openclaw skill security auditor

See what a skill's code can do.

Agent skills can read files, reach the network, touch credentials, and run remote code. We map what each one's code can actually reach — counted from the config, stated plainly as can, not will. Paste any skill to see its capability surface, and exactly how sure we are.

CLAUDE.md.mcp.jsonagent rules
no signup · instant
what we found
01

Counted from code, not tiers

0.0% can read env vars ≈ 1 in 8
of 63,697 skills
Skills whose code touches process.env, where API keys and tokens live. The broad capability, stated plainly: can read, not does steal.
0.0% read env vars + reach the network ≈ 1 in 16
co-occurrence
Both capabilities present in one skill: the shape of exfiltration, not proof of it. We don't verify the two ever connect.
0.0% touch a credential store ≈ 1 in 267
narrow & real
SSH keys, AWS configs, keychains: the capability that actually means "can read your secrets." We count it separately, on purpose.
the gap is the point
0.0% can read env vars
0.0% can read real secrets

One in 8 can read environment variables. Far fewer can reach real secret stores. Most scanners call all of it credential theft. Conflating the two is how a scanner overstates its own findings, so we don't. You see what the code can do, and exactly how sure we are.

capability ≠ conduct. we say "can," not "will."
counted from code, so prose-only risks aren't here and the real figures run higher.
every number is a measurement, not a verdict.