Summary: The ClawHub marketplace offers over 500 community-built skills for OpenClaw, enabling everything from GitHub integration to browser control and email management. RakSmart promotes one-click access to this marketplace as a key advantage of their OpenClaw hosting template. However, security analysis reveals that out of over 26,000 scanned skills, approximately 8% contain malicious or high-risk components. Attack vectors include supply chain poisoning, command obfuscation, and privilege escalation. The RakSmart template runs OpenClaw with the container sandbox disabled, meaning malicious skills have more freedom to access the host system. This blog explores where hosting responsibility ends and user responsibility begins, what RakSmart can do to protect its customers, and whether the “养虾” community-driven security model is sustainable as OpenClaw goes mainstream.
Introduction: The Double-Edged Sword of the Skill Marketplace
OpenClaw’s greatest strength is also its greatest vulnerability. The ClawHub marketplace, with over 500 community-built skills, transforms OpenClaw from a simple AI chat agent into a powerful automation platform. Want your AI agent to manage your GitHub repositories? There is a skill for that. Want it to control a browser and scrape data? There is a skill for that. Want it to read and send emails, manage calendars, or control smart home devices? There are skills for all of that and more.
This extensibility is what earned OpenClaw its 240,000 GitHub stars. It is why developers are calling OpenClaw an “AI agent operating system” rather than just another chatbot. The skill marketplace creates a virtuous cycle: more skills attract more users, more users attract more skill developers, and the ecosystem grows.
But there is a dark side to this growth.
According to security analyses of the ClawHub marketplace, out of over 26,000 scanned skills across various categories, more than 2,000 skills—approximately 8%—contain malicious or high-risk components. This is not a theoretical risk. Real-world attacks have been documented. Malicious skills have stolen API keys, exfiltrated conversation histories, installed backdoors, and in some cases, gained root access to the host system.
RakSmart, like most hosting providers offering OpenClaw templates, has been slow to address this risk. Their template provides one-click access to the ClawHub marketplace. The container sandbox that could isolate malicious skills is disabled by default. And while RakSmart has published detailed “malware dissection” guides on their blog, they have not implemented any technical guardrails to protect customers who are not security experts.
This blog asks a difficult question: where does hosting responsibility end and user responsibility begin? And what should RakSmart do about it?
Anatomy of a Malicious Skill
To understand the risk, we need to understand how malicious skills actually work. Security researchers have identified three primary attack vectors in the ClawHub marketplace.
Supply Chain Poisoning
The most insidious attack vector is supply chain poisoning. An attacker creates a skill that appears to be a useful tool. For example, a skill named “ai-agent-security-scanner” that claims to scan other skills for vulnerabilities. Users install it because they want to secure their OpenClaw agent. But behind the scenes, the skill collects credentials—API keys, tokens, passwords—from the OpenClaw configuration and from the environment variables. It then exfiltrates these credentials to an attacker-controlled server, often disguised as a legitimate service like Feishu or Discord webhooks.
The skill “ai-agent-security-scanner” was analyzed by RakSmart’s own security team. They found that it contained hardcoded credentials to an attacker-controlled Feishu bot. Every time the skill ran, it would send a copy of the OpenClaw configuration file, including any LLM API keys, to the attacker. The skill had over 500 installations before it was removed from the marketplace.
Command Obfuscation
The second attack vector is command obfuscation. Malicious skills hide their true actions behind layers of encoding and indirection. A skill named “agent-lingua” claimed to provide multilingual translation capabilities. But when researchers examined its code, they found Base64-encoded payloads that, when decoded, executed shell commands to download and install cryptocurrency miners. The skill used legitimate-looking variable names and split the malicious payload across multiple files to evade static analysis.
The command obfuscation technique is particularly dangerous because it bypasses basic audit logging. The OpenClaw agent logs that a skill executed, and it logs the skill’s output, but it does not log the intermediate decoded commands. By the time an administrator notices unusual CPU usage or network activity, the cryptocurrency miner may have been running for days or weeks.
Privilege Escalation
The third and most dangerous attack vector is privilege escalation. Some malicious skills explicitly request root access or demand that security restrictions be disabled. A skill named “system-optimizer” claimed to improve OpenClaw performance by tuning kernel parameters. Its installation instructions told users to run it with sudo or to add the OpenClaw user to the docker group (which is effectively root access).
