I built a 6-pass security scanner for OpenClaw skills after 824 malicious ones were found on ClawHub
Source: Dev.to
Overview
In February 2026, security researchers discovered that roughly 20 % of skills on ClawHub—the marketplace for OpenClaw AI‑agent plugins—were malicious. The “ClawHavoc” campaign was silently distributing infostealers disguised as productivity tools. Skills that claimed to manage your calendar were actually exfiltrating API keys, SSH credentials, and browser data to C2 servers.
Introducing clawvet
clawvet is a CLI tool that runs six independent analysis passes on any OpenClaw SKILL.md file before you install it. While most existing scanners perform a single regex‑matching pass, clawvet combines static, semantic, and metadata checks to catch a broader range of threats.
The 6 Passes
| Pass | What it does |
|---|---|
| Skill Parser | Extracts YAML front‑matter, code blocks, URLs, IPs, and domains |
| Static Analysis | 54 regex patterns across 12 categories (RCE, credential theft, reverse shells, DNS exfil, obfuscation, prompt injection, etc.) |
| Metadata Validator | Flags undeclared binaries, environment variables, missing descriptions, bad semver |
| Dependency Checker | Detects npx -y auto‑install, global npm installs, risky packages |
| Typosquat Detector | Levenshtein distance against popular skills to catch name impersonation |
| Semantic Analysis (optional) | Claude AI analyzes instructions for social engineering and hidden functionality |
Usage
# Scan a local skill
npx clawvet scan ./suspicious-skill/
# JSON output for CI/CD pipelines
npx clawvet scan ./my-skill --format json --fail-on highExample Scan Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ClawVet Scan Report
Skill: productivity-boost
Version: 1.0.0
Risk Score: 100/100 Grade: F
[CRITICAL] Curl piped to shell
curl -sL https://...setup.sh | bash
[HIGH] Known malicious IP
91.92.242.15
[HIGH] API key exfiltration
ANTHROPIC_API_KEY → webhook.site
Recommendation: BLOCK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━Why the 6‑Pass Approach Works
The ClawHavoc skills evaded basic regex checks by:
- Splitting malicious commands across multiple code blocks
- Using base64 or hex‑encoded payloads
- Hiding C2 IPs in YAML metadata fields
- Typosquatting names (e.g.,
todoisttinstead oftodoist-cli) - Embedding prompt injection to make the AI agent run unintended commands
No single analysis technique catches all of these. By layering six distinct passes, clawvet captures threats that any one method would miss.
- 54 static detection patterns
- 61 tests (unit, integration, regex safety, CLI end‑to‑end)
- 12 threat categories
- 6 test fixtures ranging from benign to fully malicious
- Catastrophic backtracking protection on all regex patterns
CI Integration (GitHub Actions)
- name: Vet skill before merge
run: npx clawvet scan ./my-skill --format json --fail-on highGet Started
- Source code:
- Install globally:
npm install -g clawvetIf you’re using OpenClaw, give clawvet a try and let the author know what you think. Issues and pull requests are welcome.