GHSA-3vvq-q2qc-7rmp: openclaw: no integrity check on ClawHub plugin installs

GHSA-3vvq-q2qc-7rmp MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's ClawHub plugin system downloads and installs plugin archives without enforcing any integrity metadata — no hash, no signature, no per-file verification — meaning a compromised registry, a MitM position, or a poisoned CDN can silently deliver tampered plugins to every user who installs or updates. The blast radius is amplified by AIID #1368, a documented February 2026 incident where malicious OpenClaw skills were used to deliver AMOS stealer and exfiltrate credentials; the attack surface this CVE describes was already being weaponized before the patch shipped. Severity is rated medium and the CVE is not in CISA KEV, but the confirmed real-world exploitation of the same mechanism makes this higher operational risk than the score alone suggests. Upgrade to openclaw 2026.4.8 immediately; audit all currently installed ClawHub plugins for unexpected binaries or credential-touching behavior, and treat any pre-patch plugin installs as potentially compromised.

Sources: GitHub Advisory, ATLAS, AIID

Risk Assessment

Medium CVSSv3 rating understates operational risk here. The AIID #1368 incident confirms adversaries have already exploited OpenClaw's plugin ecosystem to deliver infostealers before this patch existed. No EPSS data is available, but the exploitation pattern is well-understood (tampered package delivery via unverified channel) and requires only registry-level or network-level access. The local trust model scopes blast radius to individual users rather than multi-tenant services, but credential theft from a security or DevOps user running an AI assistant is a high-value target. No public exploit or scanner exists for this specific CVE, but the generic supply-chain technique is trivially accessible.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw to 2026.4.8 or later — the fix is available on npm and the patched tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
  2. Audit all plugins installed prior to the patch: inspect plugin directories for unexpected executables, scripts, or network-connecting binaries.
  3. Cross-reference installed plugin manifests against ClawHub's official registry; flag any whose hash no longer matches.
  4. Check host for AMOS stealer indicators per AIID #1368 (credential store access, unexpected network connections to C2 infrastructure).
  5. Rotate any credentials (API keys, SSH keys, tokens) accessible to the OpenClaw process if pre-patch plugin installs occurred.
  6. Until the upgraded version is deployed, disable ClawHub plugin auto-install or restrict to a controlled allowlist.
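Steps 3 and 6 as an added example (not OpenClaw or ClawHub code): a fail-closed check of a plugin against locally pinned SHA-256 digests, at both the archive and the per-file level. The pin format, `verifyPlugin`, `pack`, the plugin names and the in-memory stand-in for an unpacked archive are all assumptions made for illustration.

```javascript
// Added example, not OpenClaw or ClawHub code; the pin format and all names are assumptions.
const crypto = require("node:crypto");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Pins are recorded at review time and kept out-of-band (for example in your
// own repository), never read from the download they are meant to verify.
function verifyPlugin(id, archive, files, pins) {
  const pin = Object.hasOwn(pins, id) ? pins[id] : null;
  if (!pin) return { ok: false, problems: [`${id}: not on allowlist`] };

  const problems = [];
  if (sha256(archive) !== pin.archive) problems.push("archive digest mismatch");

  // Per-file check: flags a changed file as well as an added, unpinned one.
  for (const [path, data] of Object.entries(files)) {
    if (!Object.hasOwn(pin.files, path)) problems.push(`unexpected file: ${path}`);
    else if (sha256(data) !== pin.files[path]) problems.push(`modified file: ${path}`);
  }
  for (const path of Object.keys(pin.files)) {
    if (!Object.hasOwn(files, path)) problems.push(`missing file: ${path}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: a two-file plugin. pack() is a stand-in for a real
// archive format, used only so the example has archive bytes to hash.
const goodFiles = {
  "index.js": Buffer.from("module.exports = () => 'search';\n"),
  "plugin.json": Buffer.from('{"name":"code-search","version":"1.2.0"}\n'),
};
const pack = (files) =>
  Buffer.concat(Object.entries(files).flatMap(([p, d]) => [Buffer.from(p + "\0"), d]));
const goodArchive = pack(goodFiles);
const pins = {
  "code-search@1.2.0": {
    archive: sha256(goodArchive),
    files: Object.fromEntries(Object.entries(goodFiles).map(([p, d]) => [p, sha256(d)])),
  },
};

// Same plugin id, but the archive now carries one file that was never pinned.
const tamperedFiles = { ...goodFiles, "lib/extra.js": Buffer.from("/* not pinned */\n") };
const tamperedArchive = pack(tamperedFiles);

console.log(verifyPlugin("code-search@1.2.0", goodArchive, goodFiles, pins));
console.log(verifyPlugin("code-search@1.2.0", tamperedArchive, tamperedFiles, pins));
console.log(verifyPlugin("file-manager@0.9.0", goodArchive, goodFiles, pins));
```

A plugin that is absent from the pin set is rejected rather than installed unverified, which is what makes the allowlist in step 6 effective.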

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System — third-party components
ISO 42001: 8.4 - AI system supply chain management
NIST AI RMF: GOVERN 6.1 - AI Supply Chain Risk Management
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-3vvq-q2qc-7rmp actively exploited?

No confirmed active exploitation of GHSA-3vvq-q2qc-7rmp has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-3vvq-q2qc-7rmp?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, AI agent plugin ecosystems.

What is the CVSS score for GHSA-3vvq-q2qc-7rmp?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

B-M3: ClawHub package downloads are not enforced with integrity verification.

ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

An adversary targeting an AI practitioner or security engineer who uses OpenClaw as a local assistant registers or compromises a popular ClawHub plugin (e.g., a code search or file management tool). They replace the plugin archive with a backdoored version containing an additional module that exfiltrates environment variables and ~/.ssh/ on first load. Since OpenClaw <= 2026.4.1 performs no integrity check on downloaded archives, the tampered plugin installs silently. On next agent startup the malicious module runs, harvesting API keys and SSH credentials and sending them to an attacker-controlled endpoint. This exactly mirrors the AMOS stealer delivery observed in AIID #1368.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
