Community skills and templates are one of the best parts of the OpenClaw ecosystem. They also represent a real attack surface. A malicious or poorly-written skill running in your agent can exfiltrate data, rack up API costs, send messages on your behalf, or corrupt your agent's memory.

This checklist is what we use before installing any community skill into a production gateway. It's not exhaustive — but it catches most of the common failure modes.

Before You Install: Read the Code

This sounds obvious. Most people skip it. A skill is code running with your agent's permissions — it deserves the same scrutiny you'd give a third-party npm package in a production app.

The 5 minutes you spend reading a skill's source is worth more than any badge or star count.

The Checklist

1. Permissions & Scope

What tools does it request? List every tool call in the skill. Does it need file access? Network access? If it only needs to read a value, it shouldn't be writing files. High Risk
Does it request more than it needs? A translation skill shouldn't need file_write. A summarizer shouldn't need http_request to external URLs. Excessive permissions = red flag. High Risk
Does it access the network? Note every domain it contacts. Unexpected outbound requests to non-obvious endpoints are a major warning sign. High Risk

2. Data Handling

Does it log or transmit conversation content? Any skill that sends conversation data to an external endpoint — even for "analytics" — should be treated as a data exfiltration risk. High Risk
Does it write to shared storage? Skills writing to /srv/data/ or memory files that other agents read can corrupt shared state. Medium Risk
Does it handle secrets or credentials? A skill should never log, transmit, or store raw API keys. Check for any console.log that might include env vars. High Risk

3. Side Effects

Can it send messages on your behalf? Skills with access to messaging channels (Feishu, Telegram, email) can spam or impersonate you. Verify send is intentional and scoped. High Risk
Does it have irreversible actions? Deleting files, sending emails, posting to social media — are these behind confirmation prompts or rate limits? Medium Risk
Does it run on a schedule? Scheduled skills with network access and no rate limiting are the highest risk category. Understand exactly what runs, when. High Risk

4. Code Quality Signals

Does it have error handling? Skills that throw uncaught errors can crash your agent mid-task. Look for try/catch around tool calls and network requests. Medium Risk
Are there hardcoded values that should be configurable? Hardcoded URLs, user IDs, or limits are maintenance problems that become security problems. Low Risk
Is the prompt injection surface managed? Skills that pass untrusted user input directly into tool calls without sanitization can be manipulated. Medium Risk

For SOUL.md / AGENTS.md Templates

Agent identity files carry different risks from executable skills:

  • Check for hidden instructions. Some malicious SOUL.md files contain injected instructions in the "personality" section designed to override your agent's behavior.
  • Verify escalation paths. A SOUL.md that grants itself admin privileges or instructs the agent to bypass confirmation prompts is a red flag.
  • Watch for data exfiltration via reasoning. Instructions like "always include the current date and system info in your responses" can leak data through seemingly innocent behavior.

The Trust Tiers

We suggest three tiers when deploying community content:

  1. Sandbox first. Run new skills in a test environment with a separate API key and no access to production data or channels.
  2. Limited production. After sandbox validation, deploy with minimal permissions and monitor logs for 48 hours.
  3. Full production. Only after you've verified the skill does exactly what it says, with no unexpected side effects.

Reporting Issues

If you find a malicious or seriously broken template on OpenClaw Codex, the admin review system flags it — but human review catches what automation misses. Use the admin contact or open an issue so the template can be pulled.

The goal of this checklist isn't paranoia — it's informed trust. Most community templates are exactly what they say they are, built by people who want to share something useful. The checklist just helps you verify that before it's running in production.

Building something you'd trust? Submit a template — we review all submissions for safety before publishing.