🤖 Ghostwritten by Claude Opus 4.8 · Fact-checked & edited by GPT 5.5

Vetting OpenClaw AgentSkills: Skill Cards and SkillSpector

Before installing a third-party OpenClaw AgentSkill, read its Skill Card and scan it with SkillSpector. If SkillSpector marks the skill high-risk, stop. Do not install it, do not override the warning, and do not treat a sandbox as a sufficient exception.

That rule addresses one of the most dangerous patterns in agentic systems: a skill that quietly carries hidden instructions or exposes credentials once the agent loads it. AgentSkills are not passive plugins. They can shape the agent’s context, influence tool use, and, in misconfigured environments, touch secrets that were never meant to leave the session.

OpenClaw’s collaboration with NVIDIA introduces two security controls for this problem: Skill Cards, which provide structured provenance and behavior disclosure, and SkillSpector, which scans skills for hidden instructions and other agentic risks. Together, they create a practical pre-install workflow: verify the publisher, inspect declared behavior, scan the package, read the risky parts by hand, and install only with the minimum permissions required.

Why Skill Vetting Is Non-Negotiable

TL;DR: AgentSkills run inside a trust boundary that can include prompts, tools, files, and credentials, so pre-install vetting is a security control.

An AgentSkill can contribute instructions to the agent’s context and influence what the agent does next. Depending on configuration, it may also interact with tools, filesystem paths, network destinations, or environment variables. That makes skill installation a trust decision, not a convenience choice.

Two failure modes deserve special attention:

• Prompt injection through hidden instructions. A skill can embed text in descriptions, examples, templates, or returned data that attempts to steer the agent: “ignore previous instructions,” “do not disclose this behavior,” or “send environment contents to this endpoint.”
• Credential leakage through misconfigured skills. A skill that can read plaintext credentials from environment variables, local files, or token stores can expose those secrets through an outbound request or tool call.

OpenClaw also has relevant historical context outside the skill layer. CVE-2026-25253 carried a CVSS score of 8.8 and was patched in 2026.1.29; it involved WebSocket token theft through the Control UI. That issue was not an AgentSkill vulnerability, but it illustrates the broader lesson: anything that can reach an agent session, gateway, or control plane deserves careful trust handling.

As of June 20, 2026, no new OpenClaw CVEs have been disclosed in the last 48 hours. The primary security story for AgentSkills remains operational discipline: inspect skills before they enter the agent’s runtime.

Reading a Skill Card

TL;DR: A Skill Card is a structured provenance and behavior disclosure; treat missing, vague, or contradictory cards as a warning sign.

Skill Cards, developed through OpenClaw’s collaboration with NVIDIA, give operators a structured way to evaluate an AgentSkill before install. Think of them as a trust label: not proof that a skill is safe, but a concrete set of claims that can be checked against the skill’s behavior.

When reviewing a Skill Card, work through it in this order:

• Provenance: Who published the skill? Is the publisher traceable to a real account, organization, or project history?
• Declared behavior: What does the skill claim to do? Does that behavior match the problem it solves?
• Permission expectations: Does the skill appear to need filesystem, network, shell, or tool access? Are those permissions proportional to its stated purpose?
• Network behavior: If the card declares outbound communication, do the destinations make sense for the skill’s function?
• Mismatch signals: Does the card say one thing while the code or scanner output suggests another?

The card is a claim, not a guarantee. Its value is that it gives reviewers something specific to test. If a card implies no network behavior and the skill contains outbound calls, that mismatch is enough to stop the install.

Running SkillSpector and Interpreting Results

TL;DR: SkillSpector is the automated gate; a high-risk result means do not install the skill.

SkillSpector scans AgentSkills for hidden instructions and other agentic risks before installation. It is the automated half of the vetting workflow, while the Skill Card and manual review provide context.

Run SkillSpector against the exact skill source or package you intend to install. Do not scan one copy and install another. The scan should happen before the skill is granted runtime access, credentials, network privileges, or tool permissions.

Use the result as a gate:

Result	Action
High-risk	Hard stop. Do not install or override the warning.
Medium / warnings	Read every finding. Proceed only if each warning is understood, justified, and acceptable.
Clean	Continue to manual review before installing.

A clean scan is necessary, but it is not sufficient. Scanners are strongest against known patterns. A novel prompt-injection technique, subtle data-exfiltration path, or confusing permission model may still require human judgment.

