ClawHub Security Report
Security analysis of 9,983 AI agent skills on ClawHub, the registry where 341 malicious skills were found.
9,289
Total skills
14,108
Findings
37%
Skills with findings
96.9
Avg score
Overview
ClawHub is the largest registry Aguara monitors by finding density, with 9,983 skills and over 14,000 security findings. It is also the registry that produced the most significant discovery in Aguara Watch's history: 341 skills classified as malicious, a finding that received HackerNews coverage. ClawHub distributes skills as ZIP archives containing SKILL.md files, which means each skill carries full implementation details similar to Skills.sh but packaged for automated deployment.
The sheer volume of skills on ClawHub, combined with the depth of content in each ZIP archive, creates the highest concentration of security-relevant data across all registries we scan. This is not just a numbers game. ClawHub's packaging format means skills arrive ready to execute, with all dependencies and configurations bundled together. A malicious skill here is not theoretical. It is deployable.
The 341 malicious skills discovery underscores a fundamental problem with open skill registries: there is no gate between publication and consumption. Anyone can upload a ZIP archive, and any agent can download and execute it. ClawHub's growth rate means manual review at scale is impossible without automated scanning.
How we scan ClawHub
Aguara crawls ClawHub by querying the registry's listing endpoints, then downloading the full ZIP archive for each skill. The crawler extracts SKILL.md files from these archives and writes them to the local scan directory. This extraction step is important because ZIP archives can contain additional files beyond the SKILL.md, though our scanner focuses on the skill definition itself.
Incremental crawls run every 12 hours. We track archive hashes to detect changes, and only re-download and rescan modified or new skills. Given ClawHub's size (nearly 10,000 skills), this incremental approach keeps our Turso database within free-tier limits while maintaining freshness. The full rule engine runs against extracted content, with particular attention from the rug-pull detector, which identifies skills that appear benign on first inspection but contain conditional malicious behavior.
Key findings
The 341 malicious skills identified on ClawHub represent the clearest evidence that AI agent supply chain attacks are not hypothetical. These skills contained deliberate prompt injection, credential exfiltration paths, and permission escalation patterns that could not be explained as accidental. Many used obfuscation techniques: base64-encoded instructions, Unicode manipulation, and delimiter injection to impersonate system prompts. Some appeared to be copies of legitimate skills with malicious payloads inserted.
Beyond the overtly malicious subset, ClawHub has the highest rate of credential-related findings across all registries. Skills that bundle API interaction code frequently hardcode tokens or instruct agents to pass credentials through insecure channels. The ZIP packaging format contributes to this: developers include configuration files that contain example secrets, and these persist in the archive even when the SKILL.md itself is clean.
We also observe a pattern of "rug-pull" skills on ClawHub. These are skills that function as advertised for a period, then update their archive to include malicious payloads. Aguara's incremental scanning catches these changes, but users who installed the original version have no automatic notification of the update. This is the supply chain problem in its purest form.
Recommendations
ClawHub requires the most caution of any registry we monitor. The combination of high finding density, confirmed malicious skills, and executable packaging means you should treat every skill as untrusted until verified. Check the Aguara Watch grade before installing anything. If a skill is graded D or F, do not install it without reading the full finding details.
If you already use ClawHub skills, audit your installed set against the Aguara Watch findings database. The 341 malicious skills were identified by automated scanning, but your agent may have connected to them before they were flagged. Look for skills that request unusual permissions, interact with credential stores, or include obfuscated content in their definitions.
For ClawHub as a platform, the path forward is mandatory scanning on submission. Open registries will always attract malicious content. The question is whether it gets caught before or after users install it. Aguara Watch currently scans after publication, which means there is always a window of exposure. Registry operators need to close that window.
Grade distribution
Want to scan a specific ClawHub skill?
Scan now (free, runs in your browser)