March 7, 2026 · 6 min read

The Most Dangerous Skills on OpenClaw in 2026

By 4Worlds

We ran every skill in the OpenClaw registry — 63,697 of them — through ClawAudit's static security analyzer. 204 scored below 40, earning a Dangerous rating. That's 0.3% of the entire ecosystem.

Here's what we found.

The numbers

9,713
Critical findings
29,168
High severity
91,335
Total findings

The 204 dangerous skills collectively contain thousands of critical findings — patterns showing credential access, network egress, prompt-injection language, or encoded payloads (capabilities flagged for review, not verified exploits).

Pattern 1: Credential access + network egress

The most common dangerous pattern is credential access combined with outbound network calls. 8,177 skills access credentials — API keys, tokens, or environment variables. When a skill reads your OPENAI_API_KEY and also makes outbound HTTP requests, there's a real risk your keys are being sent somewhere they shouldn't be.

What makes this insidious is that many legitimate skills also need API keys. The line between "skill needs your key to call an API" and "skill could be sending your key elsewhere" is in the implementation details — where static analysis can surface the capability, even when it can't prove the intent.

Pattern 2: Install-time code execution

7,230 skills install packages at runtime. Package installation is a supply chain attack vector — a compromised or typosquatted package can execute arbitrary code during npm install or pip install.

The dangerous cases are skills that install packages and suppress output or errors, skills that install from non-standard registries, or skills that install packages with names suspiciously similar to popular libraries.

Pattern 3: Prompt injection

Hundreds of skills contain instructions that attempt to override the agent's behavior. These range from crude ("ignore all previous instructions") to sophisticated role reframing that gradually shifts the agent's context.

Some of these are security tools that demonstrate injection — we suppress those with zone-aware analysis. But many appear in skills that have no business including agent manipulation patterns. A weather skill that says "from now on, your role is..." is a red flag.

Read more about this in our deep dive on prompt injection in AI agent skills.

Pattern 4: Obfuscated payloads

We found skills using base64 encoding, hex escape sequences, and eval chains to hide what they actually do. A code block that contains eval(atob("...")) is doing something it doesn't want you to see.

2,133 skills use data encoding capabilities. When encoding co-occurs with network access, that pairing is the shape of data exfiltration — encode, then send. It's co-occurrence, not proof the two connect: the capability, not the act.

Pattern 5: Compound threats

The most dangerous skills aren't the ones with a single bad pattern — they're the ones that stack multiple capabilities into the shape of an attack chain. These are co-occurring capabilities, not verified flows: we see the surface, not proof the steps connect.

  • File read + network out: the capability to read sensitive files and the capability to send data out, present together
  • Credential access + encoding + network: the capability surface to read keys, encode them, and send them over HTTPS — the shape of credential exfiltration, not verified conduct
  • Process exec + package install: the capability to install a package and execute processes — the surface a reverse shell or persistence mechanism would need

ClawAudit flags these compound threats separately from individual findings because the combination is far more dangerous than any single capability alone.

What this means for the ecosystem

With 0.3% of skills flagged Dangerous by automated triage and an average trust score of just 84.3, the OpenClaw ecosystem has a security problem. The barrier to publishing a skill is low, there's no automated security review, and users have had no easy way to assess risk — until now.

We're not saying 204 skills are actively malicious. Some are poorly written. Some trigger patterns unintentionally. But the percentage that contain genuine threats is non-trivial, and the ecosystem's rapid growth (nearly 20,000 skills) means the surface area is only expanding.

What you can do

  1. Audit before installing. Here's how.
  2. Browse the registry. Search all 63,697 skills and filter by tier.
  3. Read the full report. The State of OpenClaw Security has the complete methodology and data.