We Scanned 200+ OpenClaw Skills. Here's What We Found.
The rise of AI agent skills
OpenClaw has become the largest registry for Claude Code skills, with 1,000+ community-contributed skills and top entries exceeding 140,000 downloads. Skills like Self-Improving Agent (1,576 stars, 137k downloads), Tavily Web Search (724 stars, 142k downloads), and Find Skills (597 stars, 136k downloads) are widely adopted.
But unlike npm packages or Docker images, there's no npm audit for agent skills. Users install them on trust alone. We decided to change that.
What we scanned
We used SpiderShield to scan 200+ skills from the OpenClaw registry (2,432 stars, 720 forks). Each skill was analyzed with `spidershield agent-check`, which evaluates:
- Skill description quality -- Does the SKILL.md clearly explain intent, scope, and boundaries?
- Security patterns -- Shell commands, file access, network calls, credential handling
- Agent configuration -- Sandboxing, auth, tool profiles, permission scope
Key findings
Grade distribution
| Grade | Count | Percentage |
|---|---|---|
| A (9.0+) | 0 | 0% |
| B (7.0+) | 0 | 0% |
| C (5.0+) | 36 | 90% |
| D (3.0+) | 1 | 2.5% |
| F (<3.0) | 3 | 7.5% |
Zero A or B grades. The best skills scored around 6.4/10 -- solid C grades. The majority cluster in the 5.0-6.5 range.
Top-scoring skills
| Skill | Score | What it does |
|---|---|---|
| byr-cli | 6.4 | CLI tool integration |
| soulflow | 6.3 | Workflow orchestration |
| mapping-skill | 6.3 | Map visualization |
| open-webui | 6.1 | Web UI integration |
| web-skills-protocol | 6.0 | Structured web interactions |
Common issues
- No sandboxing configuration -- Most skills don't specify any sandbox constraints. An agent running the skill has full access to the user's system.
- Unrestricted shell access -- Many skills use shell commands (`subprocess`, `os.system`, bash scripts) without declaring this capability or restricting scope.
- Vague skill descriptions -- SKILL.md files often describe *what* the skill does but not *what it can access*, *what it modifies*, or *when it should NOT be used*.
- No authentication guidance -- Skills that call external APIs rarely document required credentials or how they're stored.
- Missing error boundaries -- Almost no skills define failure modes or rollback behavior.
High-risk patterns
Some patterns we flagged deserve special attention:
- Desktop automation skills (mouse/keyboard control, screen capture) -- These have god-mode access to the user's system. Skills like Desktop Control (21k+ downloads) can execute arbitrary UI actions.
- Auto-updater skills -- Skills that automatically update themselves or other skills are potential rug-pull vectors. A compromised update could inject malicious behavior.
- Browser automation -- Skills controlling headless browsers can navigate to arbitrary URLs, fill forms, and exfiltrate data.
- Humanizer skills -- Explicitly designed to "bypass AI detection systems." While not malicious per se, this is a dual-use capability.
Why this matters
Unlike MCP servers, skills run inside the agent's context -- they share the agent's permissions, file access, and network capabilities. A malicious or poorly-written skill can:
- Read and exfiltrate files from your project directory
- Execute arbitrary shell commands with your user privileges
- Modify code in ways that persist after the session
- Access environment variables containing API keys and tokens
The OpenClaw registry acknowledges this: their README notes that "suspicious/malicious skills may be retained temporarily for analysis." But there's no automated vetting before skills are published.
Recommendations
For skill authors
- Document your scope -- Explicitly state what files, APIs, and system resources your skill accesses
- Minimize shell usage -- Avoid raw `subprocess` calls; use structured APIs when possible
- Declare side effects -- If your skill modifies files, sends network requests, or writes logs, say so
- Pin external dependencies -- Don't fetch scripts from URLs at runtime
For skill users
- Read the SKILL.md before installing -- check for shell commands and network calls
- Run `spidershield agent-check` on skills before adding them to your agent config
- Use allowlist mode -- Only permit skills you've explicitly reviewed
- Audit regularly -- Skills can be updated. Re-check after updates.
For OpenClaw / ClawHub
- Automated security scanning on skill submission (we'd love to help)
- Trust badges for skills that pass security review
- Capability declarations -- Require skills to declare what system resources they need
- Sandboxing guidance -- Recommend sandbox configurations for different skill categories
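As an added example (not SpiderShield's, OpenClaw's, or any skill author's code), here is a small checker in the spirit of the common issues listed above and the capability-declaration recommendation: it compares a hypothetical `capabilities:` line in SKILL.md with what the skill's Python source actually does, flags runtime fetching of code from URLs, and checks that the description says when the skill should not be used. The regex set, the scoring, the `capabilities:` front-matter format and the sample skill are all assumptions constructed for this example.

```python
import re

# Regexes for capabilities a skill body may exercise. The pattern set and the
# scoring below are constructed for this example; they are not SpiderShield's rules.
CAPABILITY_PATTERNS = {
    "shell": re.compile(r"\b(?:subprocess\.\w+|os\.system|os\.popen)\s*\("),
    "network": re.compile(r"\b(?:requests\.\w+|urllib\.request|httpx\.\w+)\b"),
    "env": re.compile(r"\bos\.(?:environ|getenv)\b"),
    "files": re.compile(r"\b(?:open\s*\([^)]*['\"][wa]|shutil\.\w+|os\.remove)"),
}
# Fetching code from a URL at runtime is flagged whether or not it is declared.
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b[^\n;|]*https?://|pip install[^\n]*https?://")

def declared_capabilities(skill_md: str) -> set:
    """Read a hypothetical 'capabilities: a, b' line from SKILL.md (assumed format)."""
    m = re.search(r"^capabilities:\s*(.+)$", skill_md, re.MULTILINE)
    return {c.strip() for c in m.group(1).split(",")} if m else set()

def detect_capabilities(source: str) -> set:
    return {name for name, pat in CAPABILITY_PATTERNS.items() if pat.search(source)}

def audit_skill(skill_md: str, sources: dict) -> dict:
    """Compare what SKILL.md declares with what the skill's files actually do."""
    declared = declared_capabilities(skill_md)
    used = set().union(*(detect_capabilities(s) for s in sources.values()))
    findings = [f"uses '{c}' without declaring it in SKILL.md" for c in sorted(used - declared)]
    if any(REMOTE_FETCH.search(s) for s in sources.values()):
        findings.append("fetches code from a URL at runtime (unpinned dependency)")
    if not re.search(r"\b(?:do not use|should not be used|out of scope)\b", skill_md, re.I):
        findings.append("SKILL.md never states when the skill should NOT be used")
    score = max(0.0, 10.0 - 1.5 * len(findings))  # constructed scoring: 1.5 points per finding
    return {"declared": declared, "used": used, "findings": findings, "score": score}

# Constructed sample skill: declares only 'network' but also shells out, reads a token
# from the environment, and pulls a helper script from a URL at runtime.
SAMPLE_SKILL_MD = """name: fetch-and-summarize
capabilities: network
Fetches a page and summarizes it. Do not use on authenticated pages.
"""
SAMPLE_SOURCES = {"run.py": """import os, subprocess, requests
token = os.environ["API_TOKEN"]
subprocess.run(["curl", "-sO", "https://example.invalid/helper.py"])
requests.get("https://api.example.invalid/summarize", headers={"Authorization": token})
"""}

if __name__ == "__main__":
    report = audit_skill(SAMPLE_SKILL_MD, SAMPLE_SOURCES)
    print(f"score {report['score']:.1f}/10")
    for finding in report["findings"]:
        print(" -", finding)
```

On the constructed sample this reports three findings (undeclared `env` and `shell` use, plus the runtime fetch) and a score of 5.5, i.e. the C range most scanned skills landed in.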
Try it yourself
Scan any OpenClaw skill locally:
pip install spidershield
spidershield agent-check /path/to/agent/config
Or browse all skill ratings at spiderrating.com/servers.
What's next
We're continuing to scan the full OpenClaw registry and will publish updated ratings weekly. We're also working on a Skill Trust Badge that authors can embed in their SKILL.md to show their security rating.
The agent skill ecosystem is still young. Building security awareness now -- before a major incident -- is the best investment we can make.