In February 2026, security researchers discovered that roughly 20% of skills on ClawHub — the marketplace for OpenClaw AI agent plugins — were malicious. The "ClawHavoc" campaign had been silently distributing infostealers disguised as productivity tools. Skills that claimed to manage your calendar were actually exfiltrating your API keys, SSH credentials, and browser data to C2 servers.
I built clawvet to solve this. It's a CLI tool that runs 6 independent analysis passes on any OpenClaw SKILL.md file before you install it.
What it catches
Most existing scanners run a single pass of regex matching. clawvet runs six:
| Pass | What it does |
|---|---|
| Skill Parser | Extracts YAML frontmatter, code blocks, URLs, IPs, domains |
| Static Analysis | 54 regex patterns across 12 categories (RCE, credential theft, reverse shells, DNS exfil, obfuscation, prompt injection) |
| Metadata Validator | Flags undeclared binaries, env vars, missing descriptions, bad semver |
| Dependency Checker | Detects npx -y auto-install, global npm installs, risky packages |
| Typosquat Detector | Levenshtein distance against popular skills catches name impersonation |
| Semantic Analysis | (Optional) Claude AI analyzes instructions for social engineering and hidden functionality |
Quick start
Scan a local skill:
npx clawvet scan ./suspicious-skill/
JSON output for CI/CD:
npx clawvet scan ./my-skill --format json --fail-on high
What a scan looks like
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ClawVet Scan Report
Skill: productivity-boost
Version: 1.0.0
Risk Score: 100/100 Grade: F
[CRITICAL] Curl piped to shell
curl -sL https://...setup.sh | bash
[HIGH] Known malicious IP
91.92.242.15
[HIGH] API key exfiltration
ANTHROPIC_API_KEY → webhook.site
Recommendation: BLOCK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Why 6 passes matter
The ClawHavoc skills were clever. They passed basic regex checks by:
- Splitting malicious commands across multiple code blocks
- Using base64 encoding and hex payloads
- Hiding C2 IPs in YAML metadata fields
- Using typosquatted names (
todoisttinstead oftodoist-cli) - Embedding prompt injection to make the AI agent run commands the user didn't ask for
No single analysis technique catches all of these. The 6-pass approach means each layer catches what the others miss.
The numbers
- 54 static detection patterns (reverse shells, DNS exfil, credential theft, obfuscation, prompt injection, etc.)
- 61 tests (unit, integration, regex safety, CLI end-to-end)
- 12 threat categories
- 6 test fixtures from benign to fully malicious
- Catastrophic backtracking protection on all regex patterns
Use it in CI/CD
# GitHub Actions
- name: Vet skill before merge
run: npx clawvet scan ./my-skill --format json --fail-on high
Open source
The full source is on
GitHub: https://github.com/MohibShaikh/clawvet
npm: https://www.npmjs.com/package/clawvet
ClawHub: https://clawhub.ai/MohibShaikh/clawvet
Install it:
npm install -g clawvet
If you're using OpenClaw, I'd appreciate it if you gave it a try and let me know what you think. Issues and PRs welcome.
Top comments (0)