Security Audit Finds 7.5% of OpenClaw AI Agent Skills Are Malicious

What Happened

RankClaw, a security scanning project, has completed AI-powered deep audits of nearly every skill in the OpenClaw/ClawHub ecosystem - the plugin marketplace that extends Claude-based agents with file, web, and shell access.

The numbers are stark:

  • 14,706 total skills indexed
  • 14,704 received full AI deep audit reports
  • 1,103 confirmed malicious (7.5% of all skills)

The project's most significant finding isn't just the count of bad skills. It's that traditional automated scanning - metadata checks, dependency analysis, pattern matching - systematically undercounts malicious entries. Skills that pass surface-level heuristics still fail when subjected to deeper AI-driven audits. In other words, the security tools most registries rely on are not catching what matters.

RankClaw published full audit reports for every single skill, making the data available for anyone to review at rankclaw.com.

Why It Matters

If you use Claude-based agents with third-party skills, this directly affects your threat model. OpenClaw skills can access your filesystem, make web requests, and execute shell commands. A malicious skill with those permissions can exfiltrate data, modify files, or establish persistence on your machine - all while appearing to do something useful.

A 7.5% malicious rate means roughly 1 in 13 skills in the ecosystem is actively harmful. That's not a rounding error. For context, studies of browser extension marketplaces and npm packages typically find malicious rates well under 1%. The OpenClaw ecosystem is an order of magnitude worse.

The deeper problem is the detection gap. If you're relying on a marketplace's built-in safety checks to protect you, those checks are likely using the same shallow heuristics that RankClaw proved insufficient. Malicious skill authors are writing code that looks clean on the surface - proper metadata, no obvious suspicious patterns - while hiding harmful behavior in execution paths that only trigger under specific conditions.

This affects anyone building workflows that depend on community-contributed agent extensions. The convenience of installing a skill with one click comes with real risk when the vetting process cannot keep up.

Our Take

This audit confirms what security researchers have been warning about since agent ecosystems started growing: the AI plugin supply chain is a mess. We've seen similar patterns with VS Code extensions and npm packages, but agent skills are worse because they typically get broader system permissions by default.

The 7.5% number is bad, but the detection gap is the real story. If automated scanning catches, say, half of malicious skills, then marketplace operators are giving users false confidence. A green checkmark next to a skill that passed automated review means very little if the review itself is superficial.

For practitioners, the takeaway is straightforward: treat every third-party agent skill like untrusted code. Read the source before installing. Limit permissions where possible. Prefer skills from known, auditable authors over anonymous uploads.

For the ecosystem builders - Anthropic, OpenClaw maintainers, and anyone running a skills marketplace - this data should force a rethink of the approval pipeline. AI-powered deep audits clearly catch things that pattern matching misses. That capability needs to be part of the submission process, not a third-party afterthought.

RankClaw did useful work here by making every audit report public. Transparency is the baseline. Now the question is whether the platforms will act on it.