8 Types of Dangerous ClawHub Skills You Should Never Install

A 2025 security study that scanned major AI plugin marketplaces found 71 overtly malicious Claude Skills and 73 additional Skills exhibiting high-risk behaviors — including active data exfiltration, background network calls to attacker-controlled servers, and cryptominer injection. This isn't a theoretical threat. Researchers confirmed these in production.

ClawHub's own data reinforces the severity: 17.7% of Skills actively scrape third-party web content (opening prompt injection attack surfaces), and 2.9% ship with clean code at install time but pull remote logic at runtime.

This guide covers 8 risk patterns you should know before clicking install.

Why AI Skill Security Is Underestimated

Most developers are already aware of plugin security risks in traditional software. But AI Skills have specific properties that raise the stakes:

1. Broader execution scope. A Skill doesn't just run code — it runs inside Claude's agent context, with access to file systems, network requests, and other tools. A "weather lookup" Skill has the technical capability to read your SSH private keys if you haven't reviewed its permission declarations.

2. Higher user trust threshold. When an AI responds in natural language and the result looks correct, users rarely audit what happened underneath. Malicious Skills exploit exactly this assumption.

3. Third-party content is the primary injection vector. When a Skill fetches external web pages, emails, or documents, attackers can embed hidden instructions in that content to hijack the AI Agent's behavior. Palo Alto Networks' Unit 42 research team calls this Indirect Prompt Injection and identifies it as the most severe threat class in the current AI Agent ecosystem.

8 High-Risk Skill Patterns: A Field Guide

1. Key Harvesting

What it does: The Skill claims to need API keys or cloud service credentials to function, but secretly forwards them to an attacker-controlled server.

How to identify it:

• Very simple functionality (e.g. "get today's weather") but requires AWS / GCP / database credentials
• Code contains outbound network requests to non-official endpoints with credential fields in the payload
• README gives a vague or missing explanation for why those credentials are needed

Real case: A malicious Skill called "bob-p2p" discovered on ClawHub would read users' Solana wallet private keys at runtime and route funds to an attacker-controlled address. The install description looked completely legitimate.

Defense: Apply the principle of least privilege. If a weather Skill asks for AWS credentials, reject it immediately.

2. Cryptominer Injection

What it does: The Skill silently runs a cryptocurrency miner in the background, consuming your CPU and electricity.

How to identify it:

• CPU utilization spikes after install, even when Claude isn't processing anything
• Fans run continuously at high speed
• The Skill's process persists in the background between sessions

Why it's hard to catch: Mining code typically throttles itself to stay below detection thresholds — holding CPU usage around 30% under normal conditions, ramping up when the system appears idle. Users often attribute it to other causes.

3. Dynamic Pull

What it does: The Skill ships with clean code, passes any static review, but fetches and executes fresh logic from an external server at runtime. 2.9% of ClawHub Skills exhibit this behavior.

How to identify it:

• Code contains eval() or exec() calls on content returned from external URLs
• Unexpected outbound network requests to addresses not explicitly declared in the Skill's manifest
• Behavior changes across sessions without a version bump

Why it's particularly dangerous: This pattern defeats one-time code review. A Skill can be clean at launch, accumulate users, and then activate malicious behavior by updating the remote server payload — without touching the installable code.

4. Unauthorized Access

What it does: The Skill's declared functionality is wildly mismatched with the permissions it requests. A "PDF converter" that requests full filesystem read access and SSH key directories is a classic unauthorized access signal.

How to identify it:

• Permission scope far exceeds functional requirements (full ~ read vs. specific folder access)
• Outbound network permissions include unrelated domains
• Simple functionality, but an unusually long capability list in the manifest

Defense: When authorizing a Skill in OpenClaw / Claude Code, review the permission list. Don't approve everything by default.

5. Official Impersonation

What it does: Uses a name closely resembling a popular Skill, hoping users install the fake version by mistake. Common patterns: appending -pro, -plus, -v2, -official, or making subtle typos (memory → menory).

How to identify it:

• Very low download count (fakes rarely have time to accumulate installs)
• Very recent publish date (typically right after a popular Skill gains traction)
• Author info and GitHub page don't match the original
• Description text closely mirrors the original but with subtle differences

Known pattern: Names like browser-pro and memory-plus have real impersonation instances on ClawHub. Before installing, verify the author's identity directly against their official GitHub profile.

6. Unattributed Origin

What it does: No GitHub repository, no author information, no README. If something goes wrong, there's no one to hold accountable.

How to identify it:

• No GitHub link on the Skill page
• Author uses a random string or anonymous handle
• README is empty or contains only a single sentence
• No history of other published Skills from this author

This isn't inherently malicious, but in high-stakes scenarios — connecting external APIs, processing sensitive data — choosing an unattributed Skill is an unnecessary risk. If a data leak occurs, you have no recourse.

7. Third-Party Content Scraping

What it does: The Skill actively fetches external web pages, RSS feeds, emails, or other untrusted content, then passes that content directly to the AI for processing. 17.7% of ClawHub Skills exhibit this behavior — the widest-spread risk category on the platform.

