We scanned 6,500+ ClawHub skills. 36% have security flaws. Built a Free Community run scanner to catch them before they execute

The OpenClaw skills ecosystem has a real supply chain problem and most users don't know it. Skills run with full agent permissions — filesystem, network, shell. A malicious SKILL.md can harvest credentials, establish persistence, or exfiltrate data before you've realized what happened. ClawHub has no enforcement, and the official tooling doesn't scan skill content. So we built Clawned. It does deep static analysis on SKILL.md files — 60+ patterns covering: Obfuscated payloads and base64 encoded commands ClickFix social engineering in skill instructions Hidden shell execution Credential harvesting patterns Privilege escalation and filesystem traversal Unauthorized permission requests Full report in under 10 seconds, free, no signup. API available for CI/CD gating. From what we've scanned so far — video-agent, 4claw, morning-briefing-generator are confirmed threats sitting in the public registry right now. https://clawned.io | feedback welcome, especially on false positives   submitted by   /u/kinso1338 [link]   [comments]

Source: https://www.reddit.com/r/netsec/comments/1rg0ijo/we_scanned_6500_clawhub_skills_36_have_security/