OpenClaw Skills — Security Guide
ClawHub is the npm of AI skills. And like early npm, nobody’s auditing what gets published.
The parallel runs deeper than it looks. Security researchers found 341 malicious tools on agent marketplaces in a single survey — tools that requested wildcard shell permissions, embedded hidden instructions in their descriptions, and combined filesystem plus network access in ways that had no legitimate justification. OpenClaw’s ClawHub is no exception: 22% of enterprises already have employees using it without any centralized visibility into which skills have been installed or what permissions they hold.
OpenClaw’s permission model was designed to enable fine-grained access control. shell:read, filesystem:write:/home/user/data, network:post:api.example.com — each permission is intended to be scoped and explicit. But the model only works when skill authors use it correctly. A skill that requests shell:* gets unrestricted command execution. A skill that requests shell:* plus filesystem:* plus network:* simultaneously has the maximum possible attack surface: it can read any file, execute any command, and exfiltrate the results to any server.
Firmis scans OpenClaw skill manifests, handler code, and ClawHub-installed skill dependencies across 209 detection rules covering wildcard permissions, maximum blast-radius permission combinations, bulk exfiltration patterns, and supply chain risks.
What Firmis detects
Section titled “What Firmis detects”| Threat Category | Rules | Coverage | Example Finding |
|---|---|---|---|
| Permission Overgrant | 7 | High | shell:* or filesystem:* wildcard in skill permissions |
| Tool Poisoning | 10 | High | Hidden instructions in skill handler tool descriptions |
| Prompt Injection | 13 | High | Instruction override in skill description field |
| Data Exfiltration | 12 | High | External HTTP POST in skill handler |
| Secret Detection | 60 | High | Hardcoded API key in openclaw.json |
| Supply Chain | 8 | High | Known malicious npm package in skill dependencies |
| Agent Memory Poisoning | 7 | Medium | Code writing to .openclaw/ or .clawdbot/ config |
| Access Control | 3 | Medium | Auth bypass flag in skill configuration |
| Insecure Config | 3 | Medium | Debug mode enabled in skill settings |
Files Firmis scans
Section titled “Files Firmis scans”| File Pattern | What It Contains |
|---|---|
openclaw.json | Skill metadata, permissions, and tool declarations |
.openclaw/** | OpenClaw agent configuration directory |
.clawdbot/** | ClawBot agent configuration directory |
src/**/*.ts, src/**/*.js | Skill handler implementations |
package.json | Dependency declarations and install scripts |
Scan OpenClaw Skills
Section titled “Scan OpenClaw Skills”npx firmis scan --platform openclawCommon findings and remediation
Section titled “Common findings and remediation”Wildcard permission in skill manifest
Section titled “Wildcard permission in skill manifest”HIGH perm-001 Wildcard Permission openclaw.json:9 Pattern: "shell:*"What it means. The skill requests shell:* — unrestricted command execution. OpenClaw’s permission model is designed around least-privilege: a skill that only needs to read the output of one command should declare exactly that, scoped to that command. A wildcard permission bypasses the entire model. The skill can execute any command the current user can run, escalate privileges through local exploits, and persist itself by writing startup scripts or cron jobs.
This is one of the 341 malicious tool patterns documented in agent marketplace security research. Wildcard shell permissions are the clearest signal that a skill was not designed with security in mind — or was designed with the opposite intent.
How to fix. Replace wildcard permissions with the minimum specific permission required. If the skill reads command output, use shell:read. If it runs a single known command, scope it to that command explicitly. If no shell permission is genuinely required, remove it entirely. Establish a policy of rejecting any ClawHub skill that requests wildcard permissions without a documented, reviewed justification.
Maximum blast radius permission combination
Section titled “Maximum blast radius permission combination”CRITICAL perm-002 Maximum Blast Radius Permission Combo openclaw.json:7-11 Pattern: shell + network + filesystem permissions presentWhat it means. The skill simultaneously requests shell execution, network access, and filesystem access. This is the maximum possible attack surface for any OpenClaw skill. With these three permissions, a skill can read any file on the system, execute arbitrary commands on the host, and transmit both to any external server — all within a single invocation.
Each individual permission might appear to have a legitimate justification when read in isolation. But the combination should trigger a mandatory security review: the set of legitimate use cases that genuinely requires all three simultaneously is very small. The set of malicious use cases that benefits from all three is not.
How to fix. Challenge each permission in the combination. Can the filesystem reads be replaced with a narrower path-scoped permission? Can the shell commands be replaced with a direct API call? Can the network access be restricted to a specific approved endpoint? If the combination is genuinely necessary, add explicit scope constraints to each permission, document the security rationale in the skill’s README, and require human approval before deploying skills with this combination in any shared environment.
Data exfiltration from skill handler
Section titled “Data exfiltration from skill handler”HIGH exfil-008 Archive Creation Before Upload src/export-handler.ts:45 Pattern: createWriteStream('.zip') with axios uploadWhat it means. The skill handler creates a ZIP archive and uploads it via HTTP. This is the bulk exfiltration pattern: rather than leaking one file at a time, the skill packages a large collection of files into an archive and transmits the entire thing in one request. In an OpenClaw environment with filesystem permissions, a single skill invocation can exfiltrate an entire project directory — source code, configuration files, secrets, and all.
The upload happens in the background while the skill appears to complete its stated function. The user sees normal skill output. The archive has already left the network.
How to fix. Implement an explicit allowlist of directories that can be archived and uploaded. Require user confirmation with a clear description of what is being uploaded and where before any transmission occurs. Validate the destination URL against an approved endpoint list before every upload. Log all archive creation and upload operations with timestamps, destination URLs, and file counts. Apply this level of scrutiny to every skill installed from ClawHub that combines file access with network calls.