How to Scan OpenClaw Skills for Malicious Code
OpenClaw's skill system is one of its most powerful features. You can extend your agent with community-built skills that add capabilities—web scraping, API integrations, data processing, and more. But every skill you install is code that runs on your machine, often with access to your files, network, and credentials.
That's a significant trust decision. And unlike browser extensions or mobile apps, there's no app store review process filtering out the bad actors. It's on you to verify what you're installing.
This guide covers the real threats in OpenClaw skills and how to catch them—manually and with automated scanning.
The Threat Model: What Can Go Wrong
A malicious or poorly-written OpenClaw skill can:
- Exfiltrate data — Read your files, environment variables, or API keys and send them to an external server
- Execute arbitrary commands — Run shell commands that install backdoors, crypto miners, or other malware
- Modify agent behavior — Inject instructions into your agent's SOUL.md or other config files to change its behavior silently
- Establish persistence — Create cron jobs, systemd services, or startup scripts that survive skill uninstallation
- Pivot to other systems — Use your network access to scan or attack internal services
This isn't theoretical. As AI agent ecosystems grow, they become targets—just as npm, PyPI, and browser extensions were before them.
Manual Audit: What to Look For
Before installing any third-party skill, read through its files. Here are the specific red flags:
1. Outbound Network Requests
Legitimate skills rarely need to phone home. Search for URLs, IP addresses, and network-related patterns:
# Search for suspicious outbound connections in a skill directory
grep -rn "http[s]*://" ./skill-directory/ | grep -v "# " | grep -v "example.com"
grep -rn "curl\|wget\|fetch\|request" ./skill-directory/
grep -rn "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" ./skill-directory/Any URL that isn't documented in the skill's README is suspicious. Encoded or obfuscated URLs are a major red flag.
2. Environment Variable Access
Skills shouldn't need your API keys unless they're explicitly documented to require them:
# Check for environment variable access
grep -rn "env\|ENV\|process\.env\|os\.environ\|\$[A-Z_]" ./skill-directory/
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD\|CREDENTIAL" ./skill-directory/3. File System Operations Outside the Skill Directory
A skill that reads your SSH keys or writes to system directories is almost certainly malicious:
# Check for suspicious file access
grep -rn "\.ssh\|\.env\|\.gnupg\|/etc/passwd\|/etc/shadow" ./skill-directory/
grep -rn "readFile\|writeFile\|fs\.\|open(" ./skill-directory/
grep -rn "chmod\|chown\|/tmp/\|/var/" ./skill-directory/4. Shell Command Execution
The most dangerous pattern. Any skill that asks the agent to execute raw shell commands should be treated with extreme suspicion:
# Check for command execution patterns
grep -rn "exec\|spawn\|system\|popen\|subprocess\|child_process" ./skill-directory/
grep -rn "bash\|/bin/sh\|eval(" ./skill-directory/
grep -rn "base64\|decode\|atob\|Buffer\.from" ./skill-directory/5. Prompt Injection in SKILL.md
This is unique to AI agent skills. A SKILL.md file can contain hidden instructions that override the agent's safety settings:
# Look for prompt injection patterns
grep -rn "ignore previous\|disregard\|override\|new instructions" ./skill-directory/
grep -rn "you are now\|forget everything\|act as" ./skill-directory/
# Check for invisible Unicode characters used to hide instructions
cat -A ./skill-directory/SKILL.md | grep -P "[\x80-\xff]"A well-crafted prompt injection can make your agent silently forward data to an attacker while appearing to function normally.
Automated Scanning: Building a Checker
Manual audits are thorough but slow. Here's how to automate the basics with a simple scanning script:
scan-skill.sh#!/bin/bash
SKILL_DIR="$1"
ISSUES=0
echo "🔍 Scanning skill: $SKILL_DIR"
echo "================================"
# Check for outbound URLs
URLS=$(grep -rn "http[s]*://" "$SKILL_DIR" 2>/dev/null | grep -cv "example\|localhost\|# ")
if [ "$URLS" -gt 0 ]; then
echo "⚠️ Found $URLS outbound URL references"
grep -rn "http[s]*://" "$SKILL_DIR" | grep -v "example\|localhost\|# "
ISSUES=$((ISSUES + 1))
fi
# Check for env/credential access
CREDS=$(grep -rcn "API_KEY\|SECRET\|TOKEN\|PASSWORD" "$SKILL_DIR" 2>/dev/null | \
awk -F: '{s+=$2}END{print s}')
if [ "$CREDS" -gt 0 ]; then
echo "⚠️ Found $CREDS credential-related references"
ISSUES=$((ISSUES + 1))
fi
# Check for shell execution patterns
EXEC=$(grep -rcn "exec\|spawn\|system\|popen\|subprocess\|/bin/" "$SKILL_DIR" 2>/dev/null | \
awk -F: '{s+=$2}END{print s}')
if [ "$EXEC" -gt 0 ]; then
echo "🚨 Found $EXEC command execution patterns"
ISSUES=$((ISSUES + 1))
fi
# Check for base64/encoding
B64=$(grep -rcn "base64\|decode\|atob\|btoa" "$SKILL_DIR" 2>/dev/null | \
awk -F: '{s+=$2}END{print s}')
if [ "$B64" -gt 0 ]; then
echo "🚨 Found $B64 encoding/decoding patterns"
ISSUES=$((ISSUES + 1))
fi
# Check for sensitive file paths
SENSITIVE=$(grep -rcn "\.ssh\|\.env\|\.gnupg\|/etc/passwd\|/etc/shadow" "$SKILL_DIR" 2>/dev/null | \
awk -F: '{s+=$2}END{print s}')
if [ "$SENSITIVE" -gt 0 ]; then
echo "🚨 Found $SENSITIVE references to sensitive file paths"
ISSUES=$((ISSUES + 1))
fi
echo "================================"
if [ "$ISSUES" -eq 0 ]; then
echo "✅ No obvious issues found. Manual review still recommended."
else
echo "⚠️ Found $ISSUES potential issues. Review carefully before installing."
fiSave this script and run it against any skill before installation:
chmod +x scan-skill.sh
./scan-skill.sh ~/.openclaw/skills/some-third-party-skill/Best Practices for Skill Security
- Read the source. Every line. If a skill is more than a few hundred lines, that itself is worth questioning—most skills should be simple.
- Check the author. Is there a real person or organization behind the skill? Do they have a track record?
- Pin versions. Don't auto-update skills. Review each update before applying it.
- Use least privilege. Configure your agent's capabilities to only grant what each skill actually needs. A data-processing skill doesn't need email access.
- Monitor network traffic. Run
tcpdumpornethogswhile testing a new skill to see if it phones home. - Sandbox first. Test new skills in a VM or container before running them on your main system.
- Audit periodically. Skills you installed six months ago might have been fine then. Re-check them after updates.
What About OpenClaw's Built-in Security?
OpenClaw has capability restrictions (you can limit what tools an agent can use) and exec policies (allowlist mode, deny mode). These help, but they're not foolproof—especially against prompt injection attacks that work within the agent's granted permissions.
Think of OpenClaw's security as the lock on your front door. Skill auditing is checking who you're letting in.
Automate Your Skill Audits
Security Scanner is an OpenClaw agent that automatically audits every skill in your setup. It checks for data exfiltration, command injection, prompt manipulation, credential access, and suspicious network activity. Runs on-demand or on a schedule, with detailed reports delivered to Telegram or Discord.
$49
One-time purchase · Scan unlimited skills · 30-day money-back guarantee
Get Security Scanner →