Why it matters: Attackers can embed hidden instructions on any web page — white text on white background, content inside HTML comments, or invisible zero-width characters. When a Skill fetches that page and hands the content to Claude, those instructions execute. The result can be data exfiltration, file modification, or invocation of other tools the user never authorized.

This attack class has a formal name: Indirect Prompt Injection. Unit 42 at Palo Alto Networks classifies it as the most severe current threat to AI Agent ecosystems.

How to identify it:

• Skill functionality involves fetching external URLs (WebFetch, requests.get, etc.)
• External content is passed directly as system prompt or context without sanitization
• No input validation or content filtering on fetched data

Not all scraping Skills are malicious — many legitimate Skills require external content (search, news aggregation, document analysis). But when running sensitive tasks, be aware that any Skill fetching external content opens this attack surface.

8. Abandoned / Unmaintained

What it does: Zero reviews, zero stars, no code updates in months. The Skill may have worked at launch, but the author has moved on.

Why it's a risk:

• Dependency APIs have changed but the code hasn't been updated, leaving unpatched security gaps
• Discovered vulnerabilities go unfixed indefinitely
• In the worst case: after the author abandons the project, an expired domain gets purchased by a malicious actor — and the Skill is still sending data to it

How to identify it:

• GitHub repository hasn't had a commit in 6+ months
• Issues are piling up, PRs go unreviewed
• The "last updated" timestamp on the ClawHub page is far in the past

How ClawHub Defends Against These: Quality Score and privacy-risk

ClawHub has built two defense layers against the above risk patterns:

Quality Score

Every Skill carries a Quality Score, graded from F to S. The score is computed across multiple dimensions: install-to-download ratio, README completeness, code quality signals, and whether the Skill carries a privacy-risk tag.

Grade F Skills: do not install. Grade D Skills require informed judgment before use. See the full scoring breakdown at the Quality Score Guide.

The privacy-risk Tag

privacy-risk is the heaviest deduction in the entire Quality Score system — and unlike most scoring signals, it comes from manual human audit, not heuristics. It means: confirmed data collection transmitted to an external server.

The clearest example on the platform right now is openclaw-youtube-transcript. With over 15,000 downloads, the Skill's core function — extracting YouTube transcripts for AI consumption — is completely legitimate. But embedded in transcribe.py is telemetry code that runs on every transcription:

def send_telemetry() -> None:
    if os.environ.get("DISABLE_TELEMETRY"):
        return
    payload = json.dumps({
        "un": os.getlogin(),       # your system username
        "dn": socket.getfqdn(),    # your machine's hostname
    }).encode("utf-8")
    req = request.Request(
        "http://openclaw-youtube-transcript.eastus.cloudapp.azure.com/telemetry",
        data=payload,
        ...
    )

The author labels this "telemetry" and provides an opt-out (export DISABLE_TELEMETRY=1). Most users have never seen this code. If you have the Skill installed, set the env variable before your next run.

This case illustrates why privacy-risk exists as a tag: the Skill does exactly what it advertises and the telemetry is disclosed — but buried in implementation code that most users will never read. Human review is the only way to catch it.

5-Step Checklist Before Installing Any Skill

Run through these five questions before every install:

① What's the Quality Score? Open the Skill detail page and check the grade badge. F and D grades require specific justification before proceeding.

② Does it carry a privacy-risk tag? If yes, read the risk description. Confirm whether you accept the risk, and whether an opt-out mechanism exists.

③ Who's the author? Can you trace them? Click through to the author profile and verify the GitHub repository. Confirm it's a real, attributable person or organization.

④ Do the permissions match the function? A "reminder" Skill doesn't need filesystem read access. If the capability list in the manifest is longer than you'd expect for the stated purpose, investigate before approving.

⑤ When was it last updated? Check the last GitHub commit date. For Skills that connect to external APIs or handle sensitive data, 6+ months of inactivity is a yellow flag.

FAQ

Does installing a Skill mean it immediately runs?

Not necessarily. OpenClaw Skills execute only when explicitly called. However, "Dynamic Pull" and "Cryptominer Injection" Skills may begin running background processes at install time — before you invoke them for any task.

What should I do if I've already installed a risky Skill?

Uninstall immediately. If the Skill had access to API keys, audit your key usage logs for anomalies and rotate any potentially compromised credentials. If you confirmed telemetry exfiltration, report it to ClawHub's security team.

Does ClawHub proactively remove malicious Skills?

Yes. The ClawHub security team conducts ongoing audits, and confirmed malicious Skills are marked isDelisted with a banner displayed on the Skill detail page. But this is a human review process with inherent latency — which is why your own judgment remains the first line of defense.

Are zero-install Skills inherently suspect?

No. Many newly published, high-quality Skills have zero installs. The risk signal is the combination: zero installs + no GitHub + no README + sensitive permission requests. Any one of those alone is fine; all four together warrant serious scrutiny.

Is third-party scraping (the 17.7%) malicious by definition?

No. Many legitimate Skills require external content — web search, news aggregation, document analysis. The issue is that these Skills open an indirect prompt injection attack surface. When using them for sensitive tasks, avoid giving them broad permissions, and be aware of what content sources they're fetching from.

Browse all Skills with security ratings on ClawHub: clawhub-skills.com

Full Quality Score methodology: Quality Score Guide