What Would Elon Do? The Malicious Skill That Gamed Its Way to Number One
The skill was called "What Would Elon Do?" It was the number one ranked skill in OpenClaw's community repository. It had been downloaded thousands of times. And when Cisco's AI Defense team ran their Skill Scanner against it, the verdict was immediate: functionally malware.
Nine security vulnerabilities. Two critical. Five high severity. The skill silently executed a curl command that transmitted data to an attacker-controlled server. It used direct prompt injection to bypass the agent's safety guidelines. It required no additional user interaction beyond installation. And it left minimal audit trail of its activities.
This is not a hypothetical attack scenario from a security whitepaper. This happened in production, to real users, on the most popular open-source AI agent in the world.
The Numbers
Cisco's research goes beyond a single malicious skill. Their AI Threat and Security Research team analyzed 31,000 agent skills across the ecosystem — including Claude Skills, OpenAI Codex skills, and OpenClaw community contributions. The finding: 26 percent of all analyzed skills contained at least one vulnerability.
That is not a typo. More than one in four skills that developers and users are installing into their autonomous AI agents contain security flaws ranging from command injection to data exfiltration to prompt injection attacks.
In OpenClaw's case specifically, the architecture allows skills to execute code on the host system with the agent's granted privileges, access environment variables including .env files that commonly store API keys and database credentials, make external network calls to infrastructure outside the user's control, influence agent behavior through prompt engineering techniques, and leverage the agent's persistent memory system across sessions.
Every one of those capabilities is a feature when the skill is legitimate. Every one is an attack vector when it is not.
The Supply Chain Problem
The parallel to traditional software supply chains is obvious and instructive. The npm ecosystem learned this lesson years ago with event-stream, a popular package that was silently modified to steal cryptocurrency. PyPI has faced similar incidents. The pattern is always the same: an open repository with minimal vetting, a popular package that attracts trust through downloads, and a malicious payload hidden inside.
OpenClaw's skill repository operates on the same model. Community members can publish skills — instruction sets and code that teach the agent new capabilities. There is no certification process. No mandatory security review. No supply chain verification. The ranking system, which determines what users see first, can be gamed.
The difference between a compromised npm package and a compromised OpenClaw skill is scope. A malicious npm package can exfiltrate environment variables from a CI/CD pipeline. A malicious OpenClaw skill can exfiltrate environment variables, read your email, browse your files, send messages on your behalf, and execute arbitrary commands on your machine — all while the agent's persistent memory ensures the compromise survives across sessions.
One of OpenClaw's own maintainers, known as Shadow, put it plainly on Discord: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."
What Is Being Done
Cisco released their Skill Scanner as open source, enabling anyone to scan skills for threats before installation. It checks for embedded malicious instructions, data exfiltration patterns, prompt injection techniques, and unsafe code execution paths. It is a good tool. It is also a band-aid on a structural problem.
OpenClaw has been tightening security with each release. The v2026.2.6 security release introduced stricter skill sandboxing. The documentation has always been explicit about the risks — the security page literally states "There is no 'perfectly secure' setup." But documentation and tools only work if people use them, and the "What Would Elon Do?" incident demonstrates that thousands of users installed a skill without reading what it actually did.
The fundamental tension remains: OpenClaw's power comes from its extensibility, and extensibility is inherently at odds with security. Every skill that can call an API can call a malicious one. Every skill that can read a file can read .env. The question is not whether the next malicious skill will appear in the repository. It is whether it has already appeared and nobody has scanned for it yet.
What You Should Do
If you are running OpenClaw with community skills installed:
First, audit what you have. Run Cisco's Skill Scanner against every skill in your installation. It takes minutes and could prevent a breach that takes weeks to remediate.
Second, read the skill source before installing. Skills are instruction sets and code — they are human-readable. If a skill contains curl commands to external servers, network calls you do not recognize, or instructions that reference environment variables it should not need, do not install it.
Third, apply the principle of least privilege. OpenClaw's documentation covers permission models and trust boundaries. An agent that can send emails does not need access to your SSH keys. An agent that manages your calendar does not need shell execution privileges.
Fourth, keep your installation updated. The security improvements in recent releases are not optional. They are the difference between an agent that respects boundaries and one that has none.
The skills repository is powerful. It is also, right now, an unvetted supply chain for software that runs with your credentials on your machine. Treat it accordingly.