What Are OpenClaw Skills?
When you first install OpenClaw, it can do a lot out of the box — chat, schedule tasks, connect to exchanges. But its real power comes from skills: markdown-based plugins that extend what OpenClaw can do.
Think of skills like apps for your phone. The base OpenClaw is the operating system. Skills add specific capabilities: portfolio tracking, DeFi protocol interactions, advanced order types, market analysis tools, and more.
Technically, a skill is just a GitHub repository containing a SKILL.md file (and sometimes supporting scripts). The SKILL.md is a structured markdown document that tells OpenClaw what the skill does, what permissions it needs, and how to use it. When you install a skill, OpenClaw reads this file and integrates the skill’s capabilities into its own reasoning.
Here’s what a minimal SKILL.md looks like:
# My Trading Skill
## Description
Provides limit order management for Binance spot trading.
## Commands
- `set limit buy [amount] [asset] at [price]` - Places a limit buy order
- `set limit sell [amount] [asset] at [price]` - Places a limit sell order
- `cancel order [id]` - Cancels a pending order
- `show open orders` - Lists all pending orders
## Required Permissions
- Exchange API: read, trade (NO withdrawal)
## Dependencies
- ccxt >= 4.0This simplicity is both a strength and a serious vulnerability, which I’ll get into shortly.
How to Install Skills
Installing a skill is straightforward. You give OpenClaw a GitHub repo URL:
Install the skill from https://github.com/bankrbot/bankr-skillOpenClaw will:
- Clone the repo
- Read the
SKILL.md - Check for any dependency scripts
- Ask you to confirm the installation
- Integrate the skill’s capabilities
You can also install skills through the dashboard UI or by manually cloning a repo into your OpenClaw skills directory (usually ~/.openclaw/skills/).
To see what’s installed:
What skills do I have installed?To remove a skill:
Remove the [skill-name] skillSimple enough. The problem is that “simple to install” also means “simple to install something dangerous.”
The Official BankrBot Skills Repo
Before we get into the scary stuff, let’s talk about what’s safe.
The BankrBot skills repo (github.com/bankrbot) is the official, maintained collection of OpenClaw skills. These are built by the same team behind OpenClaw and are the closest thing to a “verified” source.
What the BankrBot repo offers:
- Bankr skill — Core trading and portfolio management. Spot orders, portfolio tracking, P&L calculations across exchanges.
- Trading assistant skills — Exchange-specific integrations with deeper features (Hyperliquid perps, Binance margin, etc.)
- DeFi skills — Interact with on-chain protocols. Swap tokens, check liquidity pools, monitor yields.
- Market monitoring — Price alerts, volume spikes, funding rate tracking.
I’ve used the Bankr skill and the Hyperliquid trading assistant extensively. They work as advertised and the code is clean, open-source, and actively maintained.
A general rule: start with BankrBot skills. They cover most of what a typical trader needs. Only go looking for third-party skills when you genuinely need something specific that the official repo doesn’t offer.
The Malware Problem
Here’s where I need to be blunt.
In January 2026, Infosecurity Magazine reported that researchers found 386 malicious skills on an unofficial OpenClaw skill hub. Three hundred and eighty-six. These weren’t subtle either — some of them exfiltrated exchange API keys, others installed crypto miners, and a few attempted to redirect withdrawal addresses.
This isn’t surprising if you think about it. OpenClaw skills can run code on your machine with access to your exchange credentials. That’s an incredibly attractive target for attackers. The barrier to creating a skill is low (it’s just a markdown file and some scripts), and many OpenClaw users are traders, not security experts.
I don’t say this to scare you away from skills. I say it because you need to treat every third-party skill as potentially hostile until you’ve verified it yourself.
The official BankrBot repo was not affected. The malicious skills were all on unofficial third-party directories and random GitHub repos that looked legitimate but weren’t.
How to Evaluate a Skill Before Installing
I’ve developed a process for vetting skills that I follow every single time, even for skills that look legit at first glance. Here’s my step-by-step:
1. Check the GitHub repo
Before installing anything, visit the repo URL and look at:
- Stars and forks — Not a guarantee of safety, but a skill with 0 stars and 1 commit is suspicious. Popular skills have community oversight.
- Commit history — Is there a history of meaningful commits over weeks or months, or was the entire repo uploaded in a single commit yesterday?
- Contributors — Is this a single anonymous account, or are there multiple contributors? Does the main contributor have other legitimate repos?
