Research Report

State of OpenClaw Security

March 2026 · Based on static analysis of 19,461 skills · By 4Worlds

Executive Summary

We scanned every skill in the OpenClaw registry — 19,461 in total — using ClawAudit's static analysis engine. The results paint a concerning picture: 16.4% of skills were flagged as Dangerous, meaning they contain critical security threats such as prompt injection, credential exfiltration, or obfuscated payloads. Only 31.8% achieved a Trusted rating.

The average trust score across the registry is 62.4/100 — firmly in the Caution tier. This means the typical skill warrants manual review before installation.

Methodology

ClawAudit performs zone-aware static analysis on SKILL.md files. It parses the markdown structure, classifies content zones (prose, code blocks, YAML frontmatter, headings), and applies 60+ detection patterns weighted by zone context. Code blocks are treated as executable instructions and weighted higher than prose descriptions. Security documentation — sections describing threats as warnings — is suppressed to avoid false positives.

Each skill receives a trust score from 0 to 100 based on the severity and quantity of findings, positive trust signals (version numbers, documentation, metadata), and the presence of compound threats (e.g., file read + network out = potential data exfiltration).

Trust tiers:

  • Trusted (80-100): No significant issues. 6,182 skills (31.8%)
  • Caution (60-79): Minor concerns, review recommended. 6,092 skills (31.3%)
  • Risky (40-59): Significant issues found. 4,004 skills (20.6%)
  • Dangerous (0-39): Critical threats detected. 3,183 skills (16.4%)

Findings by the Numbers

4,895
Critical findings
1,457
High severity
10,562
Total findings

Across the entire registry, we detected 10,562 security findings. Of these, 4,895 are critical severity — patterns like credential harvesting from environment variables, obfuscated eval chains, or direct prompt injection attempts.

Capability Landscape

Understanding what capabilities skills request reveals the attack surface of the ecosystem. The most commonly detected capabilities are:

file_write
31.8%
credential_access
30.6%
network_out
21%
network_in
13.9%
package_install
13.7%
file_read
11.7%
data_encoding
5.5%
agent_memory
3.5%
process_exec
1.4%
dynamic_eval
0.8%

31.8% of skills have file_write capabilities. When file write access combines with network access, it creates a potential exfiltration channel — and 4,081 skills have outbound network capabilities.

Common Threat Patterns

Credential Access

5,953 skills (30.6%) access credentials — environment variables, API keys, or token files. While many of these are legitimate (API integrations require keys), the sheer volume means the ecosystem normalizes credential access, making malicious credential harvesting harder to spot.

Package Installation

2,666 skills install packages at runtime. This is a supply chain risk — a compromised dependency could execute arbitrary code during installation. Skills that install packages and have network access create a particularly dangerous combination.

Prompt Injection

We detected prompt injection patterns — attempts to override agent instructions, manipulate system prompts, or hijack agent behavior — in hundreds of skills. Some are benign (security tools demonstrating attacks), but many appear in unexpected contexts.

Recommendations

  1. Audit before installing. Use ClawAudit or similar tooling to check skills before adding them to your agent. A 30-second scan can prevent credential theft.
  2. Review credential requirements. If a skill asks for API keys, verify it actually needs them. Overprivileged skills are a red flag.
  3. Watch for compound threats. A skill that reads files and makes network requests could be exfiltrating data. Individual capabilities are fine; certain combinations are not.
  4. Sandbox untrusted skills. Run skills with minimal permissions. Don't give file system or network access unless required.
  5. Registry-level gatekeeping. OpenClaw should consider automated security scanning as part of the skill submission process.

Limitations

ClawAudit is a static analyzer — it reads SKILL.md files and applies pattern matching. It cannot execute code, trace data flows, or detect novel obfuscation techniques. False positives occur (estimated <5%), particularly for security tools that describe attack patterns in their documentation. False negatives are possible for highly obfuscated or novel attack vectors.

This report represents a snapshot as of March 2026. The registry is constantly changing as skills are added, updated, and removed.

Want to audit a specific skill? Use the free API or browse the registry.