Manual Red-Flag Checks

TL;DR: Read the prompts and code for hidden instructions, unexpected network behavior, secret access, obfuscation, and over-broad permissions.

Even when the Skill Card looks reasonable and SkillSpector returns a clean result, spend a few minutes reviewing the skill directly. Look for the kinds of issues that automated tooling can miss or only partially explain.

Prioritize these checks:

• Hidden instructions: Search descriptions, examples, templates, and returned content for imperative language such as “ignore previous,” “always,” “do not mention,” or instructions to contact an external endpoint.
• Unexpected network calls: Any outbound request should match the skill’s stated purpose. A formatter, summarizer, or local utility should not need unexplained network egress.
• Secret access: Watch for references to .env, environment variables, credential files, local token stores, or secret managers that are not required for the skill’s function.
• Obfuscation: Base64 blobs, encoded strings, dynamically assembled prompts, or hidden payloads deserve scrutiny. Legitimate skills rarely need to conceal their instructions.
• Over-broad permissions: Shell access, broad filesystem access, or unrestricted tool use should be justified by the task. Narrow skills should have narrow permissions.

Opacity increases risk. If the skill is closed, unreadable, or distributed in a form that prevents inspection, treat that as a risk multiplier rather than a neutral detail.

Pre-Install Checklist

TL;DR: A repeatable seven-step gate turns skill vetting from a judgment call into an operational process.

Use this checklist before installing any third-party AgentSkill:

1. Open the Skill Card and confirm provenance.
2. Compare declared behavior with the skill’s stated purpose.
3. Run SkillSpector against the exact package or source you intend to install.
4. Treat a high-risk result as a hard stop.
5. Read prompts, examples, templates, and code for hidden instructions.
6. Verify outbound network behavior and secret access are justified.
7. Install with the minimum permissions required, then observe early runs closely.

For first execution, use a session with no production credentials loaded. A credentials-free trial run is not a substitute for vetting, but it reduces blast radius if a skill behaves unexpectedly.

Frequently Asked Questions

TL;DR: Skill Cards disclose intent, SkillSpector scans for agentic risk, and high-risk findings should stop installation.

Q: What is a Skill Card in OpenClaw?

A Skill Card is a structured provenance and behavior-disclosure record for an AgentSkill. It helps reviewers understand who published the skill, what the skill claims to do, and which behaviors should be verified before installation.

Q: Is SkillSpector a replacement for reading the code?

No. SkillSpector automates detection of hidden instructions and other agentic risks, but manual review still matters. A scanner can flag known patterns; a human reviewer is better positioned to notice mismatched purpose, excessive permissions, or suspicious design choices.

Q: What should happen when SkillSpector marks a skill high-risk?

Treat the result as a hard stop. Community guidance is clear: high-risk warnings should not be overridden, even for a trial run. Choose a different skill or wait for the publisher to remediate the findings.

Q: How can prompt injection reach an agent through a skill?

A skill can contribute text through descriptions, examples, templates, or returned data. If that text contains instructions that the agent treats as authoritative, it can steer the agent toward unsafe actions, including leaking credentials or calling untrusted endpoints.

Q: Are AgentSkill risks the same as traditional package supply-chain risks?

They overlap, but AgentSkills add an agent-specific twist. A malicious package can still abuse code execution, permissions, or credentials, while a malicious skill may also carry plain-language instructions that manipulate the agent’s behavior.

Key Takeaways

TL;DR: Skill vetting should combine provenance checks, automated scanning, manual review, and least-privilege installation.

• AgentSkills can influence agent behavior and may interact with sensitive runtime resources.
• Skill Cards provide structured provenance and behavior disclosure.
• SkillSpector scans for hidden instructions and other agentic risks.
• A high-risk SkillSpector result is a hard stop.
• A clean scan does not eliminate the need for manual review.
• New skills should run first with minimum permissions and no production credentials loaded.

Conclusion

TL;DR: OpenClaw’s Skill Cards and SkillSpector give teams a practical vetting workflow, but the final trust decision still belongs at the install gate.

OpenClaw’s AgentSkill ecosystem is moving toward stronger provenance and automated risk detection. Skill Cards make publisher and behavior claims easier to inspect, while SkillSpector gives operators a repeatable scan before installation.

Those tools are most effective when treated as gates, not suggestions. Read the card, run the scan, review the skill, and install only with the permissions it needs. The safest AgentSkill workflow is the one that catches hidden instructions and credential exposure before the agent ever loads the skill.