your openclaw agent is one bad skill away from emailing your tax returns to strangers

Security research reveals a massive vulnerability in OpenClaw's agent ecosystem. Attackers are uploading malicious skills disguised as tools like "Spotify music managers" that secretly search for tax documents and extract Social Security numbers. An estimated 10-15% of community skills contain harmful instructions. This enables "Delegated Compromise," where attackers hijack the permissions users grant their own agents. OpenClaw's FAQ admits this is a "Faustian bargain" with no perfectly safe setup.