- Issues and discussions — Are people actually using this? Are there bug reports and responses?
2. Read the SKILL.md thoroughly
The SKILL.md tells you what the skill claims to do. Pay attention to:
- Required permissions — Does a “price alert” skill really need write access to your exchange? Does a “portfolio tracker” need trade permissions? If the requested permissions don’t match the stated functionality, walk away.
- Dependencies — What external packages does it pull in? Are they well-known libraries (like
ccxt) or obscure packages you’ve never heard of? - Commands — Do the commands make sense for the stated purpose? A skill that says it monitors prices but has a command called
export_keysis obviously suspicious.
3. Read the actual code
This is the step most people skip, and it’s the most important.
If the skill includes Python scripts, shell scripts, or any executable code, read them. You don’t need to be a developer to spot red flags:
# Clone the repo without installing it
git clone https://github.com/some-user/some-skill /tmp/skill-reviewThen search for dangerous patterns:
# Look for anything touching private keys or secrets
grep -ri "private_key\|secret\|password\|api_key\|seed_phrase\|mnemonic" /tmp/skill-review/
# Look for network calls to unknown servers
grep -ri "requests.post\|urllib\|fetch\|curl\|http" /tmp/skill-review/
# Look for encoded or obfuscated content
grep -ri "base64\|eval\|exec\|compile\|__import__" /tmp/skill-review/
# Look for file system access outside the skill directory
grep -ri "os.path\|pathlib\|open(\|shutil\|subprocess" /tmp/skill-review/If any of those greps return something that looks like it’s sending data to an external server or reading files it shouldn’t, do not install the skill.
4. Check if the skill phones home
Some malicious skills look clean in their source code but pull additional code at runtime from a remote server. This is a classic supply-chain attack.
Look for:
- URLs that aren’t to well-known services (GitHub, exchange APIs)
- Any
curlorwgetcommands in setup scripts - Dynamic imports or code that’s loaded from a URL at runtime
5. Test in a sandbox first
Even after all these checks, I always test a new skill in an isolated environment before letting it anywhere near my real API keys. I’ll cover sandboxing in detail below.
Red Flags Checklist
I keep a mental checklist when evaluating skills. Here it is in table form:
| What to Check | Green Flag | Red Flag |
|---|---|---|
| GitHub repo age | Created months ago, steady commit history | Created this week, single bulk commit |
| Stars / Forks | 10+ stars, some forks | 0 stars, 0 forks |
| Contributors | Multiple, with real profiles | Single anonymous account |
| SKILL.md permissions | Matches stated functionality | Over-requests (withdrawal, full account access) |
| Source code | Clean, readable, commented | Obfuscated, minified, or base64-encoded sections |
| Dependencies | Well-known packages (ccxt, pandas) | Unknown packages, pinned to suspicious versions |
| Network calls | Only to exchange APIs | Calls to random domains or IP addresses |
| Private key handling | Never reads or stores private keys | Accesses, stores, or transmits keys/secrets |
| Setup scripts | Simple dependency installs | Downloads and executes remote code |
| README / Docs | Explains what the skill does and how | Vague description, promises unrealistic returns |
| License | MIT, Apache, or similar open-source license | No license or restrictive/unusual terms |
| Issue tracker | Open issues exist, some are resolved | No issues (disabled) or only glowing praise |
If a skill hits more than two red flags, I don’t install it. Period.
Skills I’ve Tested and Recommend
I’ve tried about a dozen skills over the past month. Here’s my honest take on the ones worth installing, all from verified sources:
Bankr Skill
Source: github.com/bankrbot/bankr-skill
What it does: Core trading and portfolio management. Spot market and limit orders, portfolio overview across exchanges, P&L tracking, trade history.
This is the first skill I installed and it’s still the one I use most. The portfolio overview is genuinely useful — I can say “show my portfolio” and get a table of all my holdings across Binance and OKX with current values and 24h changes.
Limitations: It doesn’t handle derivatives or complex order types (OCO, trailing stop). For those, you need exchange-specific skills.
My rating: Solid daily driver. Install this first.
Trading Assistant (Hyperliquid)
Source: github.com/bankrbot/hyperliquid-skill
What it does: Perpetual futures trading on Hyperliquid. Open/close positions, set leverage, manage margin, track funding rates.
I use this for a small perps position. The integration is smooth — I can say “open a 3x long on ETH with $200 margin” and it handles the rest. Funding rate tracking is handy for basis trades.
