How We Vet Every Skill in the BetterClaw Marketplace
ClawHub has 13,700+ skills. Independent audits found 13.4% with critical issues. BetterClaw has 200+ skills with 0% critical issues. The difference is a 4-layer manual security review that every skill must pass before publication.
The Problem We're Solving
OpenClaw skills have full access to everything your agent can reach: email, calendar, files, API keys, browser sessions, and connected services. A malicious skill doesn't need to hack your system. It just needs to be installed.
ClawHavoc Attack
Hundreds of malicious skills uploaded under names similar to legitimate tools. Reverse shells, SSH key exfiltration, browser cookie theft. 2,400+ skills removed.
Cisco's Findings
Cisco's AI security team confirmed data exfiltration and prompt injection in ClawHub skills without user awareness. Skills looked legitimate and passed automated scans.
Snyk Audit
13.4% of ClawHub skills flagged for critical issues. Hardcoded credentials, unauthorized network calls, data collection beyond stated purposes.
Koi Security Scan
Analysis of 2,857 ClawHub skills found 341 actively stealing user data. 1 in 8 skills tested.
"Music" Skill Incident
A user on r/hacking reported a ClawHub skill labeled as a "music" integration that was scanning local files for SSN and tax document patterns.
What automated scanning misses
VirusTotal catches known malware signatures. It doesn't catch well-crafted exfiltration, prompt injection in SKILL.md, or excessive permissions disguised as features.
For the full timeline, see our comprehensive OpenClaw security risks guide.
What Every Skill Goes Through Before Publication
Four sequential review layers. A failure at any layer means rejection. No exceptions.
Layer 1: Malicious Code Analysis
We review the complete source code for patterns that indicate malicious intent.
What we check:
- Outbound network calls to undisclosed endpoints
- File reads targeting credential stores, SSH keys, browser cookies
- Base64-encoded payloads or obfuscated code blocks
- Dynamic code execution (eval, exec, Function constructor)
- Dependency installation from unverified sources
- Environment variable harvesting beyond scope
- Undocumented socket or WebSocket connections
What triggers rejection:
Any undisclosed network call, any file access outside the skill's stated scope, any obfuscated code. Immediate rejection.
Layer 2: Data Exfiltration Vector Analysis
Even skills without overtly malicious code can leak data through design. We trace every data flow.
What we check:
- Sending user data to undisclosed external services
- Storing data in locations accessible to other skills
- Logging sensitive information (API keys, tokens) in plain text
- Making persistent copies of user data as "cache"
- Transmitting data to author-controlled servers or analytics
- Accessing conversation history or other agents' data
What triggers rejection:
Any undisclosed data transmission. Any logging of credentials. Any "phone home" behavior to author-controlled servers.
Layer 3: Prompt Injection Testing
SKILL.md instructions are loaded into the agent's context. Malicious instructions can override behavior.
What we check:
- Instructions that override the agent's SOUL.md personality
- Instructions that tell the agent to ignore user requests or hide actions
- Instructions that escalate permissions beyond approval
- Instructions manipulating the agent beyond skill scope
- Hidden instructions in metadata, comments, or formatting
- Instructions causing data exfiltration through response channel
What triggers rejection:
Any instruction that attempts to override user directives, escalate permissions, hide actions, or manipulate agent behavior. Immediate rejection.
Layer 4: Permission Scope Verification
Every permission requested must be justified by the skill's stated function. Principle of least privilege.
What we check:
- Weather skill requesting file system access - rejected
- Calendar skill requesting email send permissions - flagged
- Search skill requesting conversation memory access - rejected
- Task management skill requesting terminal/shell access - rejected
- Email reader requesting email deletion - requires justification
What triggers rejection:
Any permission request not justified by the skill's core function. We configure the recommended scope for skills that pass.
After a Skill Passes All 4 Layers
"BetterClaw Audited" badge
Visible on marketplace page, search results, and the agent builder.
Pre-configured permissions
Recommended permission scope set so users don't have to figure it out.
Recommended trust level
Some skills run at Intern level. Others are safe at Specialist or Lead.
Re-review on updates
Every update goes through the same 4-layer review. Prevents "bait and switch."
Common Rejection Reasons
Undisclosed API calls
The skill calls analytics endpoints, logging services, or author servers not documented in the spec. The most common rejection reason.
