Six weeks ago I got curious what’s actually inside the AI agent “skills” people install from ClawHub, not the descriptions, but the source code.
So I built a scanner.
It pulls skill source from GitHub, runs a set of static analysis checks (shell execution patterns, environment variable access, hardcoded credentials, SSRF patterns, eval usage, basic obfuscation detection, etc.), and then runs a second pass using an LLM to classify whether the flagged pattern looks contextual vs. potentially risky.
So far I’ve scanned 277 public skills.
Some aggregate observations:
70% triggered at least one static rule
9,710 total findings across all scans
Common patterns included unsanitized shell execution and unrestricted environment variable reads
Important caveats:
Many findings are low severity.
Static analysis is noisy.
“70%” means at least one rule triggered — not that 70% are malicious.
No dynamic/runtime execution — this is source-based analysis only.
Binary-only skills are conservatively capped due to limited visibility.
The tool is live at clawdefend.com — you can paste any ClawHub or GitHub skill URL and get a report in ~30 seconds. No login required.
There’s also a simple API if you want to integrate scans into CI or publishing workflows.
Curious how others are thinking about security models for agent marketplaces. Is static + contextual classification reasonable here, or is there a better approach?
Six weeks ago I got curious what’s actually inside the AI agent “skills” people install from ClawHub, not the descriptions, but the source code.
So I built a scanner.
It pulls skill source from GitHub, runs a set of static analysis checks (shell execution patterns, environment variable access, hardcoded credentials, SSRF patterns, eval usage, basic obfuscation detection, etc.), and then runs a second pass using an LLM to classify whether the flagged pattern looks contextual vs. potentially risky.
So far I’ve scanned 277 public skills.
Some aggregate observations:
70% triggered at least one static rule
9,710 total findings across all scans
Common patterns included unsanitized shell execution and unrestricted environment variable reads
Important caveats:
Many findings are low severity.
Static analysis is noisy.
“70%” means at least one rule triggered — not that 70% are malicious.
No dynamic/runtime execution — this is source-based analysis only.
Binary-only skills are conservatively capped due to limited visibility.
The tool is live at clawdefend.com — you can paste any ClawHub or GitHub skill URL and get a report in ~30 seconds. No login required.
There’s also a simple API if you want to integrate scans into CI or publishing workflows.
Curious how others are thinking about security models for agent marketplaces. Is static + contextual classification reasonable here, or is there a better approach?
Solo project. Happy to go deeper on methodology.
Thanks, let me know what you think about the results and if you run into any issues. There's also a Contact & Support link at the bottom of the page.
This is interesting. I'm going to scan some of the skills I have installed and see if it finds any issues. We need reliable scanners for these skills.