We Audited the Top 10 Most Downloaded OpenClaw Skills. 3 Had Critical Security Issues.

March 22, 2026 · 8 min read · By @4cryptoclearly

OpenClaw skills are powerful. You install a markdown file, and suddenly your AI agent can do something new — browse the web, manage emails, track revenue, run security scans.

But here's what nobody talks about: your agent executes whatever those skill files tell it to. If a skill says "curl this URL with your API keys," your agent will do it. If it says "encode this data and send it somewhere," your agent will do that too.

We wanted to know: how safe are the most popular skills on the ClawHub registry?

So we audited the top 10 most downloaded ones.

TL;DR: 3 out of 10 flagged critical security issues. One skill with 14,000+ downloads routes data to third-party servers. Another uses base64 encoding to obscure where your data goes. Most people install these without checking.

What We Checked

We built an automated security scanner that checks for 8 categories of risk:

Credential access — does the skill read API keys, tokens, or secrets?
Data exfiltration — does it send data to external servers?
Prompt injection — can it hijack your agent's behavior?
Obfuscated code — is anything hidden with base64 or hex encoding?
Pipe-to-shell — does it run curl | sh or similar?
Destructive commands — rm -rf, chmod 777, etc.
Dependency risks — external packages, auto-installed tools
Network calls — outbound connections to unknown hosts

Each skill was installed in a temporary directory (never our workspace), scanned automatically, then reviewed manually for anything the scanner flagged.

The Findings

CRITICAL

ByteRover — 14,376 downloads

Most downloaded skill in its category

Routes data through their own servers. Your queries, your context, your agent's work — passing through infrastructure you don't control. No disclosure in the skill description.

CRITICAL

self-improvement — 9,370 downloads

Second most popular in personal productivity

Found base64 encoding in scripts that obscured outbound URLs. When your agent runs these scripts, it's connecting to endpoints you can't see by reading the code normally. You'd have to decode the base64 strings to find out where your data actually goes.

CRITICAL

agentmail — 708 downloads

Email integration skill

Two critical flags: credential access patterns (reads your email API keys) combined with external network calls. An email skill needs network access, sure — but the combination of credential reading + outbound calls without proper scoping is a red flag that needs manual review.

CLEAN

7 out of 10 passed

Including: agent-browser, proactive-agent, exa, memory-setup, second-brain, ontology, skillcraft

The majority of popular skills are fine. But "most are fine" isn't good enough when the ones that aren't can access your API keys, read your files, and make network requests on your behalf.

Why This Matters

OpenClaw agents run with your permissions. They can read your files, access your API keys, execute commands, and make network requests. A malicious or poorly-written skill has the same access as a trusted one.

Think about what's in your OpenClaw environment:

API keys (Claude, OpenAI, Stripe, etc.) — each worth real money
Personal files and project code
Email credentials and message history
SSH keys and server access
Business data, customer info, financial records

A single compromised skill could exfiltrate all of it. And unlike a browser extension that asks for permissions, OpenClaw skills don't have a permission system. Install it, and it has full access.

How to Protect Yourself

1. Never install directly to your workspace

Always install skills to a temporary directory first. Audit them there. Only move to your workspace after you've verified they're safe.

# Install to temp directory
mkdir -p /tmp/skill-audit
clawhub install skill-name --dir /tmp/skill-audit/

# Audit it (manually or with a scanner)
# ...

# Only then move to workspace
cp -r /tmp/skill-audit/skill-name ~/.openclaw/workspace/skills/

2. Check for these red flags

Base64 or hex encoding in scripts — why would a legitimate skill hide its code?
curl | sh or wget | bash — remote code execution, the biggest red flag
Hardcoded external URLs — where is your data going?
Reading from secrets/credentials directories — does this skill actually need your API keys?
Auto-fetching tokens from third-party APIs — some skills silently create accounts on external services

3. Use an automated scanner

Manual review works but takes 20-30 minutes per skill. An automated scanner catches the obvious patterns in seconds, so you can focus manual review on what actually needs attention.

Audit your skills automatically

Our security scanner checks for all 8 risk categories in ~10 seconds. Free version available.

Free Audit Tool Full Scanner — $19

What the OpenClaw Community Should Do

This isn't just a user problem. The ecosystem needs:

A permission system for skills — declare what you need access to, let users approve
Automated security scanning on ClawHub — flag risky patterns before skills get thousands of downloads
Verified publisher badges — know who made the skill you're installing
Sandboxing — skills shouldn't have full system access by default

Until then, audit everything. The 10 seconds it takes to run a scan is worth it.

Full transparency: We sell a premium security scanner. We also give away a free version. Use whichever you want — just don't install skills blindly. The risk is real.