Skill Scanning Is Not a Security Boundary
ID: b20d8550-693f-55fe-8d1d-6e5fdf6e75a7
STIX ID: report--b20d8550-693f-55fe-8d1d-6e5fdf6e75a7
Feed Name: CertiK Blog
This report analyzes the security of OpenClaw's Clawhub marketplace. It demonstrates a plausible Skill that abused a URL-based import vulnerability to achieve arbitrary command execution on host systems, and shows how static scanners and AI moderation can be bypassed or delayed (e.g., VirusTotal pending). It argues that review-based defenses are brittle without default sandboxing and per-Skill permissions, and concludes with recommendations to make isolation the default and enforce least-privilege capabilities.
