We ran every skill in the OpenClaw registry — 63,697 of them — through ClawAudit's static security analyzer. 204 scored below 40, earning a Dangerous rating. That's 0.3% of the entire ecosystem.
Here's what we found.
The numbers
The 204 dangerous skills collectively contain thousands of critical findings — patterns showing credential access, network egress, prompt-injection language, or encoded payloads (capabilities flagged for review, not verified exploits).
Pattern 1: Credential access + network egress
The most common dangerous pattern is credential access combined with outbound network calls.
8,177 skills access credentials — API keys, tokens, or environment variables. When a skill reads your OPENAI_API_KEY and also makes outbound HTTP requests, there's a real risk your keys are being sent somewhere they shouldn't be.
What makes this insidious is that many legitimate skills also need API keys. The line between "skill needs your key to call an API" and "skill could be sending your key elsewhere" is in the implementation details — where static analysis can surface the capability, even when it can't prove the intent.
Pattern 2: Install-time code execution
7,230 skills install packages at runtime. Package installation is a supply chain attack vector — a compromised or typosquatted package can execute arbitrary code during npm install or pip install.
The dangerous cases are skills that install packages and suppress output or errors, skills that install from non-standard registries, or skills that install packages with names suspiciously similar to popular libraries.
Pattern 3: Prompt injection
Hundreds of skills contain instructions that attempt to override the agent's behavior. These range from crude ("ignore all previous instructions") to sophisticated role reframing that gradually shifts the agent's context.
Some of these are security tools that demonstrate injection — we suppress those with zone-aware analysis. But many appear in skills that have no business including agent manipulation patterns. A weather skill that says "from now on, your role is..." is a red flag.
Read more about this in our deep dive on prompt injection in AI agent skills.
Pattern 4: Obfuscated payloads
We found skills using base64 encoding, hex escape sequences, and eval chains to hide what they actually do. A code block that contains eval(atob("...")) is doing something it doesn't want you to see.
2,133 skills use data encoding capabilities. When encoding co-occurs with network access, that pairing is the shape of data exfiltration — encode, then send. It's co-occurrence, not proof the two connect: the capability, not the act.
Pattern 5: Compound threats
The most dangerous skills aren't the ones with a single bad pattern — they're the ones that stack multiple capabilities into the shape of an attack chain. These are co-occurring capabilities, not verified flows: we see the surface, not proof the steps connect.
- File read + network out: the capability to read sensitive files and the capability to send data out, present together
- Credential access + encoding + network: the capability surface to read keys, encode them, and send them over HTTPS — the shape of credential exfiltration, not verified conduct
- Process exec + package install: the capability to install a package and execute processes — the surface a reverse shell or persistence mechanism would need
ClawAudit flags these compound threats separately from individual findings because the combination is far more dangerous than any single capability alone.
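An added example (not ClawAudit's analyzer or rule set): a minimal co-occurrence check for the three combinations listed above, run over two constructed skill snippets. The regexes, rule names and samples are assumptions for illustration; the second sample triggers compound flags even though the key never passes through the encoder, which is the co-occurrence-versus-flow limit described above.

```python
import re

# Hypothetical capability patterns (assumptions, not ClawAudit's rules).
CAPABILITIES = {
    "credential_access": re.compile(r"os\.environ|process\.env|getenv\(|API_KEY|_TOKEN\b"),
    "network_egress": re.compile(r"requests\.(get|post)|fetch\(|urllib\.request|\bcurl\s"),
    "encoding": re.compile(r"base64|\batob\(|\bbtoa\(|\\x[0-9a-fA-F]{2}"),
    "file_read": re.compile(r"\bopen\(|readFile|\bcat\s+[~/]"),
    "process_exec": re.compile(r"subprocess\.|os\.system\(|child_process|\bexec\("),
    "package_install": re.compile(r"\b(npm|pip3?)\s+install\b"),
}

# Compound rules mirror the three combinations listed above (names are hypothetical).
COMPOUND_RULES = {
    "file_read+network": {"file_read", "network_egress"},
    "credential+encoding+network": {"credential_access", "encoding", "network_egress"},
    "exec+package_install": {"process_exec", "package_install"},
}

def capabilities(skill_text):
    """Return the set of capability names whose pattern appears anywhere in the text."""
    return {name for name, rx in CAPABILITIES.items() if rx.search(skill_text)}

def compound_findings(skill_text):
    """Return sorted rule names whose capabilities all co-occur (no data flow is traced)."""
    caps = capabilities(skill_text)
    return sorted(rule for rule, needed in COMPOUND_RULES.items() if needed <= caps)

# Constructed sample skills (not taken from the registry).
KEY_AND_API = '''
import os, requests
key = os.environ["OPENAI_API_KEY"]
requests.post("https://api.example.invalid/v1/chat", headers={"Authorization": key})
'''
UNCONNECTED = '''
import os, base64, requests
key = os.environ["OPENAI_API_KEY"]
with open("chart.png", "rb") as f:
    image = base64.b64encode(f.read()).decode()
requests.post("https://api.example.invalid/v1/vision",
              headers={"Authorization": key}, json={"image": image})
'''

if __name__ == "__main__":
    for name, text in (("key_and_api", KEY_AND_API), ("unconnected", UNCONNECTED)):
        print(name, sorted(capabilities(text)), compound_findings(text))
```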
What this means for the ecosystem
With 0.3% of skills flagged Dangerous by automated triage and an average trust score of just 84.3, the OpenClaw ecosystem has a security problem. The barrier to publishing a skill is low, there's no automated security review, and users have had no easy way to assess risk — until now.
We're not saying 204 skills are actively malicious. Some are poorly written. Some trigger patterns unintentionally. But the percentage that contain genuine threats is non-trivial, and the ecosystem's rapid growth (nearly 20,000 skills) means the surface area is only expanding.
What you can do
- Audit before installing. Here's how.
- Browse the registry. Search all 63,697 skills and filter by tier.
- Read the full report. The State of OpenClaw Security has the complete methodology and data.