So I built a scanner.
It pulls skill source from GitHub, runs a set of static analysis checks (shell execution patterns, environment variable access, hardcoded credentials, SSRF patterns, eval usage, basic obfuscation detection, etc.), and then runs a second pass using an LLM to classify whether the flagged pattern looks contextual vs. potentially risky.
So far I’ve scanned 277 public skills.
Some aggregate observations:
70% triggered at least one static rule
9,710 total findings across all scans
Common patterns included unsanitized shell execution and unrestricted environment variable reads
Important caveats:
Many findings are low severity.
Static analysis is noisy.
“70%” means at least one rule triggered — not that 70% are malicious.
No dynamic/runtime execution — this is source-based analysis only.
Binary-only skills are conservatively capped due to limited visibility.
The tool is live at clawdefend.com — you can paste any ClawHub or GitHub skill URL and get a report in ~30 seconds. No login required.
There’s also a simple API if you want to integrate scans into CI or publishing workflows.
Curious how others are thinking about security models for agent marketplaces. Is static + contextual classification reasonable here, or is there a better approach?
Solo project. Happy to go deeper on methodology.
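An added illustration of the two-pass design described in the post (static rules first, then a contextual pass that triages each hit), written for this reply and not the clawdefend.com code. It walks a Python AST for the rule classes the post lists (shell execution, environment variable reads, hardcoded credentials, eval usage, basic obfuscation, an SSRF-style pattern), then runs a deterministic stand-in for the LLM classification step. The sample skill, the rule names, the regexes and the severity labels are all constructed for the example.

```python
"""Toy two-pass skill scanner: static AST rules over Python source, then a
contextual triage pass.  Added illustration only; rule set and thresholds
are constructed for the example, and contextual_pass() is a deterministic
stand-in for an LLM classification step."""
from __future__ import annotations
import ast
import re
from dataclasses import dataclass

@dataclass
class Finding:
    rule: str
    line: int
    detail: str
    severity: str            # assigned by the static rule
    verdict: str = "unreviewed"   # filled in by the second pass

SECRET_NAME_RE = re.compile(r"(?i)(api[_-]?key|secret|token|passw(or)?d)")
SENSITIVE_ENV_RE = re.compile(r"(?i)(key|secret|token|passw|cred)")
PLACEHOLDER_RE = re.compile(r"(?i)(example|changeme|placeholder|xxx|<.*>)")

class StaticRules(ast.NodeVisitor):
    """Pass 1: syntactic rules. Noisy by design; context comes in pass 2."""
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _name(self, node: ast.AST) -> str:
        # Dotted name of a call target, e.g. os.environ.get -> "os.environ.get"
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if isinstance(node, ast.Name):
            parts.append(node.id)
            return ".".join(reversed(parts))
        return ""

    def visit_Call(self, node: ast.Call) -> None:
        name = self._name(node.func)
        kw = {k.arg: k.value for k in node.keywords}
        arg0 = node.args[0] if node.args else None
        if name in ("os.system", "os.popen"):
            self.findings.append(Finding("shell_exec", node.lineno, name, "high"))
        elif name.startswith("subprocess."):
            shell = kw.get("shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.findings.append(Finding("shell_exec", node.lineno, f"{name}(shell=True)", "high"))
        elif name in ("eval", "exec"):
            self.findings.append(Finding("eval_usage", node.lineno, name, "high"))
        elif name in ("os.getenv", "os.environ.get"):
            var = arg0.value if isinstance(arg0, ast.Constant) else "<dynamic>"
            self.findings.append(Finding("env_read", node.lineno, str(var), "low"))
        elif name == "base64.b64decode":
            # A long inline literal fed to b64decode is a crude obfuscation signal
            if isinstance(arg0, ast.Constant) and isinstance(arg0.value, (str, bytes)) and len(arg0.value) > 40:
                self.findings.append(Finding("obfuscation", node.lineno, "b64decode of long literal", "medium"))
        elif name in ("requests.get", "requests.post", "urllib.request.urlopen"):
            # Non-literal URL reaching an HTTP client: possible SSRF surface
            if not isinstance(arg0, ast.Constant):
                self.findings.append(Finding("ssrf_pattern", node.lineno, f"{name} with non-literal URL", "medium"))
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        # os.environ["X"] style reads (Python 3.9+: node.slice is the key expr)
        if self._name(node.value) == "os.environ":
            var = node.slice.value if isinstance(node.slice, ast.Constant) else "<dynamic>"
            self.findings.append(Finding("env_read", node.lineno, str(var), "low"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # SECRET-looking variable assigned a non-empty string literal
        for t in node.targets:
            if (isinstance(t, ast.Name) and SECRET_NAME_RE.search(t.id)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append(Finding("hardcoded_credential", node.lineno,
                                             f"{t.id}={node.value.value!r}", "high"))
        self.generic_visit(node)

def contextual_pass(f: Finding) -> str:
    """Pass 2 stand-in: is the hit expected for a skill, or does it look risky?"""
    if f.rule == "env_read":
        return "risky" if f.detail == "<dynamic>" or SENSITIVE_ENV_RE.search(f.detail) else "contextual"
    if f.rule == "hardcoded_credential":
        return "contextual" if PLACEHOLDER_RE.search(f.detail) else "risky"
    if f.rule in ("shell_exec", "eval_usage"):
        return "risky"
    return "needs_review"

def scan_source(src: str) -> list[Finding]:
    rules = StaticRules()
    rules.visit(ast.parse(src))
    for f in rules.findings:
        f.verdict = contextual_pass(f)
    return sorted(rules.findings, key=lambda f: f.line)

def summarize(findings: list[Finding]) -> dict[str, int]:
    return {"total": len(findings), "risky": sum(1 for f in findings if f.verdict == "risky")}

# Constructed sample skill source (not a real skill); line 1 is blank.
SAMPLE_SKILL = '''
import os, subprocess, requests
API_KEY = "sk-example-placeholder"
def run(cmd, url):
    home = os.environ["HOME"]
    token = os.getenv("OPENAI_API_KEY")
    subprocess.run(cmd, shell=True)
    return requests.get(url).text
'''

if __name__ == "__main__":
    results = scan_source(SAMPLE_SKILL)
    for f in results:
        print(f"L{f.line} {f.rule:22} {f.severity:6} {f.verdict:12} {f.detail}")
    print(summarize(results))
```

On the sample, pass 1 raises five findings; pass 2 keeps only the sensitive env read and the shell=True call as risky, downgrades the HOME read and the placeholder key to contextual, and leaves the dynamic URL for review. That is the split the post's "70% triggered at least one rule" caveat is pointing at: the static layer is the recall step, and the triage layer is what keeps the number from being read as a malware rate.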