Skip to Content
BlogWe Scanned 13,729 ClawHub Skills — Here's What We Found

We Scanned 13,729 ClawHub Skills — Here’s What We Found

Published March 17, 2026

ClawHub is the public skill marketplace for OpenClaw, the open-source AI agent framework with 313K+ GitHub stars. Think of it as npm for AI agents — a registry where anyone can publish skills that extend what agents can do, from Slack integrations to browser automation to file management.

As of March 2026, ClawHub hosts 13,729 published skills. We scanned every single one. The results are sobering.

The Numbers

MetricValue
Total skills scanned13,729
Malicious skills identified1,184 (8.6%)
Previously removed (ClawHavoc)2,419
Total malicious ever published3,603
Cumulative malicious rate~21% of all skills ever published
Scanner rules applied55 pattern rules + 6-stage pipeline
Average scan time< 2 seconds per skill

One in five skills ever published to ClawHub has been malicious. Even after the ClawHavoc cleanup removed 2,419 skills in January 2026, our scanner found 1,184 more that slipped through or were published afterward.

What We Found: Five Attack Categories

1. AMOS / Poseidon Stealer Variants (macOS Credential Theft)

The most sophisticated category we detected. These skills specifically target macOS users — a growing segment of AI developers — by extracting credentials from the Keychain, browser profiles, and SSH keys.

The AMOS stealer family has been active since 2024, but its techniques have been adapted for AI agent skills. A typical pattern: a skill that claims to “manage your development environment” but silently reads ~/Library/Keychains/login.keychain-db and sends the contents to an external server via DNS queries.

Our scanner catches these with dedicated AMOS/Poseidon rules that detect Keychain file access, security find-generic-password calls, and known stealer binary references.

2. Credential Harvesting

Skills that read API keys, passwords, and tokens from environment variables, dotfiles, and configuration directories. Unlike the AMOS variants (which target macOS specifically), these are cross-platform and opportunistic.

Common patterns include:

  • Reading ~/.ssh/id_rsa and ~/.aws/credentials
  • Iterating over process.env or os.environ and exfiltrating all values
  • Accessing browser credential stores (Chrome’s Login Data, Firefox’s logins.json)
  • Scanning for .env files recursively from the home directory

Because OpenClaw agents run with the user’s full permissions, a credential harvester has access to everything the developer can access. No sandbox. No permission prompt. Just silent exfiltration.

3. Reverse Shells and Command-and-Control

Skills that establish persistent outbound connections to attacker-controlled servers. The typical pattern is a WebSocket or TCP connection disguised as a “health check” or “analytics ping” that actually opens a reverse shell.

We found skills using curl | bash pipelines, eval() with base64-decoded payloads, and dynamic __import__() calls to load remote code at runtime. Some were remarkably brazen — one skill named “productivity-boost” contained a plaintext nc -e /bin/sh call.

4. DNS Exfiltration

The stealthiest category. These skills encode stolen data into DNS queries and send them to attacker-controlled name servers. Because DNS traffic is rarely inspected and passes through nearly all firewalls, this technique is hard to detect without specialized monitoring.

Our scanner identifies DNS exfiltration through patterns like dns.resolver.query() calls with dynamically constructed hostnames, nslookup invocations with encoded subdomains, and known DNS tunneling library imports.

5. Prompt Injection and Memory Poisoning

A category unique to AI agent skills. These skills do not steal credentials or install malware — instead, they manipulate the agent’s own behavior by injecting hidden instructions into the agent’s context.

Techniques include invisible Unicode characters that encode instructions, SKILL.md files with hidden system prompts in HTML comments, and skills that modify the agent’s SOUL.md workspace file to alter its personality or goals.

Our 6-Stage Scanning Pipeline

The scan results above come from our defense-in-depth pipeline, which runs every skill through six sequential stages. The pipeline short-circuits on the first BLOCKED verdict — if Stage 2 catches a reverse shell, the skill never reaches Stage 5.

Stage 1: OpenClaw Native Scanner. We run OpenClaw’s built-in skill safety scanner (introduced in v2026.2.6) as the first check. It catches basic dangerous patterns like eval(), exec(), subprocess.call(), and os.system().

