state of openclaw security
1 in 6 agent skills can read your env vars
Environment variables are where apps keep API keys and tokens, so it's worth knowing which skills can reach them. Check the one you're about to install.
what we measured
01
Counted from code, not tiers
can read env vars ≈ 1 in 6
of 19,461 skills
Skills whose code touches process.env, where API keys and tokens live. The broad capability, stated plainly: can read, not does steal.
read env vars + reach the network ≈ 1 in 10
co-occurrence
Both capabilities present in one skill: the shape of exfiltration, not proof of it. We don't verify the two ever connect.
touch a credential store ≈ 1 in 179
narrow & real
SSH keys, AWS configs, keychains: the capability that actually means "can read your secrets." We count it separately, on purpose.
the gap is the point
can read env vars vs. can read real secrets
One in 6 can read environment variables. Far fewer can reach real secret stores. Most scanners call all of it credential theft. Conflating the two is how a scanner overstates its own findings, so we don't. You see what the code can do, and exactly how sure we are.
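An added example, not the scanner's own code: a minimal version of the counting described above, keeping env-var reads, env-plus-network co-occurrence and credential-store access as three separate tallies. The regex patterns, function names and sample skills are assumptions constructed for illustration.

```javascript
// Assumed heuristics for illustration; not the scanner's actual rules.
const CAPABILITY_PATTERNS = {
  env_read: [/\bprocess\.env\b/],
  network_out: [/\bfetch\s*\(/, /require\(\s*['"](?:node:)?https?['"]\s*\)/],
  credential_store: [/\.ssh\//, /\.aws\/(?:credentials|config)/, /keychain/i],
};

// Return the set of capabilities whose patterns appear in the source text.
function capabilitiesOf(source) {
  const found = new Set();
  for (const [cap, patterns] of Object.entries(CAPABILITY_PATTERNS)) {
    if (patterns.some((re) => re.test(source))) found.add(cap);
  }
  return found;
}

// Tally the three figures separately. Co-occurrence only means both
// capabilities are present in one skill; no data flow is checked.
function measure(skills) {
  const tally = { total: 0, env_read: 0, env_read_and_network: 0, credential_store: 0 };
  for (const source of Object.values(skills)) {
    const caps = capabilitiesOf(source);
    tally.total += 1;
    if (caps.has("env_read")) tally.env_read += 1;
    if (caps.has("env_read") && caps.has("network_out")) tally.env_read_and_network += 1;
    if (caps.has("credential_store")) tally.credential_store += 1;
  }
  return tally;
}

// Constructed sample skills (hypothetical names and code).
const SAMPLE_SKILLS = {
  "example/weather": 'const key = process.env.WEATHER_KEY;\nfetch("https://api.example.com/?k=" + key);',
  "example/logger": 'const level = process.env.LOG_LEVEL || "info";\nconsole.log(level);',
  "example/formatter": "module.exports = (s) => s.trim();",
  "example/deploy": 'const fs = require("fs");\nconst os = require("os");\nfs.readFileSync(os.homedir() + "/.aws/credentials", "utf8");',
};

console.log(measure(SAMPLE_SKILLS));
```

On the sample set, two skills read env vars but only one touches a credential store, which is the gap a single "credential theft" label would hide.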
02
Notable in the corpus
The most-flagged skills we've scanned, by capability combination. Not a feed of recent checks, a standing shortlist. Each links to its full verdict.
Dangerous scanned · capability combination flagged
chj0w0/skill-safe-install
file_write · credential_access · network_out
Dangerous scanned · capability combination flagged
starbuck100/ecap-security-auditor
network_out · credential_access · process_exec
Dangerous scanned · capability combination flagged
deerleo/modelwise-openclaw-setup
network_out · package_install · credential_access
Dangerous scanned · capability combination flagged
divide-by-0/create-new-openclaw-in-gcp
network_out · network_in · credential_access
Dangerous scanned · capability combination flagged
paolorollo/openclaw-sec
credential_access · network_in · network_out
Dangerous scanned · capability combination flagged
happydog-intj/github-passwordless-setup
network_out · credential_store · package_install
capability ≠ conduct. we say "can," not "will."
counted from code, so prose-only risks aren't here and the real figures run higher.
every number is a measurement, not a verdict.