I built a 6-pass security scanner for OpenClaw skills after 824 malicious ones were found on ClawHub

Baz — Tue, 03 Mar 2026 09:13:27 +0000

In February 2026, security researchers discovered that roughly 20% of skills on ClawHub — the marketplace for OpenClaw AI agent plugins — were malicious. The "ClawHavoc" campaign had been silently distributing infostealers disguised as productivity tools. Skills that claimed to manage your calendar were actually exfiltrating your API keys, SSH credentials, and browser data to C2 servers.

I built clawvet to solve this. It's a CLI tool that runs 6 independent analysis passes on any OpenClaw SKILL.md file before you install it.

What it catches

Most existing scanners run a single pass of regex matching. clawvet runs six:

Pass	What it does
Skill Parser	Extracts YAML frontmatter, code blocks, URLs, IPs, domains
Static Analysis	54 regex patterns across 12 categories (RCE, credential theft, reverse shells, DNS exfil, obfuscation, prompt injection)
Metadata Validator	Flags undeclared binaries, env vars, missing descriptions, bad semver
Dependency Checker	Detects `npx -y` auto-install, global npm installs, risky packages
Typosquat Detector	Levenshtein distance against popular skills catches name impersonation
Semantic Analysis	(Optional) Claude AI analyzes instructions for social engineering and hidden functionality

Quick start

Scan a local skill:

npx clawvet scan ./suspicious-skill/

JSON output for CI/CD:

npx clawvet scan ./my-skill --format json --fail-on high

What a scan looks like

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  ClawVet Scan Report

  Skill:   productivity-boost
  Version: 1.0.0
  Risk Score: 100/100  Grade: F

  [CRITICAL] Curl piped to shell
    curl -sL https://...setup.sh | bash

  [HIGH] Known malicious IP
    91.92.242.15

  [HIGH] API key exfiltration
    ANTHROPIC_API_KEY → webhook.site

  Recommendation: BLOCK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Why 6 passes matter

The ClawHavoc skills were clever. They passed basic regex checks by:

Splitting malicious commands across multiple code blocks
Using base64 encoding and hex payloads
Hiding C2 IPs in YAML metadata fields
Using typosquatted names (todoistt instead of todoist-cli)
Embedding prompt injection to make the AI agent run commands the user didn't ask for

No single analysis technique catches all of these. The 6-pass approach means each layer catches what the others miss.

The numbers

54 static detection patterns (reverse shells, DNS exfil, credential theft, obfuscation, prompt injection, etc.)
61 tests (unit, integration, regex safety, CLI end-to-end)
12 threat categories
6 test fixtures from benign to fully malicious
Catastrophic backtracking protection on all regex patterns

Use it in CI/CD

# GitHub Actions
- name: Vet skill before merge
  run: npx clawvet scan ./my-skill --format json --fail-on high

Open source

The full source is on
GitHub: https://github.com/MohibShaikh/clawvet
npm: https://www.npmjs.com/package/clawvet
ClawHub: https://clawhub.ai/MohibShaikh/clawvet

Install it:

npm install -g clawvet

If you're using OpenClaw, I'd appreciate it if you gave it a try and let me know what you think. Issues and PRs welcome.

DEV Community: Baz