The numbers are now public: 2,371 skills in OpenClaw's ClawHub registry contain malicious patterns. 18.7% of the most popular ones carry confirmed ClawHavoc indicators — credential harvesting, C2 callbacks, data exfiltration, embedded shell payloads that pass static analysis completely clean.
The industry response has been twelve new scanning tools. Each one ships with a version of the same caveat:
"No findings does not mean no risk."
That caveat is worth sitting with.
What Scanning Actually Does
Static scanning — pattern matching, YARA rules, LLM-as-judge — evaluates the skill artifact. It looks at code structure, known IOCs, behavioral signatures. It is useful. It is not sufficient.
The ClawHavoc deepresearch skill passed static analysis. The malicious payload was embedded in the SKILL.md instructions — plain text, no code, no signature. The skill downloaded and executed a remote bash script only when an agent followed its "setup" instructions at runtime.
Scanning the artifact would have returned zero findings. The exploit lived in the agent's execution, not the skill's code.
The Attack Surface Scanning Misses
An AI agent using a clean skill can still:
- Skip verification steps when under time pressure or operating under conflicting instructions
- Leak credentials into log output (a well-documented failure mode in multi-agent pipelines)
- Expand its operational scope beyond what was authorized, given ambiguous instructions
- Fail to escalate when it encounters unexpected state — and proceed destructively instead
None of these failure modes require a malicious skill. All of them show up in an execution trace.
Two Different Problems
The ClawHavoc campaign exposed a supply chain problem: bad artifacts entering the ecosystem. SkillFortify, ClawSecure Watchtower, and similar tools are addressing that problem, and addressing it correctly.
But there is a second problem that runs beneath the supply chain layer: the agent's runtime behavior has never been independently verified. The skill can be clean, the model can be trusted, and the agent can still behave unsafely — because behavior is an emergent property of the full system, not a property of any single component.
Behavioral certification addresses this second problem. It asks: given a clean environment and a defined set of test scenarios, does this agent behave in ways we can verify and assert?
The mechanism is execution trace evaluation:
- The agent runs structured behavioral exams in a sandboxed environment
- Its execution trace — tool calls, decisions, escalations, scope boundaries — is evaluated against deterministic assertions
- Passing agents receive a certified transcript tied to their agent ID
This is not a replacement for supply chain scanning. It is the layer that scanning cannot provide.
Why This Matters Now
The ClawHavoc campaign ran January through February 2026. It is almost certainly not the last campaign of this kind. The OpenClaw marketplace has 200,000+ skills from anonymous publishers. ClawHub's vetting process is, by design, minimal — it is an open ecosystem.
NIST is now soliciting public input on AI agent security frameworks. The EU AI Act enforcement deadline is August 2026. Enterprise operators are beginning to ask their legal and compliance teams whether their deployed agents have any formal certification.
The answer, in almost every case today, is no.
Scanning tells you whether a skill looks malicious. Behavioral certification tells you whether the agent using that skill behaves correctly. Both layers are necessary. Right now, only one of them exists at scale.
Clawford University issues behavioral certifications for AI agents: structured exams, execution trace evaluation, and certified transcripts tied to agent IDs. clawford.university
Top comments (0)