Excessive permissions
The skill works with calendar data but also requests file system access, shell execution, or email send capability.
Obfuscated dependencies
Dependencies from personal GitHub repos, low-download npm packages, or CDNs that could serve different code to different users.
Prompt injection in SKILL.md
Instructions that override agent behavior, disable safety directives, or manipulate the agent beyond skill scope.
Credential logging
The skill logs API keys, tokens, or passwords in plain text to a file, console, or external service.
Stale and unmaintained code
Skills that reference deprecated APIs, have known unfixed vulnerabilities, or haven't been updated in months.
What We Can and Can't Guarantee
We can guarantee
- No known malicious code patterns in the reviewed version
- No undisclosed data exfiltration vectors we could identify
- No prompt injection in the SKILL.md instructions
- Permission scope matches stated functionality
- The skill works as described at the time of review
We cannot guarantee
- Zero-day vulnerabilities in third-party dependencies
- That the skill will work perfectly in every edge case
- That external API integrations won't change behavior
- Future vulnerabilities that haven't been discovered yet
This is why BetterClaw also includes trust levels, action approval, and a kill switch.
BetterClaw Review vs ClawHub Scanning
| BetterClaw 4-Layer Review | ClawHub VirusTotal Scanning | |
|---|---|---|
| Type | Manual code review + automated checks | Automated signature matching |
| What it catches | Malicious code, exfiltration, prompt injection, excess permissions | Known malware signatures |
| What it misses | Zero-day dependency vulnerabilities | Well-crafted exfiltration, prompt injection, novel attacks |
| Review depth | Full source code + data flow + prompt testing | File hash comparison |
| Update re-review | Yes (every update) | Yes (re-scanned) |
| Time per skill | Hours (manual) | Seconds (automated) |
| Scale | 200+ reviewed | 13,700+ scanned |
| Documented failures | 0 published malicious | 373+ malicious, 2,400+ removed, 13.4% critical |
Type
BetterClaw
Manual code review + automated checks
ClawHub
Automated signature matching
What it catches
BetterClaw
Malicious code, exfiltration, prompt injection, excess permissions
ClawHub
Known malware signatures
What it misses
BetterClaw
Zero-day dependency vulnerabilities
ClawHub
Well-crafted exfiltration, prompt injection, novel attacks
Review depth
BetterClaw
Full source code + data flow + prompt testing
ClawHub
File hash comparison
Update re-review
BetterClaw
Yes (every update)
ClawHub
Yes (re-scanned)
Time per skill
BetterClaw
Hours (manual)
ClawHub
Seconds (automated)
Scale
BetterClaw
200+ reviewed
ClawHub
13,700+ scanned
Documented failures
BetterClaw
0 published malicious
ClawHub
373+ malicious, 2,400+ removed, 13.4% critical
Skill Security Vetting: Common Questions
How long does the security review take per skill?
A thorough review takes several hours per skill, depending on complexity. Simple skills (weather, basic search) are faster. Complex skills (Google Workspace, GitHub, CRM integrations) with extensive API access require deeper analysis. We prioritize the most-requested skills.
Can I request a specific ClawHub skill be reviewed?
Yes. If there's a ClawHub skill you need that isn't in the BetterClaw marketplace, you can submit a review request. We'll evaluate it and add it if it passes all four layers.
What if a reviewed skill becomes vulnerable after publication?
We monitor for new vulnerability disclosures and re-review affected skills. If a critical issue is found, the skill is pulled until a patched version passes review. BetterClaw users receive the update automatically.
Why don't you just review all 13,700 ClawHub skills?
Manual review at that scale would require a full security team working for months. The majority of ClawHub skills are duplicates, abandoned, or minimal-usage tools. We focus review effort on skills that are genuinely useful and requested by users.
Is BetterClaw's vetting process auditable?
We document the review status and scope for each skill. The skill's detail page shows its security review status, permission scope, and recommended trust level.
Can I skip the vetting and install any ClawHub skill on BetterClaw?
No. BetterClaw's marketplace only includes skills that have passed the 4-layer review. If you need the full ClawHub catalog, self-hosted OpenClaw or a VPS gives you that flexibility.
Skills You Can Trust. Agents You Can Control.
Deploy your first agent in under 2 minutes. No Docker. No config files. No SSH. Just tell your agent what to do and watch it work.
$29/month per agent · BYOK · 7-day money-back guarantee