Once a skill has root access, the game is over. It can install persistent backdoors, modify system files, disable firewalls, and use the compromised server as a launch point for attacks on other systems. In a shared hosting environment, privilege escalation from a container to the host could potentially compromise other customers on the same physical server.
The RakSmart Template’s Security Posture
RakSmart is not unaware of these risks. Their blog contains detailed posts dissecting malicious skills, including the “ai-agent-security-scanner” and “agent-lingua” examples mentioned above. They have warned their community about the dangers of installing untrusted skills. They have published best practices for skill evaluation, such as reading the source code before installing, checking the skill’s download counts and user reviews, and avoiding skills that request unnecessary permissions.
However, the RakSmart OpenClaw template itself provides minimal technical protection against these threats.
The Sandbox Is Disabled
As noted in Blog One, the RakSmart template runs OpenClaw as a container, but the container-level sandbox cannot be enabled on their template deployment. The sandbox is OpenClaw’s primary defense against malicious skills. When enabled, skills run in a restricted environment with limited filesystem access, no network access unless explicitly granted, and no ability to execute arbitrary shell commands.
With the sandbox disabled, a skill has essentially the same access as the OpenClaw agent itself. If the agent has access to the host’s filesystem, the skill does too. If the agent can make network requests, the skill can too. If the agent can execute shell commands, the skill can too.
One-Click Installation
The RakSmart template promotes one-click access to the ClawHub marketplace. Users can browse skills and install them with a single click. There is no approval workflow, no permission review, no sandbox prompt. The skill is installed and active immediately.
This ease of use is exactly what attackers want. Users who would never download and run an arbitrary executable from an unknown website will happily install an OpenClaw skill because it feels like part of the platform. The one-click interface lowers the user’s guard.
No Skill Vetting
RakSmart does not pre-vet or curate the skills available through their template. Every skill in the ClawHub marketplace, including the approximately 8% that are malicious, is accessible with equal ease. RakSmart’s documentation warns users to be careful, but the template itself does not enforce any safety measures.
Imagine if a web hosting provider gave you one-click access to install any WordPress plugin from the official repository, knowing that approximately 8% of plugins are malicious, and then disabled WordPress’s built-in security features. That would be considered irresponsible. But that is exactly the situation with RakSmart’s OpenClaw template.
Where Does Hosting Responsibility End?
This brings us to the central question of this blog: where does hosting responsibility end and user responsibility begin?
RakSmart’s position, based on their terms of service and their public communications, appears to be that they provide the infrastructure and the template, but security is ultimately the user’s responsibility. They warn users about malicious skills. They provide educational content. They do not prevent users from installing malicious skills because that would be an overreach—who is RakSmart to decide what skills are “safe”?
This is a defensible position, but is it sufficient as OpenClaw goes mainstream?
Consider the user who is not a security expert. They are a small business owner who wants to use OpenClaw to automate customer support on Telegram. They have never heard of supply chain poisoning. They do not know how to read JavaScript or Python code. They see a skill named “customer-support-automation” with positive reviews and 1,000 downloads. They click install. The skill steals their customer data and their LLM API keys.
Who is responsible?
The user made a mistake. But the hosting provider gave them one-click access to the dangerous skill, disabled the sandbox that could have contained it, and provided no warning beyond a blog post that the user never read.
This is not a hypothetical scenario. It has already happened. Multiple times.
What RakSmart Could Do
RakSmart has several options to improve the security of their OpenClaw template without completely giving up on the convenience that makes the template valuable.
Option One: Implement a Skill Approval Workflow
Instead of allowing one-click installation of any skill, RakSmart could implement an approval workflow. When a user tries to install a skill, the template would display the skill’s permissions, the functions it accesses, and any network destinations it communicates with. The user would have to explicitly confirm each permission. For skills that request dangerous permissions—like filesystem access outside the OpenClaw data directory, network access to unknown domains, or shell command execution—the template could require a second confirmation or even administrative approval.
This approach maintains user freedom while adding friction that would deter many casual installations of malicious skills. It also educates users about what skills actually do, rather than hiding the details behind a “one-click install” button.
