state of openclaw security
1 in 8 agent skills can read your env vars
Environment variables are where apps keep API keys and tokens, so it's worth knowing which skills can reach them. Check the one you're about to install.
what we measured
01
Counted from code, not tiers
0.0% can read env vars ≈ 1 in 8
of 63,697 skills
Skills whose code touches process.env, where API keys and tokens live. The broad capability, stated plainly: can read, not does steal.
0.0% read env vars + reach the network ≈ 1 in 16
co-occurrence
Both capabilities present in one skill: the shape of exfiltration, not proof of it. We don't verify the two ever connect.
0.0% touch a credential store ≈ 1 in 267
narrow & real
SSH keys, AWS configs, keychains: the capability that actually means "can read your secrets." We count it separately, on purpose.
the gap is the point
0.0% can read env vars
0.0% can read real secrets
One in 8 can read environment variables. Far fewer can reach real secret stores. Most scanners call all of it credential theft. Conflating the two is how a scanner overstates its own findings, so we don't. You see what the code can do, and exactly how sure we are.
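The three counts above kept as separate tags, as an added example that is not the scanner's own code: the regex patterns, function names and sample skills are assumptions constructed for illustration. It reports co-occurrence only and does no data-flow check, matching the caveat that the two capabilities are never verified to connect.

```javascript
// Added example, not the scanner's code. Patterns below are illustrative assumptions.
// Regex tagging sees capability only: it cannot tell whether a value read from
// process.env ever reaches a network call.
const PATTERNS = {
  env_read: [/\bprocess\.env\b/],
  network_out: [/\bfetch\s*\(/, /\brequire\(\s*['"](?:node:)?https?['"]\s*\)/],
  credential_access: [/\.ssh\/id_[a-z0-9]+/, /\.aws\/credentials/, /find-generic-password/],
};

// Return the set of capability tags whose patterns appear in one skill's source.
function capabilities(source) {
  const found = new Set();
  for (const [cap, regexes] of Object.entries(PATTERNS)) {
    if (regexes.some((re) => re.test(source))) found.add(cap);
  }
  return found;
}

// Count each capability separately so env-var access is never reported
// as credential-store access.
function summarize(skills) {
  const counts = { total: 0, env_read: 0, env_and_network: 0, credential_access: 0 };
  for (const source of Object.values(skills)) {
    const caps = capabilities(source);
    counts.total++;
    if (caps.has('env_read')) counts.env_read++;
    if (caps.has('env_read') && caps.has('network_out')) counts.env_and_network++;
    if (caps.has('credential_access')) counts.credential_access++;
  }
  return counts;
}

// Constructed sample skills (hypothetical names and sources).
const SAMPLE = {
  weather: `const k = process.env.WEATHER_KEY; fetch('https://api.example.test/w?k=' + k);`,
  formatter: `module.exports = (s) => s.trim();`,
  logger: `const level = process.env.LOG_LEVEL || 'info'; console.log(level);`,
  deployer: `const fs = require('fs'); fs.readFileSync(home + '/.aws/credentials');`,
};

console.log(summarize(SAMPLE));
```

Pattern matching of this kind also fires on comments and string literals, so its counts are an upper bound on what the code can actually do.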
02
Notable in the corpus
The most-flagged skills we've scanned, by capability combination. Not a feed of recent checks, a standing shortlist. Each links to its full verdict.
Dangerous scanned · capability combination flagged
openclaw-sec
credential_access · network_in · network_out
Dangerous scanned · capability combination flagged
openclaw-sec-plus
credential_access · network_in · package_install
Dangerous scanned · capability combination flagged
teamclaw
credential_access · network_in · network_out
Dangerous scanned · capability combination flagged
teamclaw-2
credential_access · network_in · network_out
Dangerous scanned · capability combination flagged
teamclawtest
credential_access · network_in · network_out
Dangerous scanned · capability combination flagged
join-meeting
credential_access · network_in · data_encoding
capability ≠ conduct. we say "can," not "will."
counted from code, so prose-only risks aren't here and the real figures run higher.
every number is a measurement, not a verdict.