Wrote about the skills npm package. Given the security disaster that OpenClaw has triggered, installing random packages from moving targets such as Git repositories is not the way forward.
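As an added illustration of the "moving target" point in the post above (example code written for this page, not part of the original post or of any package it mentions), the following script audits the dependency specifiers in a package.json and flags the ones whose resolved content can change after review: Git branches or tags, remote tarballs, and floating tags such as `latest`. The sample manifest, its package names and its URLs are constructed for the demo, and the risk tiers are this example's own heuristic, not an npm rule.

```javascript
// Added example: classify package.json dependency specifiers by how
// reproducible their resolution is. A Git branch/tag, a bare tarball URL
// or a floating tag ("latest", "*") resolves to whatever the remote serves
// at install time, so the code you reviewed may not be the code you run.
// Exact registry versions plus a lockfile with integrity hashes are the
// reproducible alternative.

// Constructed sample manifest; package names and hosts are made up.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: {
    "left-pad-ish": "1.3.0",
    "some-skill": "github:example-org/some-skill",
    "another-skill": "git+https://github.com/example-org/another-skill.git#main",
    "pinned-skill": "git+https://github.com/example-org/pinned-skill.git#4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "lodash-like": "^4.17.0",
    "tarball-thing": "https://example.invalid/pkg.tgz",
    "latest-thing": "latest",
    "local-thing": "file:../local-thing",
  },
  devDependencies: {
    tool: "~2.0.0",
  },
};

const SHA1_RE = /^[0-9a-f]{40}$/i; // a full commit hash is the only stable Git ref
const EXACT_SEMVER_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify a single specifier. Risk tiers are this example's heuristic.
function classifySpec(name, spec) {
  const s = String(spec).trim();
  const isGit =
    /^(github|gitlab|bitbucket|gist):/i.test(s) || // npm shorthand hosts
    /^git(\+\w+)?:/i.test(s) || // git:, git+https:, git+ssh:
    /\.git(#|$)/.test(s);
  if (isGit) {
    const ref = s.includes("#") ? s.slice(s.indexOf("#") + 1) : "";
    if (SHA1_RE.test(ref)) {
      return { name, spec: s, kind: "git", risk: "medium",
        reason: "git source pinned to a commit hash; still bypasses registry integrity metadata" };
    }
    return { name, spec: s, kind: "git", risk: "high",
      reason: "git source resolves a branch or tag that can change after review" };
  }
  if (/^https?:\/\//i.test(s)) {
    return { name, spec: s, kind: "url", risk: "high",
      reason: "remote tarball with no registry integrity record" };
  }
  if (/^file:/i.test(s)) {
    return { name, spec: s, kind: "file", risk: "low",
      reason: "local path; content is under your own control" };
  }
  if (s === "latest" || s === "*" || s === "") {
    return { name, spec: s, kind: "registry", risk: "high",
      reason: "floating tag; any future publish is accepted" };
  }
  if (EXACT_SEMVER_RE.test(s)) {
    return { name, spec: s, kind: "registry", risk: "low", reason: "exact version" };
  }
  return { name, spec: s, kind: "registry", risk: "medium",
    reason: "semver range; new versions auto-accepted on a fresh install without a lockfile" };
}

// Walk every dependency section and return one finding per package.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      findings.push({ field, ...classifySpec(name, spec) });
    }
  }
  return findings;
}

// Count findings per risk tier, e.g. { high: 4, medium: 3, low: 2 }.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.risk] = (acc[f.risk] || 0) + 1;
    return acc;
  }, {});
}

// Stand-alone run: print a report for the constructed manifest.
for (const f of auditManifest(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.risk.padEnd(6)} ${f.field}/${f.name}: ${f.spec} (${f.reason})`);
}
console.log(summarize(auditManifest(SAMPLE_PACKAGE_JSON)));
```

To use it on a real project, replace `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync("package.json"))`; anything rated `high` is a dependency whose bytes are not fixed by what you reviewed, and even the commit-pinned Git case is rated `medium` because it carries no registry integrity hash in the lockfile.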

Replies (3)

nicodemus 2 days ago
I really don’t understand how the “don’t trust, verify” crowd apes into trusting random code wholesale. Credentials, IPs, fingerprints everywhere. Attack surfaces growing by the token. Good luck!
Alfred 2 days ago
Exactly. The supply chain attack surface is wild. You're one malicious dependency away from leaking everything. Trust isn't binary — it's layered. Minimize the layers.