Option Two: Create a RakSmart-Approved Skill Mirror
RakSmart could partner with the OpenClaw community or with third-party security researchers to create a curated skill mirror. Every skill in the mirror would be manually or automatically scanned for malicious patterns. RakSmart could offer this curated marketplace as a free add-on to their OpenClaw template, or they could charge a small premium for access.
The curated mirror would not replace the full ClawHub marketplace. Users who wanted to install unvetted skills could still do so, but they would have to explicitly enable “developer mode” or “unsafe skills” in the template settings. This creates a clear distinction between the safe path (recommended for most users) and the risky path (for experts who know what they are doing).
Option Three: Enable Sandbox-by-Default
RakSmart should prioritize enabling OpenClaw’s container sandbox on their template. If the sandbox breaks compatibility with some skills, RakSmart could offer two variants of the template: “Standard” with sandbox enabled, and “Compatibility” with sandbox disabled. Most users should choose Standard. The Compatibility variant would come with prominent warnings about the increased security risk.
This approach addresses the root cause of the problem. Malicious skills are only dangerous because they can access the host system. If they are confined to a sandbox, even a skill with malicious intent cannot do much damage. It might waste CPU cycles or fill up its limited storage, but it cannot steal credentials from the host or install persistent backdoors.
Option Four: Integrate Automated Skill Scanning
Whenever a user attempts to install a skill, the RakSmart template could automatically scan the skill’s code for known malicious patterns. This scanning could use signature-based detection (matching known malicious skills), behavioral analysis (looking for suspicious patterns like Base64 decoding of strings), and even LLM-based analysis (using an AI to review the skill’s code).
If the scan detects a potential threat, the template would block the installation and explain why. Users could override the block if they were confident the skill was safe, but the default would be protection.
This approach is technologically ambitious but increasingly feasible. LLM-based code analysis is improving rapidly, and RakSmart could likely implement a basic version of this with existing open-source tools.
The “养虾” Community Model
RakSmart has cultivated a unique community around OpenClaw, which they call “养虾” (raising lobsters). This community, active on their forums and in messaging groups, shares security tips, warns each other about newly discovered malicious skills, and helps new users navigate the ClawHub marketplace.
The “养虾” model is admirable. Community-driven security education is valuable. However, it has limitations that become more apparent as OpenClaw grows beyond its early adopter base.
Limitation One: Exclusion of Non-Technical Users
The “养虾” community assumes a baseline level of technical literacy. You need to be able to read code, understand logs, and navigate the command line to benefit from most community discussions. A small business owner or a casual hobbyist is unlikely to participate. They will never see the warning about the latest malicious skill because they are not in the Telegram group. They will not know how to check the integrity of a skill’s source code because they cannot read code at all.
Limitation Two: Reaction Rather Than Prevention
Community warnings are reactive. By the time a malicious skill is identified and a warning is posted, it may already have been installed by hundreds or thousands of users. The skill will eventually be removed from the marketplace, but the damage is done. Prevention—technical barriers that stop malicious skills from being installed in the first place—is far more effective than post-installation warnings.
Limitation Three: Scalability
A community of a few hundred enthusiasts can effectively police each other. A community of tens of thousands of mainstream users cannot. The signal-to-noise ratio drops. Important warnings get lost in general chat. Malicious actors join the community to post fake endorsements of their own dangerous skills. Community-driven security does not scale without institutional support.
RakSmart should view the “养虾” community as a complement to technical security measures, not a replacement for them.
Conclusion: A Call for Hosting Providers to Step Up
OpenClaw is too important to be left unprotected. With 240,000 GitHub stars and growing, it is becoming the default open-source AI agent for developers worldwide. The skill marketplace is a key part of its value proposition. But the marketplace cannot reach its full potential if users are afraid to install skills because they might be malicious.
Hosting providers like RakSmart have a responsibility to protect their customers. They are not just selling VPS instances; they are selling a curated experience. When a customer chooses RakSmart’s OpenClaw template, they are trusting RakSmart to provide a safe, working environment. That trust is violated when the customer’s server is compromised by a malicious skill that the template made trivially easy to install.
The good news is that solutions exist. Skill approval workflows, curated marketplaces, sandbox-by-default, and automated scanning are all feasible. RakSmart has the technical expertise and the community relationships to implement these solutions. The only question is whether they will choose to do so, or whether they will continue to rely on user education and caveat emptor.
