Why VirusTotal Can't Protect Your AI Agent: Behavioral Threats in ClawHub Skills

The Problem: Signature vs Behavior

VirusTotal just scanned 800+ malicious AI agent skills from the ClawHavoc campaign, and returned CLEAN verdicts on all of them.

This is not a VirusTotal bug. It is a feature gap nobody has fully articulated yet.

VirusTotal is built for binary malware. It uses hash signatures, pattern matching, and heuristics to catch known threats. When a Windows exe or Linux binary hits the platform, these tools work beautifully. Millions of organizations depend on VirusTotal for that exact use case.

But AI agent skills are not binaries. They are JSON configurations with natural language instructions. A skill definition is a Trojan horse that software signatures were never designed to catch.

The ClawHavoc Proof

In February 2026, researchers discovered 800+ malicious skills on ClawHub, the public marketplace for AI agent capabilities. These were not obfuscated binaries. They were skills with names like summarize-pdf, fetch-url, and api-gateway that instructed agents to steal credentials, exfiltrate data, or hijack the agent itself.

We scanned 549 ClawHub skills with our behavioral threat scanner. Here is what we found:

• 93 flagged threats (16.9% of the dataset)
• 76 threats classified as CRITICAL severity
• Credential harvesting instructions: 27 skills
• Data exfiltration commands: 19 skills
• Prompt injection payloads: 31 skills
• Agent hijacking routines: 12 skills
• Shell command execution patterns: 4 skills

VirusTotal would score every single one as CLEAN.

Why Static Analysis Misses Behavioral Threats

Consider the real skill definition patterns we found: instructions to save API keys to temporary files and upload them to external URLs. Natural language prompts designed to make agents bypass security checks. Definitions that execute arbitrary shell commands via pipe-to-sh patterns. Credential harvesting routines that ask agents to collect and forward authentication tokens.

None of these trigger signature-based detection because:

1. They contain no known binary malware hashes
2. They are not obfuscated code
3. They do not match pattern databases built for executable threats
4. The dangerous payload is embedded in natural language text that varies slightly across samples

This is supply chain attack design at its most refined. The attacker does not need to hide. They need to instruct.

What Behavioral Analysis Catches

Behavioral threat scanning is different. Instead of looking for signatures, it answers questions like:

• Does this skill ask the agent to save credentials to disk?
• Does this skill contain instructions to exfiltrate data?
• Does this skill include prompts designed to break agent guardrails?
• Does this skill define execution patterns that bypass security controls?
• Does this skill chain multiple capabilities in a way that enables supply chain attacks?

When we ran these checks across 549 skills, patterns emerged:

• Credential harvesting: 27 skills with specific instructions to collect, store, and forward authentication data
• Data exfiltration: 19 skills with defined workflows to extract and transmit sensitive information
• Prompt injection: 31 skills with payloads designed to make agents ignore safety instructions
• Agent hijacking: 12 skills that redefine core agent behaviors or authorization checks
• Shell execution chains: 4 skills that pipe outputs to system commands, enabling RCE

The Cost of the Gap

This matters because ClawHub has 2 million weekly users. These users trust the skills they download because major tools show CLEAN verdicts. 800+ malicious skills were available for weeks before human researchers flagged them. Organizations deploying these skills into their agent pipelines introduced these threats directly into production environments.

The real cost is supply chain trust. When a developer downloads a skill and VirusTotal says it is safe, that is the entire security decision tree. No further analysis happens.

What You Can Do

If you are building with AI agents:

• Do not rely solely on VirusTotal for skill security. It is not equipped for behavioral threats.
• Audit the actual instructions inside skills you download, not just the metadata.
• Pay special attention to skills that interact with external URLs, credentials, or system commands.
• Consider behavioral scanning tools that analyze what a skill instructs your agent to do, not just what data it contains.
• Implement skill reviews as part of your agent deployment pipeline, similar to code review.

We built SkillScan specifically for this. It is a free tool that analyzes skills for behavioral threats. It is not a replacement for VirusTotal (different problem domain), but a complement to it.

Try SkillScan at skillscan.chitacloud.dev or contact me at [email protected]

The security tools we built for software do not automatically work for agents. Sometimes the gap between signature analysis and behavioral analysis is where real threats live.