Limitations: Hyperliquid-specific only. If you trade perps on Binance or Bybit, this won’t help. Also, this is a perps skill — please don’t use leverage if you don’t understand liquidation risk. I learned that lesson the expensive way years ago.
My rating: Good if you trade on Hyperliquid. Skip otherwise.
Market Monitoring Skills
Source: github.com/bankrbot/market-monitor
What it does: Price alerts, volume spike detection, RSI-based notifications, whale transaction tracking.
I set up a few alerts: notify me when BTC drops more than 5% in an hour, notify me when ETH trading volume spikes above 2x the 24h average. These work reliably — I get Telegram messages within a minute of the condition triggering.
Limitations: The whale tracking feature is hit-or-miss. It relies on public on-chain data and sometimes lags behind real-time significantly. The price alerts and volume monitors are solid though.
My rating: Useful for staying informed without staring at charts.
Patterns to Avoid (Without Naming Names)
I won’t call out specific malicious skills or repos — they get taken down and new ones appear. Instead, here are the patterns I’ve seen in dangerous skills:
The “guaranteed profit” skill. Any skill that promises consistent returns, “risk-free arbitrage,” or “guaranteed alpha” is either a scam or a fantasy. Real trading tools don’t promise profits.
The “all-in-one” skill from an unknown author. If a single person you’ve never heard of has built a skill that supposedly handles trading, DeFi, NFTs, portfolio management, tax reporting, and makes you breakfast, it’s probably doing one thing well (stealing your keys) and everything else poorly.
The fork of a legitimate skill with “improvements.” This is the sneakiest attack. Someone forks the real Bankr skill, adds a few “features,” and injects key-exfiltration code in the middle of an otherwise legitimate file. Always check: is the original skill missing a feature you need, or is this fork just adding code you can’t verify?
The skill that asks you to disable security features. “For this skill to work, you need to enable withdrawal permissions on your API key” — no, you don’t. No legitimate trading skill needs withdrawal access.
The skill with a post-install script that phones home. Legitimate skills might run npm install or pip install for dependencies. They should not be running curl commands to download additional code from random servers.
How to Sandbox Skills Safely
Even after vetting a skill, I recommend testing it in a sandboxed environment before giving it access to your real trading setup. Here are two approaches:
Approach 1: Docker Isolation
Run OpenClaw inside a Docker container with limited permissions:
FROM node:22-slim
RUN npm install -g openclaw@latest
# Create a non-root user
RUN useradd -m ocuser
USER ocuser
WORKDIR /home/ocuser
# Copy only the skill you're testing
COPY --chown=ocuser:ocuser ./skill-to-test /home/ocuser/.openclaw/skills/test-skill
# Use test API keys with minimal permissions
COPY --chown=ocuser:ocuser .env.test /home/ocuser/.openclaw/.env
CMD ["openclaw", "gateway", "start"]Build and run:
docker build -t openclaw-sandbox .
docker run --rm -it --network=bridge openclaw-sandboxKey points:
- The container has no access to your host filesystem
- Use test API keys with read-only permissions (no trading, no withdrawal)
- The
--network=bridgelimits network access to just outbound connections - If the skill tries to read files outside its directory or exfiltrate data, it can’t reach your real credentials
Approach 2: Separate API Keys with Limited Permissions
If Docker feels like overkill, create a separate set of API keys specifically for testing:
- On your exchange, create a new API key named
openclaw-test - Set permissions to read-only — no trading, no withdrawal, no transfer
- Fund the associated sub-account with a trivial amount ($10)
- Use these keys in a separate OpenClaw config when testing new skills
This way, even if a malicious skill steals the keys, all it can do is read your $10 test account balance. Not ideal, but not catastrophic.
What to watch during sandbox testing
While running a new skill in your sandbox:
# Monitor network connections (macOS)
nettop -p $(pgrep -f openclaw) -J bytes_in,bytes_out
# Monitor file access (macOS)
sudo fs_usage -f filesystem $(pgrep -f openclaw) 2>&1 | grep -v "CACHE"On Linux:
# Monitor network connections
ss -tnp | grep openclaw
# Monitor file access
strace -e trace=open,openat -p $(pgrep -f openclaw) 2>&1If you see connections to servers that aren’t your exchange API or the LLM provider, that’s a problem. If you see file reads targeting ~/.ssh/, ~/.env, or other sensitive directories outside the OpenClaw folder, that’s a bigger problem.
