Connect Clawsmith to your coding agent. Ship products like crazy.Unlimited usage during betaGet API Key →

← Back to dashboard

clawsmith.com/signal/cve-2026-42428-plugin-integrity-bypass-clawhub

⚠ IssueWide OpenVulnerabilityLive

CVE-2026-42428: ClawHub plugin archives downloaded without integrity verification (CVSS 7.1)

OpenClaw before v2026.4.8 fails to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment. CVSS 7.1 HIGH, CWE-353. Reported by @kexinoh from Tencent Zhuque Lab. Fixed in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

Score Breakdown

Issues

23

Social Proof 0 sources

Virality Score

23

across 1 platforms

Details

Signalissue

EcosystemVulnerability

Sources0

Platforms1

Updated9h ago

Trend→ stable

Top ideas

26.1MA pre-publish scanner that strips source maps, secrets, and internal code from npm packages before they ship to the registry 2.2MA routing middleware that pairs an expensive advisor model with a cheap executor model for OpenClaw agents, cutting API costs by 80% while maintaining output quality 1.7MA self-hosted agent deployment kit that auto-fails over from cloud APIs to local models when provider costs spike or access gets cut

Related signals

All signals →

93KAgents of Chaos: 38 Researchers Deploy 6 OpenClaw Agents — 11 Critical Failure Patterns in 14 Days 41.8KNanoClaw: Container-Isolated OpenClaw in ~500 Lines of TypeScript 35.7KCapability Evolver — #1 ClawHub Skill (35K Downloads) Caught Exfiltrating Data to ByteDance Feishu