QWE AI Academy You install a skill to read your Gmail. Two days later, your SSH keys are gone. The skill looked fine – clean description, reasonable permissions, even a few stars on ClawHub. What you didn’t see was the delayed payload buried in a fake “prerequisite” section.
February 2026. Hundreds of users. Same attack.
The Problem: Skills Are Not Plugins
Most tutorials compare OpenClaw skills to npm packages or browser extensions. Wrong. 1Password’s security research puts it plainly: “markdown isn’t content in an agent ecosystem – markdown is an installer.”
You install a skill, you’re not adding a feature. You’re giving instructions to something that can already read your files, run shell commands, and access whatever services you’ve connected. The skill just teaches it what to do with that power.
Late February 2026: Koi Security identified 820+ malicious skills on ClawHub. Total skills? 13,729. One in seventeen packages. The campaign – ClawHavoc – delivered Atomic macOS Stealer (AMOS), malware that costs attackers $500-1K/month to rent. Malicious skills waited 24-48 hours before activating. By the time victims noticed, the connection was gone.
How Skills Actually Work
Each skill is a folder. Inside: a SKILL.md file with YAML frontmatter and markdown instructions. That’s it. No compiled code, no sandboxed runtime. Just a text file your agent reads and follows.
Structure from OpenClaw’s official docs:
my-skill/
SKILL.md
helper-script.py # optional
config.json # optionalSKILL.md contains frontmatter (metadata like name, description, required binaries) and instructions (what to do when triggered). OpenClaw loads bundled skills plus optional local overrides, filtering at load time based on environment, config, and whether required binaries are present.
Three places skills live: <workspace>/skills (highest priority) → ~/.openclaw/skills → bundled skills (lowest). Name conflict? Workspace version wins. Always. Zero warning.
Think about trust for a second. You trust npm because packages are sandboxed and reviewed. You trust browser extensions because they declare permissions upfront. OpenClaw skills? They inherit every permission you already gave the agent. The install step doesn’t ask for anything new – it just assumes you’ve decided to trust this markdown file with the same access you gave OpenClaw itself. That’s the gap.
The Silent Override Trap
Precedence causes a specific failure. You install a bundled skill like summarize. Works fine. Later, you create a custom skill in your workspace folder and name it summarize too. Your version overrides the bundled one. Invisibly. OpenClaw doesn’t warn you. Original skill stops working.
Fix: check openclaw skills list to see which version is active. But the error is silent. You won’t check until something breaks.
Installing Skills: Three Methods
ClawHub, OpenClaw’s public registry. One command:
clawhub install skill-nameClawHub’s VirusTotal integration only scans NEW uploads after the partnership launched in February 2026. Any skill published before mid-February? Unscanned. Security advisories: treat those as untrusted until verified.
ClawHub grew from ~3,000 skills to 13,729 between early and late February 2026. The older ones? No automatic scan.
Before installing any ClawHub skill, visit its page and check the VirusTotal report manually. Report missing or skill predates the partnership? Read the SKILL.md source code yourself – it’s just markdown. Look for base64 strings, curl commands to unfamiliar domains, instructions to disable confirmations.
You can also install from GitHub directly by pasting the repo URL into your agent chat. OpenClaw handles setup in the background. Bypasses ClawHub entirely. Zero VirusTotal scan. Use this only for skills from authors you trust.
Third method: write your own. Create a folder in ~/.openclaw/skills/, add a SKILL.md file with frontmatter and instructions. OpenClaw picks it up on the next session. Custom skills are safest – you control exactly what they do.
The Config Gotcha
Skills won’t run until you enable them in openclaw.json. Syntax:
{
"skills": {
"entries": {
"skill-name": { "enabled": true },
"another-skill": { "enabled": true }
}
}
}Quotes around skill-name. Leave them out? Skill is silently skipped. No error. No warning. One user spent hours debugging – issue was missing quotes in the JSON.
Some skills need environment variables or API keys. Same block:
"skill-name": {
"enabled": true,
"env": {
"API_KEY": "your-key-here"
}
}OpenClaw injects these into the host process for that agent turn (not the sandbox). Keep secrets out of prompts and logs.
When Skills Silently Disappear
You install a skill. It doesn’t show up in openclaw skills list. What happened?
Skills can declare dependencies like rg (ripgrep), jq, or summarize in their frontmatter. Binary not on PATH? OpenClaw filters out the skill at load time. No error – skill just isn’t eligible.
The catch: OpenClaw’s gateway process might have a different PATH than your terminal. You installed rg via Homebrew, it’s in /opt/homebrew/bin, your shell sees it fine. Gateway doesn’t. Skill stays invisible.