The Skill Evaluation Checklist
Here’s a condensed checklist you can run through in 5 minutes for any new skill:
| Step | What to Check | Pass Criteria |
|---|---|---|
| 1. Source | Is it from BankrBot or a known author? | Author has public reputation and history |
| 2. Repo age | When was the repo created? | At least 2+ weeks old with multiple commits |
| 3. Stars | Does it have community engagement? | 5+ stars (for non-BankrBot skills) |
| 4. SKILL.md | Are permissions reasonable? | No withdrawal, no excessive access |
| 5. Code review | Any obfuscated or suspicious code? | All code is readable and makes sense |
| 6. Dependencies | Are all dependencies known packages? | Only well-known, widely-used libraries |
| 7. Network calls | Does it contact external servers? | Only exchange APIs and LLM providers |
| 8. Setup scripts | What runs during installation? | Only standard package installs |
| 9. Sandbox test | Does it behave correctly in isolation? | No unexpected network or file access |
| 10. Community | Are others using it without issues? | Positive reports in forums or GitHub issues |
I printed this out and taped it next to my monitor. Sounds paranoid, but one careless install could compromise every exchange account connected to your OpenClaw instance.
The “Write Your Own Skill” Option
Here’s something a lot of people don’t realize: OpenClaw can create skills for you.
If you need a custom capability and can’t find a safe third-party skill that does it, just ask OpenClaw to build one:
Create a skill that:
- Monitors the BTC/ETH ratio every hour
- If the ratio drops below 20, send me a Telegram alert
- Log the ratio to a CSV file with timestamps
- Show me the ratio history when I ask "show ratio history"OpenClaw will:
- Generate the
SKILL.mdwith proper command definitions - Write the supporting Python scripts
- Set up the scheduling logic
- Install the skill locally
The advantage is obvious: you know exactly what’s in the code because the LLM wrote it in front of you. You can review every line, ask OpenClaw to explain any part, and modify it freely.
I’ve written three custom skills this way:
- A funding rate monitor that tracks Binance and Hyperliquid funding rates and alerts me when the spread exceeds 0.03% (useful for basis trades)
- A portfolio snapshot that saves my complete portfolio state to a JSON file every 6 hours (for my own record-keeping)
- A trade journal skill that asks me to write a brief note after each manual trade I make (helps me track my own decision-making over time)
None of these required any coding on my part. I described what I wanted, reviewed the generated code, made a few tweaks, and deployed. Total time: maybe 20 minutes per skill.
Tips for writing custom skills
- Be specific in your description. “Monitor the market” is vague. “Check BTC price every 15 minutes and alert me if it moves more than 3% in either direction” is actionable.
- Specify what you don’t want. “This skill should NOT have access to trading functions — read-only” helps constrain the generated code.
- Ask to see the code before activating. Say “show me the code you generated before installing it” so you can review it.
- Test with dry run first. Ask OpenClaw to add a dry-run mode to any skill that places trades.
What I Wish I Knew When I Started
When I first discovered OpenClaw skills, I installed five of them in an afternoon without checking any of them thoroughly. I got lucky — they were all from the BankrBot repo. But I could have easily grabbed one from a random GitHub link in a Discord channel and compromised my setup.
Here’s what I’d tell past me:
-
The official BankrBot repo covers 80% of what you need. Don’t go hunting for third-party skills until you’ve actually hit a wall with the official ones.
-
One malicious skill can compromise everything. Your exchange API keys, your LLM API key, your trade history, your strategies — all of it is accessible from the OpenClaw process. One bad skill is all it takes.
-
“Open source” doesn’t mean “safe.” The malicious skills that were discovered were all open-source too. You could read the code — most people just didn’t.
-
Writing your own skill is faster than you think. I spent 45 minutes evaluating a third-party skill that I could have had OpenClaw generate from scratch in 15 minutes. Unless the skill involves complex logic you can’t describe in plain English, building your own is often the safer and quicker path.
-
API key hygiene matters more than anything else. Never give withdrawal permissions. Use sub-accounts with limited funds for testing. Rotate keys periodically. These basics protect you even if a skill turns out to be malicious.
The OpenClaw skills ecosystem is powerful and growing. But it’s also a target. Stay informed, verify before you trust, and when in doubt, build it yourself.
Next Steps
- Just getting started? Set up your first bot with our BTC DCA strategy tutorial
- Need a 24/7 machine? Read our Mac Mini setup guide for always-on trading
- Want to build your own bot from scratch? Check out the AI trading bots track for Python-based approaches
