Six weeks ago I got curious about what's actually inside the AI agent "skills" people install from ClawHub: not the descriptions, but the source code.
So I built a scanner.
It pulls skill source from GitHub, runs a set of static analysis checks (shell execution patterns, environment variable access, hardcoded credentials, SSRF patterns, eval usage, basic obfuscation detection, etc.), and then runs a second pass using an LLM to classify whether each flagged pattern looks benign in context or potentially risky.
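To make the static pass concrete, here's a minimal sketch of the kind of rule engine described above. The rule names and regexes are illustrative assumptions, not the actual ruleset; a real scanner would use AST-based checks rather than line regexes to cut down on false positives.

```python
import re

# Hypothetical rules illustrating the categories mentioned above:
# shell execution, environment variable reads, eval usage, hardcoded secrets.
RULES = {
    "shell_exec": re.compile(r"\b(os\.system|subprocess\.(run|Popen|call))\s*\("),
    "env_read": re.compile(r"\bos\.environ\b|\bos\.getenv\s*\("),
    "eval_usage": re.compile(r"\b(eval|exec)\s*\("),
    "hardcoded_secret": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*=\s*['\"][A-Za-z0-9_\-]{16,}['\"]"
    ),
}

def scan(source: str) -> list[dict]:
    """Return one finding per rule match, tagged with line number and snippet.

    Findings are raw static hits; a second pass (e.g. an LLM classifier)
    would decide whether each one is expected behavior for the skill
    or looks risky.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(
                    {"rule": rule, "line": lineno, "snippet": line.strip()}
                )
    return findings
```

A skill that shells out will trigger `shell_exec` even when the call is legitimate, which is exactly why the raw hit counts above need the contextual second pass before they mean anything.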
So far I’ve scanned 277 public skills.
Some aggregate observations:
70% triggered at least one static rule
9,710 total findings across all scans
Common patterns included unsanitized shell execution and unrestricted environment variable reads
Important caveats:
Many findings are low severity.
Static analysis is noisy.
“70%” means at least one rule triggered — not that 70% are malicious.
No dynamic/runtime execution — this is source-based analysis only.
Binary-only skills get a conservatively capped score, since there's no source to analyze and visibility is limited.
The tool is live at clawdefend.com — you can paste any ClawHub or GitHub skill URL and get a report in ~30 seconds. No login required.
There’s also a simple API if you want to integrate scans into CI or publishing workflows.
Curious how others are thinking about security models for agent marketplaces. Is static + contextual classification reasonable here, or is there a better approach?
Solo project. Happy to go deeper on methodology.
openclawed•1h ago
This is interesting. I'm going to scan some of the skills I have installed and see if it finds any issues. We need reliable scanners for these skills.
pakmania•1h ago
Thanks, let me know what you think about the results and if you run into any issues. There's also a Contact & Support link at the bottom of the page.