70% of OpenClaw Skills Request OAuth Scopes They Don't Need

We ran two independent security scans across all 6,993 public skills in openclaw/skills. The dominant finding in both: skills routinely request OAuth permissions beyond what their stated task requires.

What the Scans Found

Snyk ToxicSkills (published static analysis):

Vessel first-party scan (full catalog, reproducible, open scripts):

These are different scans with different methodologies. They are not additive. Both are reproducible: the Snyk findings are published, and the first-party scan scripts and dataset are open source at github.com/vesselofone/openclaw-skills.

Over-scoping is the pattern that stands out. A skill that summarizes meeting notes should not hold a write token for your calendar. A skill that reads Slack channels should not have permission to post. In both scans, the majority of audited skills hold permissions beyond what they need for the described job.

OAuth grants persist after installation. The agent holds the token until you explicitly revoke it. Skills can be updated by their authors without notifying installers. The OAuth scope declared in version 1.0 may not be the same as in version 1.4.

What Hash Scanning Cannot Detect

Public reports placed the ClawHavoc campaign (malicious skills distributed through ClawHub) at between 341 and 824 skills. ClawHub responded by adding VirusTotal hash scanning. That response addresses one attack vector. It cannot address the primary one.

The attack surface in an OpenClaw skill is not executable code. It is the SKILL.md body: natural language that the agent reads and acts on. An adversarially crafted SKILL.md instructs the agent to exfiltrate data, establish persistence, or escalate access through the conversational interface. There is no binary to hash. ClawHavoc skills installed cleanly, returned clean VirusTotal results, ran without errors, and exfiltrated through the agent's normal output channel.

Hash scanning catches reused malicious binaries. It cannot detect adversarial natural language in the skill description. That surface remains uncovered.

What to Do Before Installing Any Skill

1. Read the full SKILL.md. Check what OAuth scopes it requests. Verify each scope is necessary for the stated task. Not just plausible: actually required. Before that, check whether the agent endpoint itself is exposed: vesselofone.com/tools/security-check scans your instance for open ports and auth gaps.
2. Run a static check on the SKILL.md body for injection patterns and scope justification. The free auditor at vesselofone.com/tools/skill-check covers this. Paste a slug or repo URL.
3. Test with non-sensitive data before connecting production credentials or real client files.
4. Set a review reminder for six months. Skill authors can update SKILL.md without notifying installers.

Four Predictions (2026-2028)

1. Per-skill runtime correctness monitoring becomes a commercial product. Static analysis catches code risk but cannot evaluate whether a skill produces correct output at runtime. That monitoring layer does not exist yet as a product.
2. Another named supply-chain incident affects more than 100 skills. ClawHavoc established the playbook. Hash scanning did not close the attack vector. The adversarial NL surface in SKILL.md bodies is still fully open.
3. Enterprise procurement begins requiring security attestations for skills used in business workflows. Legal and financial teams running agents on client data will not accept installability as a quality standard.
4. Registries add evaluation requirements for marketplace inclusion. Pure installability metrics will not survive the first major enterprise procurement cycle.

Full methodology and dataset: vesselofone.com/research/ai-agent-skills-ecosystem. Dataset at doi.org/10.5281/zenodo.19691714. Scan scripts at github.com/vesselofone/openclaw-skills under MIT + CC BY 4.0.

Vessel is managed OpenClaw hosting on private Linux VMs. Every agent we provision runs the skill auditor at setup. The research and dataset are open source.