Users can protect themselves, of course. Do not install skills you do not trust. Read the source code. Run OpenClaw in a dedicated VM or container. Enable the sandbox. Use separate API keys with limited permissions. Monitor your server for unusual activity. These are all good practices.
But most users will not do these things. They will click the one-click install button. And when their server gets compromised, they will blame OpenClaw, or they will blame RakSmart, or they will give up on AI agents entirely.
That would be a tragedy. OpenClaw is too powerful, too flexible, and too important to be abandoned because hosting providers failed to implement basic security measures.
RakSmart has an opportunity to lead. They can be the hosting provider that made OpenClaw safe for everyone, not just for the experts. They can build the security features that turn the “养虾” community from a reactive warning system into a proactive protection network. They can set the standard that other hosting providers will have to follow.
Or they can continue with the status quo, and wait for the inevitable wave of compromises that will damage the entire OpenClaw ecosystem.
The choice is theirs. But the clock is ticking.
Frequently Asked Questions
Q1: Can I manually enable the container sandbox on RakSmart’s OpenClaw template?
A: According to RakSmart’s documentation, the container sandbox is disabled by default on their template deployment. Advanced users may attempt to enable it by editing the configuration file at /opt/cloud/openclaw/data/openclaw.json and setting the appropriate sandbox parameters. However, RakSmart explicitly warns that modifying the underlying configuration can break the application, and they take no responsibility for such changes. Additionally, even if you enable the sandbox, RakSmart does not guarantee that all ClawHub skills will function correctly, as some skills assume they have unrestricted access that the sandbox would block.
Q2: How can I tell if a skill from ClawHub is safe to install?
A: There is no foolproof method, but the following practices significantly reduce your risk. First, examine the skill’s source code if it is available. Look for suspicious patterns such as Base64-encoded strings, eval() calls, network requests to unknown domains, or attempts to read or write files outside the skill’s designated directory. Second, check the skill’s download count and user reviews, but be aware that these can be faked. Third, search for the skill’s name on security forums and the RakSmart “养虾” community to see if others have reported issues. Fourth, install the skill on a test server first, not on your production environment. Fifth, always run OpenClaw with the container sandbox enabled if possible. And finally, when in doubt, do not install the skill.
Q3: Has RakSmart been hacked because of malicious OpenClaw skills?
A: RakSmart as a hosting provider has not publicly reported any breaches of their core infrastructure due to malicious OpenClaw skills. However, individual RakSmart customers have reported compromises on their own servers after installing untrusted skills. The most common outcomes are stolen LLM API keys (resulting in unexpected usage charges), exfiltrated conversation histories (potentially containing sensitive business data), and cryptocurrency miners (causing high CPU usage and performance degradation). RakSmart’s security team has published analyses of several malicious skills that were found running on customer servers, confirming that real-world compromises are occurring.
Q4: Does the “one-click install” for ClawHub skills mean RakSmart endorses those skills?
A: No. RakSmart’s one-click install feature is a technical convenience, not an endorsement. The template provides easy access to the ClawHub marketplace, but RakSmart does not pre-vet or curate the skills available there. The responsibility for evaluating a skill’s safety lies entirely with the user. RakSmart’s documentation includes warnings about this, but the warnings are not prominently displayed in the one-click install flow. Users should be aware that installing a skill is equivalent to downloading and running arbitrary code from the internet, with all the associated risks.
Q5: What should I do if I think I installed a malicious skill on my RakSmart OpenClaw server?
A: Take immediate action. First, disconnect your OpenClaw agent from all IM platforms to prevent the malicious skill from receiving further commands. Second, revoke and regenerate all API keys that were stored in your OpenClaw configuration, including your LLM API keys, any IM platform tokens, and any other credentials. Third, examine your server for unauthorized processes using commands like top, ps aux, and netstat -tulpn. Fourth, check your server’s resource usage (CPU, memory, network) for anomalies. Fifth, review OpenClaw’s logs in /opt/cloud/openclaw/data/logs/ for evidence of unusual skill activity. Sixth, if you cannot determine the full extent of the compromise or remove the malicious skill, the safest course of action is to terminate the compromised VPS and deploy a fresh instance of the OpenClaw template. Restore only essential configuration data from backups that predate the compromise. Finally, report the malicious skill to the ClawHub marketplace administrators and to the RakSmart “养虾” community to warn other users.