OpenClaw Skills: How to Spot Malware and Vet Before You Install
On this page
Installing an OpenClaw skill looks completely harmless. You find something on ClawHub, it’s a Markdown file, a few hundred words of instructions. You paste the install command. Done. Compared to installing software from the internet, it feels like nothing.
That’s the problem. It feels like nothing. But that skill now runs with your agent’s full permissions — your terminal, your files, your saved passwords, your SSH keys, your AWS credentials. There’s no sandbox. There’s no permission check. There’s no review process on ClawHub’s end. The barrier to publish a skill there is a Markdown file and a GitHub account that’s one week old.
Here’s the thing most people haven’t heard: deleting a malicious skill may not fix the problem. The worst ones in the ClawHavoc campaign rewrote your agent’s memory and config files before you even noticed anything was wrong. I’ll explain exactly how that works — and what to do about it — after we cover the numbers.
If you’re exploring what OpenClaw skills can do for your business, this is the part that comes before all the exciting use cases. Get the security layer right first.
What an OpenClaw Skill Actually Runs With
When you install a skill, it inherits everything your agent already has access to. No exceptions. No prompts asking what the skill is allowed to touch.
Some things only reveal themselves under the right light — and that includes what’s hiding inside a skill before you install it.
Shell execution
The skill can run terminal commands on your machine — the same commands you would type yourself.
Full filesystem access
Read and write to any file your user account can reach, including ~/.ssh/, ~/.aws/, .env files, and your agent's own config.
Saved credentials
Environment variables, API keys stored in config files, credentials for other connected services — all accessible.
Network access
The skill can send data outbound. To anywhere. There is no egress filter by default.
Persistent memory
Instructions written to memory files survive across sessions — and in some cases, survive deleting the skill itself.
There is no permission model — skills don’t declare what they need. No code signing — no way to verify a skill hasn’t been tampered with. No sandboxing — no runtime restrictions on what a skill can actually do. This isn’t speculation. This is documented in OpenClaw’s own GitHub issue tracker.
The ClawHavoc Numbers: How Bad Did It Get on ClawHub?
The ClawHavoc campaign, tracked as Trojan/OpenClaw.PolySkill, was the first coordinated malware campaign targeting OpenClaw and Claude Code users. Antiy CERT identified 1,184 malicious skills tied to 12 publisher accounts. One account alone pushed 677 skills.
At the campaign’s peak, over 800 confirmed unique malicious skill names represented roughly 20% of the total ClawHub registry. Some accumulated over 14,000 downloads before takedown. The payload was AMOS — the Atomic Stealer credential stealer — targeting macOS crypto wallets, SSH keys, and browser credentials.
Snyk’s February 2026 ToxicSkills audit — the largest scan of the skills ecosystem ever conducted — extended these findings. Of 3,984 skills from ClawHub and skills.sh, 534 carried at least one critical-level security issue. 76 were confirmed to contain active malicious payloads in their Markdown instructions. Eight remained publicly available on ClawHub as of publication date.
How MCP Tool Poisoning Works (in Plain English)
The sneakiest attack pattern isn’t malicious code buried in a shell script. It’s instructions hidden inside a tool’s description — text that you never see, but your AI agent reads and follows.
Invariant Labs demonstrated this clearly. They built a tool that appeared to do nothing but add two numbers. Completely harmless on the surface. But buried in the tool description — invisible to the user in the interface — was an instruction telling the agent to read the user’s SSH keys and configuration files, then pass their contents as a hidden parameter before returning the answer.
The user saw a simple addition result. Their private keys were already gone.
This works because the AI model sees the complete tool description, including hidden instructions, while the interface shows you a simplified summary. You click approve on what looks like ‘add numbers.’ The agent executes what the full description actually said.
Researchers also documented Unicode Tag smuggling — invisible characters (U+E0000–U+E007F) embedded in skill files that look like empty whitespace in any text editor but carry semantic instructions the model reads and follows. Anthropic patched this specific technique in the February 10, 2026 Claude Code release. The general technique applies to any agent platform that doesn’t explicitly strip these characters.
