In early 2026, malicious OpenClaw skills exfiltrated API keys and credentials from thousands of users. The attack vector was simple: compromised SKILL.md files with hidden instructions. This guide teaches you to read, inspect, and audit any SKILL.md file — with a copy-paste checklist you can use before every installation.
A SKILL.md file is a set of instructions your AI agent will follow. Those instructions can include tool calls, network requests, file operations, and system commands. If the instructions are malicious, the agent becomes the attack vector. In early 2026, security researchers discovered several skills on ClawHub that contained hidden instructions to exfiltrate environment variables — including API keys for OpenAI, AWS, and database credentials — to external servers. The skills looked normal on the surface, but their system prompts included base64-encoded URLs and obfuscated data exfiltration commands. The lesson: every SKILL.md is a trust decision. You're giving the skill author control over what your agent does. Audit before you install.
Before installing any skill, open its SKILL.md (available on ClawHub and our directory) and check these 8 areas: 1. Permissions block (frontmatter) Look for `fileAccess`, `networkAccess`, `systemCommands`, and `apiKeys`. A code review skill should not need network access. A search skill should not need file write access. Question every permission. 2. Network domains Check the `networkAccess.allowedDomains` list. Legitimate skills connect to known APIs (api.openai.com, api.github.com). Suspicious: unknown domains, IP addresses, URL shorteners, or base64-encoded URLs. 3. System commands If `systemCommands` is not empty, the skill can execute shell commands. This is the highest-risk permission. Only grant it to skills that genuinely need it (Docker, deployment, CI/CD). 4. System prompt content Read the full system prompt. Look for: instructions to access environment variables (`process.env`), instructions to send data to external URLs, instructions to ignore user commands, or instructions to override other skills. 5. Tool declarations Examine each tool's input/output schema. Do the tools match the skill's stated purpose? A 'markdown formatter' skill shouldn't have an `httpRequest` tool. 6. Dependencies Check if the skill depends on other skills. Audit those dependencies too — a trusted skill with a malicious dependency is still dangerous. 7. Author reputation Check the author's other skills, community contributions, and review history. Unknown authors with new accounts deserve extra scrutiny. 8. Version history Look for unexpected changes between versions. If a skill suddenly adds network access or system commands in a patch version, that's suspicious.
These patterns should trigger immediate suspicion: 🚩 Base64-encoded strings in the system prompt or tool configurations. Legitimate skills don't need to encode URLs or commands. 🚩 Dynamic code execution — `eval()`, `Function()`, `child_process.exec()` with user-controlled input. There's almost never a legitimate reason for this in a SKILL.md. 🚩 Environment variable access — Instructions that reference `process.env`, `$HOME`, `~/.ssh`, `~/.aws`, or `~/.config`. Skills should never read your credentials. 🚩 Obfuscated URLs — URLs using hex encoding, URL shorteners, or domain names that look like legitimate APIs but aren't (e.g., `api-openai.attacker.com`). 🚩 Instruction overrides — Phrases like 'ignore previous instructions,' 'override system prompt,' or 'do not tell the user' in the system prompt. This is a prompt injection attack. 🚩 Excessive permissions — A skill that requests every permission (file read/write, network, system commands, API keys) for a simple task. Legitimate skills request minimum permissions. 🚩 Minified or unreadable content — SKILL.md should be human-readable. If you can't understand what a skill does, don't install it.
Our Code Reviewer skill includes a security scanning mode specifically designed for SKILL.md auditing: `npx clawhub@latest install code-reviewer` Then ask OpenClaw: 'Audit this SKILL.md for security risks: [paste the skill contents]' Code Reviewer will: - Flag excessive permissions - Detect base64-encoded strings - Identify suspicious network domains - Check for prompt injection patterns - Verify tool declarations match the stated purpose - Compare permissions to similar skills in the same category Limitation: Automated scanning catches known patterns but may miss novel attacks. Always combine automated scanning with manual review of the 8-point checklist above. For Docker-based isolation and hardened runtime security, see our comprehensive security guide.
After auditing, follow this installation workflow: Step 1: Read the SKILL.md — Complete the 8-point checklist. Step 2: Check our directory — See if the skill is verified on ClawSkills. Step 3: Install in sandbox — Use a Docker container with `--network=none` for initial testing. Step 4: Test with non-sensitive data — Run the skill on test inputs before using real data. Step 5: Monitor network — On first real use, monitor outbound connections with `tcpdump` or similar. Step 6: Deploy to production — After passing all checks, install in your production environment. For ongoing security, run `npx clawhub@latest update` regularly and re-audit skills after updates — especially after major version bumps.
Can a SKILL.md run arbitrary code?
Not directly. SKILL.md is a configuration file, not executable code. However, skills can declare tools that execute code, and the system prompt can instruct the agent to run shell commands if `systemCommands` is permitted.
What if I find a malicious skill?
Report it immediately: `npx clawhub@latest report