Attack vector

Skills as the entry point

The most dangerous memory-poisoning vector isn't hidden text on a web page — it's a skill you install yourself. Marketplaces like ClawHub turn third-party code into a supply chain straight into your agent's memory.

~7 min read · Attack vector

A skill is a stored instruction — with privileges

An OpenClaw skill is a SKILL.md file: Markdown instructions that teach the agent when and how to use tools. That sounds harmless — but that's exactly the point: a skill isn't "just a tool", it's a permanently stored instruction carrying your agent's privileges. Whoever controls the skill controls a piece of the behavior — anew in every session.

ClawHub: the massive entry point

OpenClaw's skill registry ClawHub hosts over 13,700 community skills. You install one with a single command — openclaw skills install <slug> — and it lands in ~/.openclaw/skills. With --global it applies instantly to all local agents. It's as convenient as an app store — and just as much a supply chain: you pull third-party instructions straight into your agent's control center.

One command is enough — and third-party instructions live on permanently, with your agent's privileges, in ~/.openclaw/skills.

"Verified" doesn't mean "safe"

ClawHub checks installs against origin and version (.clawhub/origin.json), and a scanner flags dangerous code. But: verification proves where a skill comes from — not what it intends. The scanner is heuristic and only warns on "suspicious". The OpenClaw docs say it themselves: "treat third-party skills as untrusted code." A flawlessly verified skill can still carry a prompt-injection payload.

The walkthrough

From marketplace to damage — and where PoisonZero severs the chain:

1 · Marketplace

Skill from the registry

ClawHub · 13,729 skills. "Verified" checks the origin — not the intent.

2 · Install

One command, full privileges

openclaw skills install <slug>
~/.openclaw/skills

3 · Active

Skill = stored instruction

Writes to memory at session start or switches the protection off.

PoisonZero

The daemon evaluates every write to the protected paths.

danger 0.96 → revert
✕ Prevented

Memory poisoned → damage

↳ "Source X is trustworthy"
↳ Agent acts with OS privileges (Gmail · Stripe · Files)
↳ Exfiltration / sabotage at the next heartbeat
Without protection the chain runs all the way to damage — on OpenClaw with full OS privileges. With PoisonZero it ends at the memory write: evaluated, rolled back, logged.

Why OpenClaw is especially explosive — unlike Claude

OpenClaw isn't a chat window but an autonomous agent: it runs in the background, works through its tasks on a heartbeat and has full access to the operating system — filesystem, Gmail, Stripe, connected messengers. A poisoned skill here doesn't just lead to a wrong answer; it makes the agent act — on its own, with your privileges.

With Claude an agent errs. With OpenClaw it acts — autonomously, with your OS privileges. That's exactly why a local guardian on the filesystem isn't optional here.

Claude is more tightly fenced in (permissions, confirmations, a narrower sandbox). OpenClaw's openness is its appeal — and its risk: the blast radius of a single poisoned skill is orders of magnitude higher.

How PoisonZero covers this

PoisonZero steps in exactly where the damage happens: at write access to the skill and memory directories. The daemon monitors ~/.openclaw/skills, ~/.agents/skills, ~/.claude & co. locally and evaluates every change.

The result: even a "verified" skill that secretly tries to write a poisoned memory is intercepted — before your agent acts on it. More on the principle behind it: Memory Poisoning and Prompt Injection.

Protect your agents' skills.

PoisonZero monitors ~/.openclaw/skills & co. and rolls back poisoned entries fail-closed.

Try 14 days free

Read next: ClawHavoc: 1,184 poisoned skills · Claude, MCP & tool poisoning · What is memory poisoning?

All articles