Is VoltAgent/awesome-openclaw-skills safe?

https://github.com/VoltAgent/awesome-openclaw-skills.git

95 · SAFE

This is a curated 'awesome list' repository containing only markdown documentation that links to 3,002+ OpenClaw skills. The SKILL.md is empty, making it functionally inert as an agent skill. There is no executable code, no data exfiltration risk, and no prompt injection content. The only minor concern is that it serves as a discovery mechanism for third-party skills, some of which could be malicious, though the repository includes appropriate security disclaimers.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (5)

INFO Empty SKILL.md 0

The SKILL.md file is completely empty, meaning this repository provides no skill instructions to an agent. It is functionally a documentation-only repository.

LOW Large curated list could serve as context pollution -5

The README.md contains links to 3,002+ skills organized by category. If the full content were injected into an agent's context window, it could consume significant tokens and potentially influence the agent to install or reference listed skills. However, this is the intended purpose of an 'awesome list' and not malicious in nature.

INFO Curated list includes disclaimer about malicious skills 0

The repository transparently documents that 396 skills were excluded from the OpenClaw registry for being identified as malicious by security audits. This demonstrates responsible curation practices.

LOW Indirect risk from skill recommendations -15

While this repository itself is safe, it serves as a discovery mechanism for thousands of third-party skills. An agent following links from this list could install unvetted or malicious skills. The README includes appropriate disclaimers but does not enforce verification.

INFO No executable content whatsoever 0

Repository contains only markdown files and a LICENSE. No package.json, no scripts, no hooks, no submodules, no symlinks. Zero code execution risk.