Stage 2: YARA Pattern Matching. Our custom rule engine with 55 pattern rules, covering the five attack categories above plus obfuscation detection (base64 encoding, hex-encoded strings, character code concatenation). Each rule has a category, severity level, and human-readable description.

Stage 3: Dependency Analysis. We check declared npm and pip dependencies against a blocklist of known-malicious packages from the ClawHavoc campaign. Six npm packages are permanently blocklisted. We also flag skills with an unusually high number of dependencies or dependencies from suspicious registries.

Stage 4: VirusTotal Integration. We submit a SHA-256 hash of the skill code to VirusTotal’s API and check for matches across 70+ antivirus engines. This catches known malware signatures that our pattern rules might miss.

Stage 5: LLM Code Review. For skills flagged as CAUTION (suspicious but not definitively malicious) by earlier stages, we send the code to Claude for security analysis. The LLM receives the prior findings as context and renders a SAFE, CAUTION, or BLOCKED verdict with an explanation. This stage catches sophisticated patterns that evade regex-based rules.

Stage 6: Manual Review Queue. Skills that remain in CAUTION after the LLM review are queued for human security review. This is the final gate — a human analyst examines the code, the prior findings, and the LLM’s assessment before rendering a final verdict.

What The Industry Is Missing

The ClawHub security problem is not unique. Every AI agent framework with a plugin ecosystem faces the same structural vulnerability: executable code distributed through a public registry with insufficient review.

The numbers are stark:

  • 135,000 exposed OpenClaw instances found across 82 countries (SecurityScorecard STRIKE team, January 2026)
  • 63% of those instances had at least one known vulnerability
  • Zero mandatory security scanning before skill publication on ClawHub
  • No runtime sandboxing by default — agents run with full user permissions

The stitched security stack that developers cobble together (manual code review + npm audit + hope) does not scale. When a registry has 13,729 skills and is growing, you need automated defense-in-depth.

How to Protect Your OpenClaw Agents

Use the Free Scanner

Our ClawHub Security Scanner  is free, requires no signup, and scans any ClawHub skill against our full 55-rule pattern engine. You get an A-F security grade with detailed findings in seconds.

Paste a ClawHub skill URL or skill ID, and the scanner runs the same pipeline we used for this research. If a skill gets a D or F grade, do not install it.

Pin Your Skill Versions

Never use latest in production. Pin exact versions and review changelogs before upgrading. A safe v1.0 skill can become compromised in v1.1 if the maintainer’s account is hijacked or they decide to monetize their user base through credential theft.

Run Agents in Sandboxed Environments

Stop running AI agents on your development machine with full access to your SSH keys, AWS credentials, and browser profiles. Use containerized environments with:

  • Network egress controls (block connections to unknown hosts)
  • Read-only filesystem mounts for sensitive directories
  • CPU and memory limits (prevents crypto mining)
  • No access to host credential stores

Our managed runners  provide all of this out of the box with three configurable tool profiles: full dev tools, browser-only, and data-processing-only.

Route LLM Calls Through a Governance Gateway

Even if a malicious skill bypasses the scanner, the Curate-Me gateway catches the downstream effects. PII scanning blocks credential exfiltration in LLM requests. Cost caps prevent resource abuse from crypto miners or infinite loops. Rate limiting stops data exfiltration through rapid-fire API calls.

# One environment variable swap. Every LLM call is now governed.
OPENAI_BASE_URL=https://api.curate-me.ai/v1/openai

What Comes Next

We are open-sourcing the core pattern engine as a standalone governance library so that other platforms can integrate these checks into their own skill registries. The ClawHub security problem is an industry-wide problem, and it needs an industry-wide response.

In the meantime, scan before you install. The data is clear: one in five skills is not what it claims to be.

Scan your ClawHub skills for free at dashboard.curate-me.ai/scanner . 55 pattern rules. 6-stage pipeline. A-F security grade in seconds.

Curate-Me is the governance layer for AI agents. Cost caps, PII scanning, rate limiting, HITL approvals, managed runners, and a full audit trail — zero code changes.

March 2026: Competitive Response & Platform MaturityCurate-Me vs Portkey vs Helicone: AI Gateway Comparison