clawsmith.com/idea/verify-clawhub-skill-registry-integrity-detect-ranking-fraud
Idea · Competitive · Security · Open-source · CLI · Live

A background service that continuously audits ClawHub skill download counts, detects ranking inflation, and flags skills with suspicious promotion patterns before users install them

ClawHub's download.increment mutation was exposed as an unauthenticated public RPC endpoint with no rate limiting. Silverfort's PoC pushed a malicious skill to #1 in its category with 3,900 executions across 50+ cities in 6 days. Even after the specific endpoint was patched, the fundamental problem remains: ClawHub has no integrity verification layer between the registry's popularity metrics and what users see. Download counts, star ratings, and trending positions can be gamed because no system validates that reported engagement represents real human installs. This service monitors the ClawHub registry continuously, builds statistical models of normal download velocity per skill category, and flags anomalies (sudden spikes, geographic concentration, bot-like install patterns) before they reach human users.

Demand Breakdown

HN: 91
Social proof: 1 source

Gap Assessment

Competitive: Multiple tools exist but differentiation opportunities remain

3 tools exist (SkillSieve, OpenClaw VirusTotal Integration, Bitdefender AI Skills Checker) but gaps remain:

SkillSieve analyzes skill CONTENT for malicious payloads. It does not monitor registry METADATA integrity (download counts, rankings, publisher reputation). A skill with clean code but fraudulently inflated downloads passes SkillSieve without issue.

OpenClaw VirusTotal Integration scans code artifacts only. It does not validate whether a skill's popularity metrics are authentic. A clean-code skill with inflated downloads and a fake ranking position is invisible to VirusTotal.

Features (3 agent-ready prompts)

Download velocity anomaly detector that builds per-category baselines and flags skills with statistically improbable download growth patterns
Skill provenance chain validator that verifies the publishing account age, commit history, and cross-references with known malicious publisher fingerprints
Registry diff tracker that snapshots ClawHub rankings hourly and alerts on position changes that don't correlate with any detectable organic activity
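The description above and the first feature both rest on one idea: build a per-category baseline of normal download velocity, then flag skills whose growth or install geography is statistically improbable against it. The following is an added example of that check, not code from Clawsmith, ClawHub or any of the products named on this page. Its input records are a constructed stand-in for registry snapshots (a category, a series of daily cumulative download counts and a per-city install histogram per skill); the field names, the robust z-score method (median and MAD rather than mean and standard deviation, so an inflated skill cannot mask itself by dragging its own category's average up) and the thresholds are all assumptions made for the illustration.

```python
"""Download-velocity and geographic-concentration audit for a skill registry.

Added example (not code from Clawsmith, ClawHub or any product named on the
page). The input records are a constructed stand-in for registry snapshots:
per skill, a category, daily cumulative download counts and a per-city
install histogram. Thresholds are illustrative assumptions.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample snapshots, not real ClawHub data. The third skill is a
# planted case: flat for four days, then thousands of installs from one city.
SKILLS: List[Dict] = [
    {"name": "pdf-summarizer", "category": "documents",
     "downloads": [100, 112, 125, 140, 151, 163, 176],
     "cities": {"Berlin": 30, "Austin": 25, "Tokyo": 21}},
    {"name": "csv-cleaner", "category": "documents",
     "downloads": [40, 45, 49, 55, 60, 64, 70],
     "cities": {"Paris": 20, "Mumbai": 25, "Seattle": 25}},
    {"name": "free-crypto-helper", "category": "documents",
     "downloads": [5, 6, 8, 10, 900, 1900, 3900],
     "cities": {"Ashburn": 3800, "Dublin": 50, "Lagos": 50}},
    {"name": "git-helper", "category": "devtools",
     "downloads": [200, 230, 255, 290, 320, 350, 380],
     "cities": {"London": 150, "Bangalore": 130, "San Francisco": 100}},
    {"name": "lint-fixer", "category": "devtools",
     "downloads": [10, 14, 18, 22, 25, 30, 34],
     "cities": {"Oslo": 10, "Austin": 14, "Toronto": 10}},
]

MAD_SCALE = 1.4826  # scales the MAD to a sigma-equivalent for normal data
Baseline = Tuple[float, float]  # (median daily increment, scaled MAD)


def increments(series: List[int]) -> List[int]:
    """Day-over-day download deltas from a cumulative count series."""
    return [b - a for a, b in zip(series, series[1:])]


def category_baselines(skills: List[Dict]) -> Dict[str, Baseline]:
    """Build one robust baseline per category from every skill's daily deltas.

    Median and MAD are used instead of mean and standard deviation so that a
    single inflated skill cannot drag its own category's baseline up enough
    to hide itself."""
    by_cat: Dict[str, List[int]] = {}
    for s in skills:
        by_cat.setdefault(s["category"], []).extend(increments(s["downloads"]))
    baselines: Dict[str, Baseline] = {}
    for cat, deltas in by_cat.items():
        if not deltas:
            continue
        med = median(deltas)
        mad = median(abs(x - med) for x in deltas) * MAD_SCALE
        # Floor the spread so a perfectly flat category cannot divide by zero.
        baselines[cat] = (med, max(mad, 1.0))
    return baselines


def robust_z(value: float, baseline: Baseline) -> float:
    """How many robust sigmas a daily delta sits above its category's norm."""
    med, mad = baseline
    return (value - med) / mad


def top_city_share(cities: Dict[str, int]) -> float:
    """Fraction of installs attributed to the single busiest city."""
    total = sum(cities.values())
    return max(cities.values()) / total if total else 0.0


def audit(skills: List[Dict], z_threshold: float = 5.0,
          geo_threshold: float = 0.8) -> List[Dict]:
    """Flag skills whose peak daily delta or install geography is anomalous."""
    baselines = category_baselines(skills)
    findings = []
    for s in skills:
        peak = max(increments(s["downloads"]), default=0)
        z = robust_z(peak, baselines.get(s["category"], (0.0, 1.0)))
        share = top_city_share(s["cities"])
        reasons = []
        if z > z_threshold:
            reasons.append(f"velocity spike: peak daily delta {peak} is {z:.1f} "
                           f"robust sigmas above the {s['category']} baseline")
        if share > geo_threshold:
            reasons.append(f"geographic concentration: {share:.0%} of installs "
                           f"from one city")
        if reasons:
            findings.append({"skill": s["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SKILLS):
        print(finding["skill"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed data only the planted skill is flagged, on both counts: its peak daily delta sits hundreds of robust sigmas above the documents baseline, and 97% of its installs come from a single city. A real service would snapshot counts on a schedule, keep baselines per category and per day of week, and treat a finding as a signal to hold the skill out of trending lists pending review rather than as proof of fraud.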

Competitive Landscape

Product: SkillSieve
Does: Three-layer hierarchical triage framework that detects malicious AI agent skills using pattern matching, static analysis, and behavioral analysis. Achieves 0.800 F1 score.
Missing: Analyzes skill CONTENT for malicious payloads. Does not monitor registry METADATA integrity (download counts, rankings, publisher reputation). A skill with clean code but fraudulently inflated downloads passes SkillSieve without issue.

Product: OpenClaw VirusTotal Integration
Does: All published skills scanned using VirusTotal threat intelligence including Code Insight capability. Catches known malware signatures and suspicious code patterns.
Missing: Scans code artifacts only. Does not validate whether a skill's popularity metrics are authentic. A clean-code skill with inflated downloads and fake ranking position is invisible to VirusTotal.

Product: Bitdefender AI Skills Checker
Does: Consumer-facing skill safety checker from Bitdefender. Analyzes skills for security risks including data exfiltration, system modification, and obfuscation.
Missing: Content-focused scanner like SkillSieve. No registry integrity monitoring, no ranking fraud detection, no publisher provenance verification.
