ClawHub Security Risks: How to Audit Skills Before Installing

The OpenClaw + OpenCode pillar essay flagged the ClawHub problem in one paragraph: 8,000+ exposed instances, an unknown share with malicious skills, and Agent Trust Hub as the recommended fix. That's accurate but operationally useless if you can't or won't pay for verification.

This post is the manual audit checklist we use at our agency before any skill — verified or otherwise — touches a project machine. It works without Agent Trust Hub. It takes about 8 minutes per skill the first time, 2 minutes once you internalize the checks.

What you're actually defending against

A ClawHub skill is a manifest, a set of capability declarations, and code. It runs inside OpenClaw with whatever permissions the manifest claims. The threats, ranked by what we've seen in the wild:

1. File-system exfiltration. Skill claims to "organize your project" but reads ~/.ssh, ~/.aws, .env* files and exfiltrates over an outbound webhook. Most common.
2. Command-execution backdoor. Skill registers a shell command alias that does what it advertises plus establishes a reverse shell. Less common but seen.
3. Supply-chain on dependencies. The skill itself is clean; one of its declared deps was compromised between releases. Hard to detect manually.
4. Slow-burn data poisoning. Skill quietly modifies code generation behavior — adds a backdoor in your auth code, suggests a specific vulnerable pattern. Very rare but very nasty.

The first two account for ~95% of incidents we've heard about. They're also the ones manual review can actually catch.

The 8-minute audit

Before openclaw skills install <name>, do this:

1. Read the manifest's permission block

openclaw skills inspect <skill-name>

The output includes a permissions block. Compare what's declared to what the skill claims to do. Mismatches matter.

If the permissions don't match the description, stop. There's no benign reason for a code formatter to want network access to arbitrary domains.

2. Grep the source for outbound endpoints

openclaw skills source <skill-name> | grep -E "fetch\(|http\.get|curl|axios|webhook|discord\.com|telegram|pastebin"

You're looking for any HTTP destination that isn't an LLM provider you recognize. Discord webhooks and Telegram bot URLs are popular exfiltration channels because they look benign in a packet capture. Pastebin and ngrok URLs in skill source are an immediate stop.

3. Check what files the skill reads on init

Most skills do work in response to slash commands. Some do work on session start — that's where exfiltration tends to live, before you have a chance to react.

openclaw skills source <skill-name> | grep -A5 "on_start\|init\|activate"

Read every line of those handlers. If a skill that claims to format code is, on init, walking ~/ looking for .env* or id_rsa, you've caught the thing.

4. Look at the manifest version and changelog

openclaw skills changelog <skill-name>

Pattern that should worry you: a skill at v1.0–v1.5 that adds new capabilities without changing the user-facing description. "Just bug fixes" releases that add read:home are how supply-chain attacks land in skills you've already trusted.

If a skill's permission scope has grown over its history without a clear feature reason, the safest move is to pin to the last known-clean version:

openclaw skills install <skill-name>@1.2.0

5. Verify the publisher

openclaw skills publisher <skill-name>

This shows the publisher's GitHub or Hub identity, when they registered, and what other skills they've shipped. New publishers (registered < 30 days) with one skill should clear a higher bar — assume nothing about reputation.

Established publishers can still get compromised. A surprise change in publisher identity (account changed hands) is a strong signal to pin to the version before the change.

6. Test in a sandbox first

For any skill that requests read:home, read:project, write:project, or exec:shell:

# Spin up a throwaway OpenClaw session in a Docker container
docker run --rm -it -v $(pwd)/sandbox:/work openclaw/sandbox:latest
openclaw skills install <skill-name>
# Use it. Watch it. Then: docker rm

The sandbox image (openclaw/sandbox) ships with a network-monitoring layer that logs every outbound request. A clean skill will have zero outbound traffic except to declared LLM providers. Anything else is the conversation you wanted to have before installing on your real machine.

What "verified" means and doesn't mean

Agent Trust Hub's verification is real. They run roughly the same checks above plus continuous diff-monitoring on subsequent releases. A (verified) skill has cleared their audit pipeline.

What verification doesn't cover:

• Your specific threat model. Verification rules out malicious intent. It doesn't rule out a skill that's safe in general but inappropriate for your codebase (e.g., a skill that uploads diffs to a third-party LLM you can't legally share client code with).
• Future versions. A v1.0 verified skill that pushes a v2.0 with new permissions is verified for v1.0 only until ATH re-audits. Pin versions if you're not actively re-checking.
• Misconfiguration on your end. ATH can verify the skill doesn't read .env*. If you put your AWS keys in a file the skill does read, ATH didn't fail you — your config did.

Skills we've banned

Across our agency, we keep a shared deny-list. Currently:

• Anything with "auto-organize" or "smart cleanup" in the name. The capability ratio is always wrong.
• Skills that claim to "improve security" by reading every file in your project. The marketing tells you what they're doing.
• Skills with no source-published version. If we can't grep the code, we can't audit it.
• Skills whose publisher account is < 30 days old and lacks a signed identity.

This list isn't exhaustive — it's just the patterns that have wasted our time enough to be worth ruling out at the door.

What to do if you've already installed something risky

If after reading this you realize you've installed a skill that fails the checklist:

1. openclaw skills disable <name> immediately — disable, not just uninstall, so it can't run on next session start.
2. Check ~/.openclaw/audit.log for what the skill ran while active.
3. Rotate any credentials it could have read. Not "probably read" — "could have based on permissions." Cheap insurance.
4. openclaw skills uninstall <name> after step 3.
5. Review what other skills are installed using the same checklist. Risk patterns travel together.

The cost of a skill audit is 8 minutes. The cost of credential rotation across an agency after a confirmed exfiltration is a workday minimum. Audit first.

Further reading

For the broader picture on local AI agents and why ClawHub matters in the first place, see the OpenClaw + OpenCode pillar. If you're setting up the opencode-controller skill — one of the safer ones to start with, since it has no file or shell access — the install guide covers verification commands inline.