Researchers discovered 1,184 malicious skills on ClawHub — OpenClaw's community skill marketplace — disguised as crypto trading tools, productivity plugins, and utility integrations. The campaign, dubbed ClawHavoc, deployed info-stealers, crypto wallet drainers, and persistent backdoors on the machines of users who installed them.
Separately, a Snyk scan of 3,984 skills across ClawHub and skills.sh found 534 (13.4%) with critical-severity vulnerabilities, and 76 confirmed malicious payloads.
This is a supply chain attack problem. OpenClaw skills run with the same permissions as OpenClaw itself — which on most setups means shell execution, file system access, and access to whatever channels you've connected. A malicious skill can read your files, exfiltrate your API keys, and persist across reboots.
Current status: ClawHub has removed the confirmed malicious skills from the ClawHavoc campaign. However, skills that haven't been reported may still be present, and new malicious skills continue to be submitted. The audit habits below protect you regardless of which skills are currently flagged.
Red Flags — Reasons to Reject a Skill Immediately
- 🚩Any crypto-related skill from an unknown author. Wallet integration, trading bots, DeFi tools — this was the primary attack vector in ClawHavoc. Treat all of these as high-risk until independently verified.
- 🚩Account created in the last 30 days with no other public activity. Attacker accounts are throwaway. A new account with one skill and no GitHub/social presence is a major warning sign.
- 🚩SKILL.md references external URLs for scripts or dependencies. Legitimate skills are self-contained. A skill that downloads additional code at runtime is an immediate reject.
- 🚩Shell commands in SKILL.md that exfiltrate data. Look for
curlorwgetcalls that send data to external servers. Even if disguised as "analytics" or "telemetry," reject any skill that sends data out. - 🚩Obfuscated JavaScript or minified code with no source. If the npm package has minified/obfuscated JS with no corresponding readable source, that's a deliberate attempt to hide behavior.
- 🚩Requests more permissions than the stated function requires. A notes-taking skill that requests exec access to your shell has no legitimate reason to do so.
Green Flags — Signs a Skill Is Trustworthy
- ✅Author has a public GitHub profile with a history of legitimate projects. Look them up. Real developers have footprints.
- ✅Skill is referenced in OpenClaw's official docs or the /r/openclaw wiki. Community-vetted skills get mentioned by name.
- ✅SKILL.md is readable plain text with no executable content. Skills that are pure instructions to the LLM (no npm deps, no shell commands) can't harm you.
- ✅Open source with readable code, active issue tracker, and recent commits. Not a guarantee, but maintained open source projects have community scrutiny.
- ✅Installed by hundreds or thousands of users with no reported issues. High install counts with no r/openclaw complaints are a reasonable signal.
The Skill Audit Process (5 Minutes Per Skill)
-
Read SKILL.md completely before installing
The full text of any skill is available on ClawHub before you install. Read it. Does it do what the description says? Does it reference external URLs or include shell commands that seem out of scope?
-
Check the author profile on ClawHub and GitHub
Click the author name. How long has the account existed? Do they have other skills or contributions? A GitHub profile with years of activity is much harder to fake than a fresh ClawHub account.
-
Search the skill name on Reddit and GitHub
Run:
[skill name] openclaw redditand[skill name] site:github.com. If real people are using it and reporting results, that's meaningful signal. If nobody mentions it anywhere, that's a yellow flag. -
For skills with npm deps — audit the package
If the skill installs npm packages, look them up on npmjs.com. Check the weekly downloads, the source repo, and the last publish date. New packages with no public source are a red flag.
# After installing, check what's in the skill directory ls ~/.openclaw/skills/[skill-name]/ cat ~/.openclaw/skills/[skill-name]/package.json
-
Test in a sandboxed environment first
If you're evaluating a skill for a production setup, test it on a machine without real credentials, wallet access, or sensitive data first. Any skill that "calls home" will do so during testing too.
How to Remove a Skill You're Unsure About
# List installed skills openclaw skills list # Remove a specific skill openclaw skills remove [skill-name] # Verify removal ls ~/.openclaw/skills/
After removing, restart the gateway to ensure the skill is fully unloaded:
openclaw gateway restart
If you installed a skill from the ClawHavoc period (before April 2026) and haven't audited it: treat it as potentially compromised. Remove it, rotate any API keys the skill had access to, and review your agent logs for unusual exec or network activity.
Skills That Are Always Safe
One category of skills carries essentially zero risk: pure SKILL.md skills with no dependencies. These are plain text instruction files — they tell the LLM how to behave, reference no external resources, and have no executable code. They cannot exfiltrate data or install backdoors.
The official skills that ship with OpenClaw, plus well-known community skills like the weather skill, calendar integrations, and the ClawReady skills we publish, fall into this category. If you want to limit your attack surface, prioritize pure-markdown skills over anything with an npm dependency tree.
Policy recommendation: Treat ClawHub skills like browser extensions — install only what you actually need, from authors you can verify. The functionality gain from a random skill is rarely worth the risk of a compromised machine.