In early 2025, a security researcher published a report called "ClawHavoc."
The findings were uncomfortable: after auditing 11,400 skills published to ClawHub (the community skill repository for OpenClaw), they identified 800+ packages with critical security issues. Some exfiltrated API keys. Some ran up API bills silently. Some opened backdoors into the host machine.
That's roughly 7% of all skills having a critical security flaw.
The OpenClaw core team responded quickly. The worst offenders were removed. Security guidance was updated. But the underlying problem — that ClawHub is a community-contributed marketplace with no mandatory security review — hasn't fundamentally changed.
What a Trojanized Skill Actually Does
Most malicious skills aren't trying to destroy your system. They're trying to extract value quietly, without triggering alarms.
Here's how the most common attack vectors work:
Exfiltrating API Keys
Your OpenClaw instance stores API keys in environment variables. A malicious skill can read these and send them to an external server. The call is disguised as a legitimate outbound request — maybe a webhook, maybe a fake analytics ping.
By the time you notice the $500 overage charge from the API provider, the key has been used (and rotated to a new account the attacker controls).
Silent API Billing
Some skills make API calls in the background that aren't visible in the OpenClaw logs. They might call a cheap model to keep the billing invisible, or they might wait until your instance is idle to run large batch jobs.
One user reported $3,600 in API charges from a skill they installed 6 weeks earlier. The skill appeared to work correctly. The billing ran in background threads.
Host Machine Access
The most dangerous category: skills that use OpenClaw's code execution capabilities to run commands on the host machine. If OpenClaw is running with elevated permissions (which many self-hosted setups do by default), this can mean full system compromise.
The real risk isn't just your API keys
If your OpenClaw instance has access to your filesystem, databases, or other services, a compromised skill can reach those too. Many people run OpenClaw on the same machine as their production database or business files. A trojanized skill that gets that far isn't just an API bill problem.
How to Vet Skills Before Installing
If you're self-hosting, here's a practical checklist:
Step 1: Read the Source Code
Every ClawHub skill has a public repository. Before installing, review:
- All network calls (
fetch,axios,http.get, etc.) — where are they sending data? - All file system operations — is it reading or writing anywhere unexpected?
- Environment variable access — which env vars does it touch?
- Subprocess or shell commands — is it executing anything on the host?
This takes 15–30 minutes per skill. It's the only reliable method.
Step 2: VirusTotal Scan
Upload the skill's main files to VirusTotal. This catches known malware signatures but misses custom-written exploits. It's a necessary first step, not a complete solution.
Step 3: Sandbox Testing
Run new skills in an isolated environment before deploying to your main instance. Docker containers with network restrictions and no access to production env vars. Test for 24–48 hours and monitor outbound network traffic.
Step 4: Check the Author
How many other skills has this author published? What's their GitHub history like? How many stars/installs does the skill have? A skill with 12,000 installs from an author with 3 years of OpenClaw community history is lower risk than a new skill from an account created last week.
The 13-point checklist from Upwork
One security specialist on Upwork charges $125–$500 per deployment to run a 13-point security audit on each skill before installation. We've seen their checklist. It's thorough. It's also exactly what Clawfleet's automated verification does on every single skill in the marketplace.
What Clawfleet's Curated Security Layer Does
We don't publish every ClawHub skill to Clawfleet's marketplace. We curate.
Before any skill reaches a Clawfleet instance:
- Automated static analysis — every network call, file operation, and subprocess is flagged for human review
- VirusTotal verification — all binaries and scripts are scanned
- Sandboxed execution testing — the skill runs in an isolated environment with network monitoring enabled
- Outbound traffic review — any call to an unexpected external endpoint is a disqualifier
- Author verification — new authors go through additional scrutiny
The result: zero Clawfleet users were affected by the ClawHavoc incident. Every skill that was identified as malicious in that audit was already blocked from Clawfleet's marketplace.
The Uncomfortable Trade-Off of Self-Hosting
Self-hosting gives you control. It also gives you responsibility.
You can absolutely run a safe, secure OpenClaw installation without Clawfleet. Many people do. But it requires:
- Time to audit skills before installation
- Discipline to not skip the checklist when you're in a hurry
- Infrastructure to sandbox new skills before deploying
- Ongoing monitoring for unexpected behavior
Most people don't have that time. Most people install skills without auditing them, because they're small tools from the community and it feels like overkill.
That's how 7% becomes a meaningful risk.
Deploy with verified skills only
Every skill in the Clawfleet marketplace has passed our security review. No auditing required.