Last week I published a 30-minute hardening guide for OpenClaw. The #1 risk on that list was third-party skills. Since then, the numbers have gotten worse.
820+ malicious skills are now on ClawHub — roughly 20% of the entire registry. That’s not a rounding error. That’s one in five skills being actively hostile to the agent that installs them.
But the number isn’t what makes this the biggest attack vector. The architecture is.
Why Skills Are Worse Than Prompt Injection
Prompt Injection vs Malicious Skill
───────────────── ─────────────────
Single conversation Every heartbeat cycle
Bounded by context Persistent execution
User might notice Runs silently
Mitigated by guardrails Bypasses all guardrails
Prompt injection gets all the attention. It’s dramatic — a website tricks your agent into doing something it shouldn’t. But prompt injection is bounded exposure. Your agent visits one bad page, processes one malicious input, and moves on. The exposure window is seconds.
Third-party skills are persistent exposure. When you install a skill, it doesn’t run once. It runs on every heartbeat cycle. If your agent has a 10-minute heartbeat, that skill executes 144 times per day. Each execution gives it access to:
- Your agent’s full context window
- Your agent’s memory files (read and potentially write)
- Your agent’s active tasks and outputs
- Any API credentials your agent has access to
- The ability to modify your agent’s behavior
A malicious skill isn’t like visiting a bad website. It’s like hiring a spy who sits in every meeting, reads every document, and reports back to someone else — 144 times a day.
What Malicious Skills Actually Do
Based on analysis of the ClawHub incidents and disclosed attack patterns, malicious skills fall into three categories:
1. Data Exfiltration Skills
These skills look like helpful utilities — “memory optimizer,” “context analyzer,” “performance monitor.” They provide real functionality. But on every heartbeat, they also scan for API keys, tokens, credentials, and personal information in the agent’s context, then transmit it to an external endpoint.
The clever part: they use your agent’s own web browsing capabilities to exfiltrate. The network traffic looks like your agent doing its normal work.
2. Behavior Modification Skills
These are harder to detect. They don’t steal data — they subtly alter how your agent reasons. A behavior modification skill might:
- Add instructions to your agent’s context that bias its decisions
- Modify memory files to change the agent’s personality or goals
- Insert hidden context that influences tool selection or output format
The agent still “works.” It just doesn’t work the way you intended. If you’re using your agent for business decisions, financial analysis, or security monitoring, a behavior modification skill can corrupt your outputs without you ever noticing.
3. Lateral Movement Skills
The most sophisticated category. These skills use your agent as a platform to attack other systems your agent has access to. If your agent can:
- Send emails → the skill sends phishing emails from your account
- Access databases → the skill queries sensitive tables
- Execute code → the skill installs backdoors on your machine
- Interact with other agents → the skill spreads to your other OpenClaws
This is the same lateral movement pattern from traditional malware, adapted for agent architecture.
Why Static Analysis Isn’t Enough
There are tools that scan skill code for malicious patterns. Some are quite good — Cisco’s skill-scanner uses LLM-based semantic analysis, and 3-4 open-source scanners can catch obvious data exfiltration.
But the hardest malicious skills are clean code that produces malicious behavior. The skill’s source code contains no suspicious patterns. Instead, it uses legitimate agent APIs in combinations that create harmful outcomes. Static analysis sees clean code. Behavioral analysis sees the harm.
This is analogous to the difference between antivirus (pattern matching) and EDR (behavioral detection) in traditional security. We solved the antivirus gap 15 years ago. We’re just now recognizing the same gap in agent security.
What to Do Instead
If you need a capability that a third-party skill provides, don’t install the skill. Instead:
- Read the skill’s source code to understand what it does
- Tell your agent: “Look at how this skill works and build me a local version”
- Review the agent’s version before enabling it
- You control the code. You can read every line. You know exactly what runs on every heartbeat.
This pattern — understand, rebuild, verify — is slower than clicking “install.” It’s also the only approach that gives you confidence in what’s running inside your agent.
For teams running multiple agents, this doesn’t scale manually. That’s why we’re building tools at Singularity Cybersecurity to automate skill security verification — including behavioral sandbox testing that catches what static analysis misses.
The Bigger Picture
The ClawHub malicious skill problem is a supply chain attack. It’s the npm/PyPI compromise pattern, adapted for agent architectures. The security industry solved (or at least mitigated) this for traditional package managers with tools like Snyk, Socket, and Dependabot.
Agent skill marketplaces need the same treatment. But the attack surface is larger because skills have access to the agent’s reasoning process, not just its execution environment. A malicious npm package can execute code. A malicious agent skill can change how your agent thinks.
That’s a fundamentally different — and harder — security problem.
Limitations
The 820 malicious skill count comes from community reporting and ClawHub registry analysis, not independent verification. ClawHub’s actual moderation practices and detection rates are not publicly documented. The comparison to prompt injection (bounded vs persistent exposure) is analytical — no controlled experiment directly measures the differential risk. Malicious skill definitions vary across the community.
What I’m Doing About It
At Singularity Cybersecurity, we’re building tools to address this gap — starting with SkillVet (behavioral sandbox scanning) and AgentArmor (runtime behavioral monitoring). The practical hardening guide is already live: How to Secure Your OpenClaw in 30 Minutes →
Rex Coleman is securing AI from the architecture up — building and attacking AI security systems at every layer of the stack, publishing the methodology, and shipping open-source tools. rexcoleman.dev · GitHub
If this was useful, subscribe on Substack for weekly AI security research — findings, tools, and curated signal.