What is a skill in OpenClaw and why are they dangerous?
Category: AI Agents Security
Quick Answer
Skills are extensions that add functionality to OpenClaw and are stored in the ClawdHub repository. The problem: all downloaded skills are treated as trusted code with no review process, making them a major supply chain attack vector.
Detailed Answer
What Are Skills?
Skills are extensions stored in the ClawdHub repository. They add functionality:
- Connect to external services
- Automate workflows
- Add new capabilities
The Security Problem
All downloaded skills are treated as trusted code with no review process.
Real-World Example
Cisco found that the "What Would Elon Do?" skill:
- Ranked #1 in the repository
- Contained data exfiltration code
- Had prompt injection vulnerabilities
- Had command injection capabilities
Mitigation
Cisco released a security scanner:
git clone https://github.com/cisco-ai-defense/skill-scanner
cd skill-scanner
python scan.py /path/to/skill
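An added example (not code from Cisco, OpenClaw or ClawdHub): a minimal review gate for the "no review process" gap described above. It pins each reviewed skill directory by digest and rejects a skill whose contents changed after review. The function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile


def skill_digest(skill_dir):
    """SHA-256 over every file's relative path and contents, in a fixed order."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(skill_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, skill_dir).replace(os.sep, "/")
            if os.path.islink(path):
                # A link could point outside the reviewed tree.
                raise ValueError(f"symlink in skill, refusing: {rel}")
            if name in dirs:
                continue  # directories are covered by the paths of their files
            with open(path, "rb") as f:
                data = f.read()
            # Length-prefix each field so bytes cannot shift between files.
            for field in (rel.encode(), data):
                h.update(len(field).to_bytes(8, "big"))
                h.update(field)
    return h.hexdigest()


def is_reviewed(skill_dir, reviewed_digests):
    """True only if this exact content was recorded at review time."""
    return skill_digest(skill_dir) in reviewed_digests


def demo():
    """Constructed sample: review a skill, then change it after review."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "run.py")  # constructed file name
        with open(script, "w") as f:
            f.write("print('hello')\n")
        reviewed = {skill_digest(d)}  # digest recorded after manual review
        before = is_reviewed(d, reviewed)
        with open(script, "a") as f:
            f.write("# line added after review\n")
        after = is_reviewed(d, reviewed)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The digest only proves that the content matches what was reviewed; the review itself (manual or with a scanner) still has to happen before a digest is recorded.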

