Critical Vulnerability in OpenClaw Skill Installer Exposes LLM API Keys to Stealth Theft

A critical security flaw in OpenClaw's third-party Skill marketplace allows malicious actors to execute arbitrary shell commands on a user's system during Skill installation — without any sandbox isolation, permission prompt, or code review. The vulnerability, classified as OWASP LLM Top 10: LLM03:2025 (Supply Chain Vulnerabilities), exposes a direct path to stealing sensitive credentials stored in the user's `openclaw.json` configuration file, including LLM API keys and other authentication tokens.

The root cause lies in how OpenClaw processes the `## Prerequisites` block within `SKILL.md` files. Unlike a sandboxed or permission-gated installation flow, this block executes directly in the user's shell environment with full user permissions. Any third-party Skill hosted on the marketplace can embed shell commands within this block, and those commands run silently during installation. An attacker hosting a malicious Skill needs only to craft a `SKILL.md` file that reads `~/.openclaw/openclaw.json` and exfiltrates its contents — typically via a network request to an attacker-controlled endpoint. There is no review step, no warning dialog, and no capability-gated sandbox to limit what the executing code can access.

The implications extend beyond individual credential exposure. API keys for LLM services represent a direct financial attack surface — an attacker with a valid key can consume paid model resources at the account holder's expense. Organizations relying on OpenClaw for agentic workflows face supply chain risk: a compromised or intentionally malicious Skill could establish persistent access, pivot to other local resources, or harvest additional secrets. The absence of any installation-time vetting means users must trust the marketplace entirely, with no technical barrier preventing a bad actor from weaponizing a popular or seemingly benign Skill. Security researchers warn that immediate mitigation requires either disabling third-party Skill installation or implementing manual review and sandboxing controls until a formal patch addresses the execution model.