Run openclaw doctor --repair to sync the PATH, or manually edit the launchd plist to include the correct directories.
Silent failures are a pattern here. Precedence conflicts, missing quotes, PATH mismatches – none throw errors. They just fail quietly. It’s like debugging with the lights off. You have to know where to look before you can see what broke.
ClawHavoc Campaign
Late January to early February 2026: attackers published 341 malicious skills to ClawHub. Typosquatted names (smart-email-assistant, calendar-sync-pro), clean descriptions. SKILL.md files had legitimate-looking instructions with malware commands hidden in “prerequisite” sections.
Payloads delivered AMOS. Exfiltrates SSH keys, API tokens, browser cookies, Discord message histories. Some skills waited 24-48 hours before activating. Connection between install and compromise? Gone by the time victims noticed.
ClawHub removed 2,419 suspicious skills overnight. Registry dropped from 5,700 to 3,286. Then grew back to 13,729 by late February. Malicious count grew too – 341 to 820+ in three weeks. Percentage getting worse, not better.
CVE-2026-25253
CVE-2026-25253 (CVSS 8.8): one-click remote code execution via WebSocket hijacking. Visit a malicious webpage while OpenClaw is running? JavaScript on that page silently connects to your local OpenClaw gateway, steals your auth token, takes full control. From there: disable sandboxing, modify your agent’s memory files, run arbitrary commands.
Patched in version 2026.1.29 (January 29, 2026). But 135,000 OpenClaw instances were publicly exposed with zero authentication when the CVE went public. Many ran vulnerable versions weeks later.
Two entry points: install a bad skill, or visit the wrong website.
Who Should Not Use Skills
Microsoft Security: “OpenClaw should be treated as untrusted code execution with persistent credentials. Not appropriate to run on a standard personal or enterprise workstation.”
Running OpenClaw on a machine with access to company data? Don’t install skills from ClawHub. Even vetted ones. Risk-reward doesn’t balance.
Personal use? Different calculation. Skills extend what OpenClaw can do in ways that matter – controlling Gmail, managing notes, triggering workflows. But treat every install like you’re granting root access. Functionally, you are.
Safer Skill Practices
Bundled skills first. OpenClaw ships with 53 skills covering email, calendars, GitHub, browser automation, more. Vetted by core team. Zero supply chain risk.
ClawHub skill? Check the author. Skills by @steipete (Peter Steinberger, OpenClaw’s creator) are first-party. High version counts (10+ releases) and stars (300+) mean maintained and reviewed by the community. 1 version, 0 stars? Read the source first.
Install the Skill Vetter skill before anything else. Scans skills for red flags before and after installation. Early 2026: 3,500+ downloads. One of the few security-focused tools in the registry.
Unknown skills? Test in isolation. Run it on a disposable VM or separate machine with no access to sensitive data. Watch what it does for 48 hours before moving to your main setup.
Disable what you don’t use. Every enabled skill is another surface area. Installed something to test it and never used it again? Remove it.
Next Action
Running OpenClaw with skills installed before February 2026? Audit them now. Run clawhub list, check each skill’s ClawHub page for a VirusTotal report, remove anything without a clean scan or a trusted author.
Starting fresh? Stick to bundled skills for the first month. Learn what OpenClaw can do out of the box before adding third-party code.
FAQ
Can I write my own skills without coding experience?
Yes. A skill is markdown with YAML frontmatter. You can write instructions in plain English? You can write a skill. Agent reads the instructions and follows them. Start by copying a bundled skill from ~/.openclaw/skills/, modify the instructions, rename it. Test on a simple task first.
What happens if two skills have the same name?
Workspace skills override user skills, which override bundled skills. Custom summarize in your workspace and OpenClaw ships with bundled summarize? Your version wins. OpenClaw won’t warn you – bundled skill just stops being active. Breaks workflows silently. I once spent an hour debugging why email summarization stopped working. Turned out I’d created a test skill with the same name in my workspace two weeks earlier and forgot about it. Check openclaw skills list to see which version is loaded. Override was unintentional? Rename your custom skill.
Do I need to restart OpenClaw after installing a skill?
Depends on install method. Skills installed via clawhub install are snapshotted at session start. Install during an active session? Skill won’t be available until you restart OpenClaw. Skills added manually to the workspace folder behave the same way – changes take effect on the next session, not immediately. (The snapshotting happens because OpenClaw pre-filters skills based on environment variables and binary availability, which only runs at startup.) Run openclaw skills list after restarting to confirm the new skill is loaded.