatically. The framework processes the file contents assuming local origin trust, bypassing standard execution safeguards.

The core architectural oversight stems from prioritizing rapid prototyping over secure package management principles. The system implicitly trusts the transport layer and the origin server, failing to account for compromised upstream repositories or man-in-the-middle network interception. This omission violates established security standards for decentralized software distribution systems.

The vulnerable implementation resides in the package resolution and download modules of the ClawHub client. Before the B-M3 milestone patch, the fetch routine processed the network response stream directly into the local file system. The code lacked any intermediate buffer analysis, relying entirely on the native fetch streams. The application passed the resulting file path directly to the execution handler.

The patch introduces a mandatory checksum validation step during the package download phase. The updated code buffers the download and calculates an SHA-256 hash before committing the file to disk.

// Vulnerable Implementation (Pre 2026.3.1)
async function downloadSkill(slug: string, targetPath: string) {
    const response = await fetch(`https://clawhub.ai/api/skills/${slug}/download`);
    const fileStream = fs.createWriteStream(targetPath);
    await streamPipeline(response.body, fileStream);
    return executeSetup(targetPath); // Arbitrary execution without verification
}
 
// Patched Implementation (Post 2026.3.1)
async function downloadSkill(slug: string, targetPath: string) {
    const response = await fetch(`https://clawhub.ai/api/skills/${slug}/download`);
    const expectedHash = await fetchSignature(slug); // Retrieve trusted metadata
    const fileBuffer = await response.buffer();
    
    const actualHash = crypto.createHash('sha256').update(fileBuffer).digest('hex');
    if (actualHash !== expectedHash) {
        throw new SecurityError("Integrity verification failed");
    }
    
    fs.writeFileSync(targetPath, fileBuffer);
    return executeSetup(targetPath); // Safe execution of verified file
}

The updated function guarantees that the executed payload matches the cryptographic signature provided by the registry authority. If the calculated hash deviates from the expected signature, the system throws a SecurityError and halts execution. This provides a strict integrity boundary and neutralizes the supply chain injection vector.

Threat actors exploit this vulnerability by publishing malicious skills or compromising existing upstream repositories. Attackers heavily utilize typosquatting techniques to register skill names that closely resemble popular AI extensions. In February 2026, security researchers identified 341 distinct malicious skills residing on the central ClawHub registry. These packages relied exclusively on the missing integrity checks for widespread distribution.

The primary exploitation technique transforms the SKILL.md file into a two-stage dropper. Attackers embed obfuscated setup routines within the markdown declaration that execute external scripts upon initialization. For example, a malicious skill named yahoofinance used this vector to silently download an executable payload immediately after the user initiated the install command. The framework parses and runs this embedded routine without user confirmation.

Once the secondary payload executes, it targets the host environment for credential harvesting and persistence. The yahoofinance dropper parsed local environment variables and extracted SSH keys from the user's home directory. The initial execution context grants the payload identical system privileges to the user running the OpenClaw instance.

The OpenClaw development team addressed the missing integrity check vulnerability in version 2026.3.1 as part of the Bug Milestone 3 (B-M3) release. This update implements strict cryptographic hash verification for all skill downloads and introduces a verified publisher framework. Administrators must upgrade all OpenClaw instances to this patched version to secure the package management lifecycle. Upgrading removes the technical capacity for arbitrary code execution via compromised dependencies.

Post-upgrade, operators must validate previously installed skills to ensure no malicious packages remain active. The patched client includes a new command line utility specifically designed for retroactive integrity auditing. Executing the npx clawhub@latest verify --all command analyzes the local skill directory against the central registry's verified signatures. Administrators should immediately uninstall any packages that fail this verification process.

Organizations utilizing OpenClaw should implement manual vetting procedures for critical AI skills as a defense-in-depth measure. Security teams must review the SKILL.md setup routines for anomalous network calls, such as unexpected curl or wget commands that bypass standard execution paths. Integrating community security tools like clawsec into development pipelines provides automated reputation scoring and behavioral analysis for ClawHub packages.