One more layer: when multiple skills are active at the same time, a malicious skill can poison the behavior of trusted ones. Invariant Labs showed a malicious ‘add numbers’ tool whose description contained instructions telling the agent to redirect all emails sent through a trusted email skill to an attacker’s address. The email skill itself was clean. The malicious skill hijacked it.
The Part Nobody Tells You: Deletion Doesn’t Always Work
Here’s what I promised to explain. The worst skills in the ClawHavoc campaign didn’t just steal credentials and leave. They wrote instructions into your agent’s persistent memory files — MEMORY.md, SKILL.md, and similar config files — before you caught them.
When you delete the skill, the Markdown file goes away. But the instructions it already wrote to your memory files? Still there. Still active. Your agent continues following them in every subsequent session because it reads those memory files at startup.
The Cloud Security Alliance briefing on agent context poisoning describes this plainly: a skill file is, by design, an unrestricted natural-language instruction set for an AI agent. When it writes to memory, those instructions become part of the agent’s operative context. The platform has no native mechanism to distinguish trusted developer instructions from attacker instructions written by a now-deleted skill.
Deleting the skill closes the door. It doesn’t undo what already walked through it.
This is why the audit steps at the end of this article include checking your memory files directly — not just your installed skills list.
Your Pre-Install OpenClaw Skills Vetting Checklist
Run through this before installing any skill from ClawHub or any other public registry. It takes five minutes. Most bad skills fail on step one or two.
Check the publisher account age and history
Click the publisher name on ClawHub. When was the account created? How many skills have they published? A skill from an account created last week with zero other skills is a significant warning sign. The ClawHavoc campaign used accounts as young as one week old to publish hundreds of malicious skills.
Read the full SKILL.md yourself — all of it
Don't skim. Read every line of the skill file before installing. You're looking for instructions that have nothing to do with the skill's stated purpose — requests to read files, pass environment variables, echo API keys, or contact external URLs. Malicious instructions are often buried after legitimate-looking setup text.
Paste the skill text into a Unicode inspector
Copy the raw skill Markdown and paste it into a Unicode character inspector (search 'Unicode character inspector' — several free tools exist). Look for characters in the U+E0000–U+E007F range. Their presence means invisible instructions are embedded that your editor won't show you but your agent will follow.
Check every external URL in the skill
Does the skill fetch content from external URLs at runtime? Does it clone external repositories? Does it download from GitHub releases by an unfamiliar account? Each external URL is a point where behavior can be changed after you install — the rug pull attack. If you don't recognize every domain, treat it as a red flag.
Verify the skill doesn't request credentials or ask for secrets in outputs
Legitimate skills don't ask you to echo API keys, paste credentials into prompts, or include sensitive values in command outputs. Any skill that asks for this is either poorly designed or malicious. Either way, don't install it.
Search for the skill name and publisher across security feeds
Run a quick search combining the skill name, publisher name, and 'malicious' or 'ClawHub.' Security researchers publish findings fast. If a skill appeared in the Snyk ToxicSkills corpus or OWASP Agentic Skills Top 10 reports, someone has likely written it up.
Why Automated Scanners Aren’t Enough for ClawHub Skills
You might be thinking: isn’t ClawHub scanning for this? The short answer is yes, partially — and researchers have already shown how to bypass those scanners.
Trail of Bits researchers bypassed malicious skill detectors for ClawHub, Cisco, and Vercel’s skills.sh platform using four techniques. Three of the four took less than one hour to develop. The methods — whitespace inflation to exceed scanner context limits, precompiled Python bytecode hiding, document-archive indirection, and socially engineering the AI-based scanner with persuasively framed prompts — require no novel research. They’re well-understood obfuscation techniques applied to a new surface.
