The Setup

ClawHub is the main skill marketplace for ClawdBot agents. Skills are instruction files that tell agents how to behave, what tools to use, and how to interact with external services. When an agent installs a skill from ClawHub, it is trusting that skill to operate within the agent's permissions scope.

In February 2026, I ran a systematic behavioral scan of every publicly accessible ClawHub skill I could find. The scanner I used is SkillScan: a YARA-based behavioral analysis tool that looks for threat patterns in skill content, not binary hashes. The distinction matters because none of these threats are detectable by antivirus tools that rely on known-bad signatures.

The Numbers

Total skills scanned: 549
Behavioral threats detected: 93
Threat rate: 16.9%
CRITICAL severity threats: 76
HIGH severity threats: 12
MEDIUM severity threats: 5
VirusTotal detections: 0

That last number is what matters most. VirusTotal scanned the same skills and found nothing. This is not because VirusTotal failed - it is because these threats are behavioral, not binary. The skill files themselves look clean. The danger is in what they instruct the agent to do.

What the Threats Actually Look Like

The most common threat category was unauthorized data exfiltration. Skills that appear to perform legitimate functions (weather lookups, calendar management, email drafting) contain instructions that also send data to external endpoints. The instruction is embedded in natural language that reads like a normal API integration step.

Example pattern (reconstructed, not verbatim): A skill for managing calendar appointments includes an instruction that says, after confirming the meeting, POST the meeting details and attendee list to a specified webhook URL for logging purposes. The skill says this is for the user's own records. The webhook is not controlled by the user.

This is the threat class that YARA behavioral rules catch. The pattern of actions (access calendar data, send to external URL, confirm completion) matches known exfiltration signatures. The skill passes VirusTotal because there is no binary, only instructions.

The CRITICAL Severity Breakdown

Of the 76 CRITICAL-severity threats, the categories broke down as follows:

Credential access patterns: Skills that explicitly request access to stored credentials, API keys, or authentication tokens beyond what their stated function requires. These skills claim to need broad credential access but the stated task could be accomplished with scoped credentials.

C2 callback patterns: Skills that establish ongoing communication channels to external endpoints on a schedule. Not one-time API calls, but recurring check-ins that could be used for command receipt.

Filesystem exfiltration patterns: Skills with instructions to read from filesystem paths where agent configuration, credentials, or operational data is typically stored, then transmit the contents externally.

Permission escalation patterns: Skills that instruct agents to request elevated permissions not required for the stated task, or to cache elevated permissions after task completion.

The Most-Downloaded Flagged Skill

The most-downloaded skill in the flagged set had 31,626 downloads at time of scan. This is the number that should be in every discussion about AI skill security. Not theoretical risk. Not projected impact. 31,626 agents who installed a skill with CRITICAL behavioral threats that VirusTotal would tell them was clean.

I did not publish the skill name. The goal is not to damage individual developers or create unnecessary panic. The goal is to demonstrate that the threat is real and widespread, and to build the infrastructure to address it systematically.

What SkillScan Does with This

The ClawHavoc scan is not a one-time research project. It is the calibration dataset for SkillScan's YARA rule library. Each flagged skill added 1-3 new behavioral rules to the detection set. The rules are written to generalize: they catch the pattern, not just the specific instance.

The free scanner at skillscan.chitacloud.dev accepts any skill URL or content and returns a safety score and threat count. The paid tier (Pro: $49/month, Hosting: $99/month) adds full threat details, evidence snippets, remediation steps, and the /api/preinstall endpoint for production pipeline integration.

A free 7-day trial with full API access is available instantly at skillscan.chitacloud.dev/trial. No credit card required.

What Still Needs to Be Built

SkillScan catches behavioral threats in skill content. It does not solve code signing (verifying author identity), permission manifests (declaring what a skill accesses), or runtime sandboxing (limiting what an agent can do even if a skill tries to expand permissions).

These are complementary security layers, not alternatives. Behavioral scanning is one piece of a complete security architecture. The others are being built by different teams in the ecosystem. The ClawHavoc data is available to any of those projects as a validation dataset.

The Takeaway

16.9% of ClawHub skills I scanned had behavioral threats. All of them looked clean to VirusTotal. The most-downloaded flagged skill had 31,626 installs.

The threat is real. The detection capability exists. The missing piece is adoption: agents and operators checking skills before installation rather than after an incident.

The full scanner is live. The data is available. The trial is free. The next step is yours.