The Most Dangerous Skills on OpenClaw in 2026

We ran every skill in the OpenClaw registry — 19,461 of them — through ClawAudit's static security analyzer. 3,183 scored below 40, earning a Dangerous rating. That's 16.4% of the entire ecosystem.

Here's what we found.

The numbers

The 3,183 dangerous skills collectively contain thousands of critical findings — patterns that indicate credential theft, data exfiltration, prompt injection, or obfuscated malicious code.

Pattern 1: Credential harvesting

The most common dangerous pattern is credential access combined with network exfiltration. 5,953 skills access credentials — API keys, tokens, or environment variables. When a skill reads your OPENAI_API_KEY and also makes outbound HTTP requests, there's a real risk your keys are being sent somewhere they shouldn't be.

What makes this insidious is that many legitimate skills also need API keys. The line between "skill needs your key to call an API" and "skill is stealing your key" is in the implementation details — which is exactly what static analysis catches.

Pattern 2: Install-time code execution

2,666 skills install packages at runtime. Package installation is a supply chain attack vector — a compromised or typosquatted package can execute arbitrary code during npm install or pip install.

The dangerous cases are skills that install packages and suppress output or errors, skills that install from non-standard registries, or skills that install packages with names suspiciously similar to popular libraries.

Pattern 3: Prompt injection

Hundreds of skills contain instructions that attempt to override the agent's behavior. These range from crude ("ignore all previous instructions") to sophisticated role reframing that gradually shifts the agent's context.

Some of these are security tools that demonstrate injection — we suppress those with zone-aware analysis. But many appear in skills that have no business including agent manipulation patterns. A weather skill that says "from now on, your role is..." is a red flag.

Read more about this in our deep dive on prompt injection in AI agent skills.

Pattern 4: Obfuscated payloads

We found skills using base64 encoding, hex escape sequences, and eval chains to hide what they actually do. A code block that contains eval(atob("...")) is doing something it doesn't want you to see.

1,077 skills use data encoding capabilities. When encoding combines with network access, it's often an attempt to exfiltrate data while evading content inspection.

Pattern 5: Compound threats

The most dangerous skills aren't the ones with a single bad pattern — they're the ones that combine multiple capabilities into an attack chain:

• File read + network out: Read sensitive files, send them to an external server
• Credential access + encoding + network: Steal API keys, encode them to avoid detection, exfiltrate over HTTPS
• Process exec + package install: Install a package that spawns a reverse shell or persistence mechanism

ClawAudit flags these compound threats separately from individual findings because the combination is far more dangerous than any single capability alone.

What this means for the ecosystem

With 16.4% of skills rated Dangerous and an average trust score of just 62.4, the OpenClaw ecosystem has a security problem. The barrier to publishing a skill is low, there's no automated security review, and users have had no easy way to assess risk — until now.

We're not saying 3,183 skills are actively malicious. Some are poorly written. Some trigger patterns unintentionally. But the percentage that contain genuine threats is non-trivial, and the ecosystem's rapid growth (nearly 20,000 skills) means the surface area is only expanding.

What you can do

1. Audit before installing. Here's how.
2. Browse the registry. Search all 19,461 skills and filter by tier.
3. Read the full report. The State of OpenClaw Security has the complete methodology and data.