How to Audit OpenClaw Skills for Safety?

Before installing a skill, especially from community contributors, it's important to verify it's safe. OpenClaw provides tools for auditing skills and the community maintains quality standards.

Built-in auditing: - openclaw skill audit <name>: Scans the skill's source code for suspicious patterns — network calls to unexpected domains, filesystem access outside sandbox, obfuscated code, and known malware signatures. - VirusTotal integration: Skills can be automatically checked against VirusTotal's database. Enable this in the security config.

Manual review checklist: 1. Check the source: Is the code on GitHub? How many stars and contributors? 2. Read the code: MCP skill servers are typically small (<1000 lines). Skim for suspicious network calls or file operations. 3. Check permissions: Does the skill request more permissions than it needs? A calendar skill shouldn't need filesystem access. 4. Check reviews: ClawHub shows ratings, download counts, and community reviews. 5. Check updates: Is the skill actively maintained? Abandoned skills may have unpatched vulnerabilities.

Trusted sources: - Official skills (marked with a verified badge on ClawHub) - Skills from well-known developers with verified identities - Skills with 1000+ downloads and positive reviews

For enterprise deployments, consider running a private ClawHub registry where only approved skills are available.

Tip: Start with official and popular skills. Only add community skills after reviewing their source code.

# Audit a skill before installing
openclaw skill audit tavily-search

# Enable VirusTotal checking
openclaw config set security.virustotal true

# View skill source code
openclaw skill source tavily-search