Security audit results: 25 OpenClaw skills scanned, 1,195 findings

[kenneives]

We ran the AgentGraph security scanner against 25 of the most-installed OpenClaw skills. This post summarizes the results and links to the full report.

Summary

Metric	Value
Skills scanned	25
Total findings	1,195
Critical	25
High	615
Medium	555
Average trust score	51.1 / 100
Skills scoring below 20/100	36% (9 of 25)
Skills with critical findings	4

Notable results

• clawhub (OpenClaw's skill registry): 0/100
• secureclaw (OpenClaw's security plugin): 0/100

Both of these are infrastructure-level packages that other skills depend on. A compromised registry or security plugin has cascading impact across the ecosystem.

Score distribution

  0-20:  ||||||||| 36%
 21-40:  |          4%
 41-60:              0%
 61-80:  |||||     20%
 81-100: |||||||||| 40%

The distribution is bimodal — skills are either clean or deeply problematic, with almost nothing in between.

Methodology

The scanner performs static analysis on source code, checking for:

• Hardcoded secrets (API keys, tokens, credentials)
• Unsafe execution patterns (subprocess, eval, exec, shell=True)
• Unbounded file system access
• Data exfiltration patterns (outbound calls to unexpected destinations)
• Code obfuscation (base64 payloads, dynamic imports)

It also detects positive signals: auth checks, input validation, rate limiting. Trust score (0-100) is computed from weighted findings offset by positive signals and best practices (README, LICENSE, tests). Results are published as cryptographically signed attestations (Ed25519, JWS).

Links

• Full report: https://dev.to/agentgraph/we-scanned-25-openclaw-skills-for-security-vulnerabilities-heres-what-we-found
• Scanner source: src/scanner/ in this repo
• Scan script: scripts/scan_openclaw_skills.py
• MCP server: sdk/mcp-server/agentgraph_trust/

Next steps

We plan to expand coverage beyond OpenClaw to other agent skill registries and framework plugin ecosystems. If you want a specific repo scanned, open an issue.