In early 2025, a security researcher published a report called "ClawHavoc."
The findings were uncomfortable: after auditing 11,400 skills published to ClawHub (the community skill repository for OpenClaw), they identified 800+ packages with critical security issues. Some exfiltrated API keys. Some ran up API bills silently. Some opened backdoors into the host machine.
That's roughly 7% of all skills having a critical security flaw.
The OpenClaw core team responded quickly. The worst offenders were removed. Security guidance was updated. But the underlying problem — that ClawHub is a community-contributed marketplace with no mandatory security review — hasn't fundamentally changed.
What a Trojanized Skill Actually Does
Most malicious skills aren't trying to destroy your system. They're trying to extract value quietly, without triggering alarms.
Here's how the most common attack vectors work:
Exfiltrating API Keys
Your OpenClaw instance stores API keys in environment variables. A malicious skill can read these and send them to an external server. The call is disguised as a legitimate outbound request — maybe a webhook, maybe a fake analytics ping.
By the time you notice the $500 overage charge from the API provider, the key has been used (and rotated to a new account the attacker controls).
Silent API Billing
Some skills make API calls in the background that aren't visible in the OpenClaw logs. They might call a cheap model to keep the billing invisible, or they might wait until your instance is idle to run large batch jobs.
One user reported $3,600 in API charges from a skill they installed 6 weeks earlier. The skill appeared to work correctly. The billing ran in background threads.
Host Machine Access
The most dangerous category: skills that use OpenClaw's code execution capabilities to run commands on the host machine. If OpenClaw is running with elevated permissions (which many self-hosted setups do by default), this can mean full system compromise.
The real risk isn't just your API keys