This doesn’t mean scanners are useless. It means they’re a floor, not a ceiling. A scanner that catches 80% of malicious skills still misses the 20% written by anyone who spent an hour on it. Your own review is the layer that covers what automated detection misses.
The Cloud Security Alliance recommends extending existing software supply chain policies to explicitly cover agent context files — requiring content hash verification before loading skills into production, restricting which registries skills can be sourced from, and establishing internal approval workflows for new skills. The same discipline organizations apply to software dependencies.
Curated Catalog vs. Public Registry: Why It Matters for Your Setup
The underlying issue isn’t that ClawHub is unusually bad. It’s that any open registry without mandatory code signing, content integrity verification, and automated behavioral scanning will attract malicious submissions. The Cloud Security Alliance’s briefing compares ClawHub’s current state to npm and PyPI before supply chain security became a first-class concern — and both of those ecosystems had serious incidents before the community caught up.
For a solo business owner or small team running an agent like OpenClaw, the practical implication is this: a curated, scanned catalog with governed installs is meaningfully safer than trusting a public registry. Not because public registries are bad in principle, but because the current state of ClawHub security controls doesn’t yet match the permissions skills receive on install.
If your agent handles customer messages, client files, or business credentials, the blast radius of a compromised skill is your entire business context. That warrants the same caution you’d apply to any software with root access to your machine.
The AI agent platform you choose matters here too. Platforms that review skills before making them available, enforce install approval steps, and log tool invocations give you meaningful protection that a raw ClawHub install does not. We cover what to look for in our AI agent platform comparison if you’re evaluating options.
Your Monday Morning OpenClaw Skills Audit
What you’ll have when done: a clean verified list of your installed skills, checked memory files with no attacker-written instructions, and a repeatable process for every future install. Budget 30-45 minutes for the first pass.
List every installed skill
Open your OpenClaw skills directory and list every installed skill. Write them down. You're about to verify each one individually — don't skip any, including skills installed months ago.
For any skill installed January–February 2026, flag it for immediate review
The ClawHavoc campaign peaked during this window. Skills installed during this period have higher prior probability of being affected. Flag all of them and run the full six-step vetting checklist from above, even if you reviewed them at install time.
Open and read your MEMORY.md and SKILL.md files directly
Don't rely on your skills list. Open these files in a plain text editor. Read every line. Look for instructions that aren't in your own voice — particularly anything referencing external URLs, credential handling, or behavior that should apply 'before every request' or 'whenever' a certain tool is used. Attacker-written instructions often use those trigger patterns.
If you find suspicious content in memory files, do not just delete it
Remove the specific lines first. Then uninstall the associated skill if you can identify it. Then check your environment variables and API keys for any that may have been exposed — rotate any credential that could have been read during the period the skill was active. If the suspicious content references a specific external domain, block that domain at the network level.
Set a review threshold of zero new skills from single-skill publishers with accounts under 30 days old
This one filter would have blocked the majority of ClawHavoc campaign installs. Apply it as a standing rule. If a skill you want comes from a new single-skill account, wait 30 days and check whether the account has published more work and whether security researchers have reviewed it.
Enable whatever logging your setup supports for outbound network calls
Agent tool invocations and outbound connections should be logged. You don't need enterprise security tooling — even a simple proxy log tells you when your agent made an unexpected outbound call. Flag any connection to an endpoint you don't recognize within 24 hours of a new skill install.
Schedule this audit quarterly, not just when a campaign makes the news
Snyk's data showed skills being published at an accelerating rate — from under 50 per day in mid-January 2026 to over 500 per day by early February, a 10x increase in weeks. The threat surface grows every week. A quarterly review is the minimum reasonable cadence for anyone whose agent handles business-sensitive information.
For a deeper look at how agent governance fits into your overall setup, our guide on the real costs of running a personal AI agent covers the security and operational overhead that doesn’t show up in the monthly pricing.
OpenClaw Skills: What the Situation Means for Your Setup
- Snyk’s February 2026 audit of 3,984 skills found 36.82% contain at least one security flaw and 13.4% carry critical-level issues — these are confirmed findings, not theoretical risk.
