
OpenClaw ClaWHub Malicious Skills: What to Check Before Installing

The ClaWHub marketplace has grown to thousands of skills. Most are legitimate. Some are not. Here's the exact review process we use before installing any third-party skill into a production OpenClaw deployment.

S. Rivera, Security Researcher
Jan 28, 2025 (updated Feb 2025)
Key Takeaways

  • ClaWHub skills run inside your OpenClaw process and can access environment variables including API keys unless you isolate them
  • Always read the manifest.json permissions array before installing — mismatched permissions vs. claimed functionality is the clearest red flag
  • ClaWHub community badges indicate community vetting, not official security audits — treat all skills from unknown publishers as untrusted code
  • Run unfamiliar skills in an isolated instance with no production credentials before promoting to production
  • If you've installed a suspicious skill, disable it, rotate all credentials that were accessible, and review outbound network logs

A skill from an unknown ClaWHub publisher with 47 installs and no reviews just asked for exec and env-read permissions. You install it because the description looks useful. That's exactly how credential harvesting happens inside agent frameworks — and it's happened to real teams in the OpenClaw community.

Third-party skills are the most significant attack surface in any OpenClaw deployment. Unlike a web application where malicious content is sandboxed, a skill runs in-process with your agent. It operates with the permissions you grant it. This guide covers exactly what to check before that install button gets clicked.

Understanding the OpenClaw Permission Model

Every ClaWHub skill declares its required permissions in a manifest.json file at the root of the package. OpenClaw reads this manifest on install and shows you the permissions during confirmation. Most users click through without reading them. That's the problem.

The permissions that matter most, ranked by risk:

  • exec — can run shell commands inside your environment. Highest risk. Very few legitimate skills need this.
  • env-read — can read environment variables. This means API keys, tokens, and any secret injected via env vars.
  • file-write — can write to the filesystem. Used legitimately for caching, but also for persistence and exfiltration staging.
  • network — can make outbound HTTP requests. All exfiltration requires this. Legitimate skills should specify exactly which domains.
  • memory-write — can modify the agent's memory store. A compromised skill could inject false memories to alter agent behavior.
⚠️ The Credential Exfiltration Pattern

The most common malicious skill pattern: the skill requests env-read + network permissions and claims to need them for "API integration." On first run, it reads all environment variables and POSTs them to an external endpoint. The skill works as described in every other way, so users never notice. If a skill requests both env-read and network with no domain restrictions, that combination is high-risk.

Red Flags Before You Install

We've reviewed hundreds of ClaWHub skills as part of community security research. These are the patterns that correlate most strongly with malicious or poorly-secured packages.

Permission Mismatch

The clearest signal. A skill claiming to be a "text formatter" that requests exec permissions has no legitimate reason for that capability. Map every declared permission against the skill's stated functionality. If you can't explain why the skill needs a specific permission, don't install it.

No Source Repository Link

Legitimate skill publishers link to source code. If a skill has no GitHub, GitLab, or equivalent repository link in its ClaWHub listing, you cannot inspect what it's actually doing. Treat closed-source skills from unknown publishers as untrusted until proven otherwise.

Very Recent Publication + Aggressive Promotion

A skill published three days ago with 200 installs and a suspiciously high rating is almost certainly being artificially boosted. Real skills accumulate installs gradually. Instant popularity for new packages is a supply-chain attack indicator.

Typosquatting Popular Skill Names

Malicious publishers name skills openclaw-slack instead of openclaw-slack-connector, or memory-pro instead of memory-plugin. Always verify you're installing the exact canonical package name, not a lookalike.

ℹ️ Check the Publisher History

Click through to the publisher's ClaWHub profile before installing. A legitimate publisher has multiple skills with consistent review history spanning several months. An account created last week with one skill and no history is a risk signal — not a guarantee of malice, but worth factoring into your review.

How to Read the Skill Manifest

The manifest.json contains everything you need to make an installation decision. Here's what a clean, well-scoped manifest looks like versus what a concerning one looks like.

// ACCEPTABLE — specific, minimal permissions
{
  "name": "openclaw-weather",
  "version": "1.4.2",
  "permissions": ["network"],
  "network_domains": ["api.openweathermap.org"],
  "description": "Fetches weather data from OpenWeatherMap API"
}

// CONCERNING — broad permissions, no domain restriction
{
  "name": "openclaw-weather-pro",
  "version": "0.1.0",
  "permissions": ["network", "env-read", "exec"],
  "description": "Advanced weather with AI features"
}

The acceptable manifest specifies exactly which domain the network permission covers. The concerning manifest requests three high-risk permissions with no domain restriction and a vague description. That combination is a hard no for production.
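To make that review repeatable, here is a small manifest audit script. It is an added example, not part of the article or the OpenClaw tooling; it scores the two manifests above using the article's risk ranking and the env-read + network exfiltration pattern, and it assumes the network_domains key used in the acceptable manifest is the allowlist field.

```python
import json

# Risk weight per permission, following the article's ranking (highest first).
RISK = {"exec": 5, "env-read": 4, "file-write": 3, "network": 2, "memory-write": 2}

# The two manifests shown above, copied from the article for the demo.
ACCEPTABLE = '''{"name": "openclaw-weather", "version": "1.4.2",
  "permissions": ["network"], "network_domains": ["api.openweathermap.org"],
  "description": "Fetches weather data from OpenWeatherMap API"}'''
CONCERNING = '''{"name": "openclaw-weather-pro", "version": "0.1.0",
  "permissions": ["network", "env-read", "exec"],
  "description": "Advanced weather with AI features"}'''

def audit_manifest(raw: str) -> dict:
    """Score one manifest.json and list the findings a reviewer would raise."""
    m = json.loads(raw)
    perms = set(m.get("permissions", []))
    domains = m.get("network_domains", [])  # assumed allowlist key, as in the example above
    findings = []
    score = sum(RISK.get(p, 1) for p in perms)
    if "exec" in perms:
        findings.append("exec requested: shell access, rarely justified")
    if "env-read" in perms:
        findings.append("env-read requested: can read API keys from the process environment")
    if "network" in perms and not domains:
        findings.append("network without a network_domains allowlist")
    if {"env-read", "network"} <= perms:
        # The credential exfiltration pattern: read env vars, POST them out.
        score += 5
        findings.append("env-read + network: credential exfiltration pattern")
    if len(m.get("description", "").split()) < 6:
        findings.append("vague description, cannot map permissions to features")
    verdict = "reject" if score >= 5 else ("review" if findings else "ok")
    return {"name": m["name"], "score": score, "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    for raw in (ACCEPTABLE, CONCERNING):
        r = audit_manifest(raw)
        print(f'{r["name"]}: {r["verdict"]} (score {r["score"]})')
        for f in r["findings"]:
            print("  -", f)
```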

Auditing Skills Already Running

Already have installed skills you didn't vet properly? Here's the audit process.

  1. List all installed skills: openclaw skills list --verbose
  2. For each skill, review its manifest: openclaw skills inspect [skill-name]
  3. Check recent activity logs for unexpected network calls or file writes
  4. Cross-reference any skill with env-read or exec against your memory of what you intended to install
  5. For any skill you can't explain, disable it immediately: openclaw skills disable [skill-name]
💡 Set Up Outbound Network Logging

Enable OpenClaw's outbound request logging in gateway.yaml with log_outbound: true. This records every external HTTP call your agents and skills make, with the source skill identified. Review these logs weekly. Any call to an unexpected domain from a skill that "shouldn't need network access" is an immediate investigation trigger.
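The weekly log review can be automated by checking each logged call against the source skill's declared permissions. This is an added example, not the article's or OpenClaw's code: the exact log_outbound record format is not documented here, so the JSON-lines layout and the ts/skill/url field names are assumed, and both the log sample and the manifest table are constructed for the demo.

```python
import json
from urllib.parse import urlparse

# Constructed sample of outbound log entries (JSON lines); field names are assumed.
SAMPLE_LOG = """\
{"ts": "2025-02-03T10:00:01Z", "skill": "openclaw-weather", "url": "https://api.openweathermap.org/data/2.5/weather"}
{"ts": "2025-02-03T10:00:02Z", "skill": "openclaw-weather", "url": "https://telemetry.example.net/v1/beacon"}
{"ts": "2025-02-03T10:00:03Z", "skill": "text-formatter", "url": "https://collect.example.net/ingest"}
{"ts": "2025-02-03T10:00:04Z", "skill": "openclaw-weather-pro", "url": "https://203.0.113.7/upload"}
"""

# Network declarations per installed skill, as taken from their manifests (constructed).
MANIFESTS = {
    "openclaw-weather": {"permissions": ["network"], "network_domains": ["api.openweathermap.org"]},
    "openclaw-weather-pro": {"permissions": ["network", "env-read", "exec"]},
    "text-formatter": {"permissions": ["file-write"]},
}

def review_outbound(log_text: str, manifests: dict) -> list:
    """Return (skill, host, reason) for every call the skill's manifest does not justify."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        skill, host = entry["skill"], urlparse(entry["url"]).hostname
        m = manifests.get(skill, {})          # unknown skills fall through to "no permission"
        perms = m.get("permissions", [])
        allowed = m.get("network_domains", [])
        if "network" not in perms:
            flagged.append((skill, host, "skill has no network permission"))
        elif not allowed:
            flagged.append((skill, host, "network permission with no domain allowlist"))
        elif host not in allowed:
            flagged.append((skill, host, "host not in declared network_domains"))
    return flagged

if __name__ == "__main__":
    for skill, host, reason in review_outbound(SAMPLE_LOG, MANIFESTS):
        print(f"INVESTIGATE {skill} -> {host}: {reason}")
```

The weather skill's call to its declared API passes; the other three calls are each flagged with the reason a reviewer needs to act on.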

Sandboxing Skills You're Not Sure About

Sometimes you need a skill but aren't confident it's clean. The solution is sandboxed testing before production deployment.

The sandboxing approach that works reliably:

  • Spin up a separate OpenClaw instance with no production API keys — use placeholder values
  • Apply OS-level firewall rules to block all outbound traffic from the test process except to explicitly allowed domains
  • Install the skill and run it through its full feature set for at least one session
  • Review all outbound connection attempts in the firewall logs — blocked connections from a "simple text formatter" are a clear indicator
  • If no unexpected behavior, promote to production with defined permission constraints

Common Mistakes That Get Teams Compromised

The mistake most people make here is treating ClaWHub like a curated app store. It's more like a package registry. Quality control exists but is not comprehensive. Your security review is not optional.

Installing skills as root. Running OpenClaw as a privileged user means any skill with exec permissions has system-level access. Run OpenClaw as a dedicated low-privilege service account.

Not rotating credentials after a suspicious install. If you installed a skill and later discovered it was malicious, your credentials are already compromised. Rotation after removal is essential.

Assuming popular equals safe. Install counts can be gamed. Community reviews can be faked. A skill with 10,000 installs from an unverified publisher deserves the same scrutiny as a skill with 10.

Frequently Asked Questions

Can ClaWHub skills access my API keys and credentials?

Skills run in the same process as OpenClaw and can read environment variables unless you isolate them. A malicious skill with exec or file-read permissions can access anything in the process environment. Always review declared permissions in the skill manifest before installing — exec and env-read permissions deserve particular scrutiny.

How do I check what permissions a ClaWHub skill is requesting?

Every ClaWHub skill includes a manifest.json with a permissions array. Check it before installing. Permissions like exec, file-write, network, and env-read are high-risk. Compare what the skill claims to do against what permissions it requests — a weather skill requesting exec permissions is a red flag.

What should I do if I've already installed a suspicious skill?

Disable it immediately via the OpenClaw skills dashboard, then remove it. Review your logs for any unexpected outbound network requests or file writes since installation. Rotate any API keys or credentials that were accessible to the OpenClaw process. File a report with the ClaWHub maintainers so the skill can be reviewed.

Does ClaWHub do security review of published skills?

As of early 2025, ClaWHub does not perform mandatory code review on all submitted skills. Community-verified badges indicate community vetting, not official security audits. Treat all skills from unknown publishers as untrusted code and review the manifest and source before installing in any production environment.

How can I sandbox a skill I'm not sure about?

Run it in an isolated OpenClaw instance with no production credentials, limited network access via firewall rules, and restricted file permissions. Monitor all outbound connections and file system activity during a test period. Only promote to production after confirming the skill behaves exactly as documented.

What are the most common attack vectors in malicious ClaWHub skills?

The most common vectors are: credential harvesting via env-read followed by HTTP exfiltration, persistence via cron-style hooks in the skill lifecycle, and supply chain attacks where a legitimate skill's dependency is compromised. Review all declared dependencies in the skill manifest alongside the permissions list.

How do I report a malicious skill on ClaWHub?

Use the Report button on the skill's ClaWHub listing page. Include the specific behavior you observed, the skill version, and any log evidence. The ClaWHub moderation team reviews reports and can suspend skills pending investigation. Also notify the broader community in the OpenClaw security channel.

You now have the complete skill security review process: permission model understanding, red flags to catch before install, manifest reading, auditing what's already running, and sandboxing for uncertain cases. This entire review takes under five minutes for most skills and eliminates the most common attack vectors.

Start with your existing installed skills. Run openclaw skills list --verbose right now and work through the audit checklist. Any skill you can't justify keeping should be disabled today.

S. Rivera specializes in supply-chain security for AI agent frameworks, has audited over 300 ClaWHub skills as part of community security research, and contributed the permission model documentation to the OpenClaw project. Previously worked on threat intelligence for enterprise SaaS platforms.