- Skills run with full agent permissions: shell, filesystem, credentials, network. There is no sandbox and no permission model at ClawHub.
- MCP tool poisoning hides malicious instructions inside tool descriptions that your interface won’t show you but your agent reads and acts on — including after you approved the install.
- Rug pulls are real: a server can change its behavior after you’ve trusted it, with no new consent required.
- Deleting a malicious skill is not always enough — check your MEMORY.md and SKILL.md files directly for instructions that survived the removal.
- Automated scanners on ClawHub can be bypassed with techniques that take under an hour to develop — your own manual review is the layer that matters most.
- A curated, scanned catalog with governed installs is meaningfully safer than raw ClawHub installs for any agent handling business credentials or client data.
Frequently Asked Questions About OpenClaw Skills Security
Are OpenClaw skills safe to install from ClawHub?
Not without vetting. Snyk’s 2026 audit found over a third of ClawHub skills contain at least one security flaw. The safe approach is to manually read every skill file before installing, check the publisher account age and history, inspect for Unicode hidden characters, and avoid any skill that references external URLs you can’t verify. Skills from a curated, reviewed catalog carry meaningfully lower risk than raw ClawHub installs.
What permissions do OpenClaw skills have when installed?
A skill inherits the full permissions of the OpenClaw agent — shell execution, full filesystem access (including ~/.ssh/ and credential files), access to environment variables and API keys, and unrestricted outbound network access. There is no permission model, no code signing, and no sandboxing at ClawHub. A skill can read and write anything your user account can reach.
If I delete a malicious skill, am I safe?
Not necessarily. The worst skills in the ClawHavoc campaign wrote instructions into persistent memory files (MEMORY.md, SKILL.md) before deletion. Those instructions remain active across sessions even after the skill file is gone. After removing any suspicious skill, open your memory files directly in a text editor and read every line. Remove any instruction you didn’t write. Then rotate any credentials that may have been accessible during the period the skill was active.
What is an MCP tool poisoning attack?
Tool poisoning embeds malicious instructions inside a tool’s description — text the AI model reads but users typically can’t see in the interface. A tool that appears to perform a simple action (like adding two numbers) can carry hidden instructions telling the agent to read SSH keys, configuration files, or API credentials and transmit them to an attacker. Invariant Labs demonstrated this working against real agent platforms. The defense is to install skills only from sources where full tool descriptions are reviewed before publication.
Does ClawHub scan for malicious skills?
ClawHub has some scanning in place, but Trail of Bits researchers showed these scanners can be bypassed using four techniques, three of which took less than one hour to develop. Scanners catch a meaningful percentage of obvious malicious skills but miss obfuscated payloads. Your own manual review — reading the full SKILL.md, checking publisher history, inspecting for hidden Unicode characters — is the layer that covers what automated detection misses.
What is the ClawHavoc campaign?
ClawHavoc was the first documented coordinated malware campaign targeting OpenClaw users via ClawHub. Antiy CERT identified 1,184 malicious skills tied to 12 publisher accounts — one account alone pushed 677 packages. The payload was the AMOS (Atomic Stealer) credential stealer, which targets macOS crypto wallets, SSH keys, and browser credentials. At the campaign’s peak, roughly 1 in 5 skills on ClawHub was malicious, with some individual skills accumulating over 14,000 downloads before takedown.
Sources
- Snyk ToxicSkills Audit — February 2026
- Cloud Security Alliance: SKILL.md Agent Context Poisoning Briefing
- Invariant Labs: MCP Tool Poisoning Attacks
- BulwarkAI: ClawHavoc Campaign Analysis
- OWASP Agentic Skills Top 10 — AST01 Malicious Skills
- Cloud Security Alliance: AI Agent Skill Scanner Bypass Research
- OpenClaw GitHub Issue #10890: Skill Security Framework RFC