Security Scanner for Agent Skills
Scan OpenClaw Skills for vulnerabilities, hardcoded secrets, supply chain risks, and more. 20 rules. A-F grading. One command.
$ clawsafety scan ./my-skill/
ClawSafety v0.1.0
Scanning: ./my-skill/
Findings: 3
CRITICAL CS-SEC-002 Hardcoded API Key detected
scripts/config.py:12
> api_key = "sk-proj-abc123..."
HIGH CS-INJ-001 Shell command injection
scripts/run.sh:45
> eval $USER_INPUT
MEDIUM CS-DEP-002 Unpinned dependency
skill.yaml:8
> requests>=2.0
Score: 52/100 (D)
Critical: 1 | High: 1 | Medium: 1
How it works
Paste a URL
Enter any GitHub skill repository URL. No login required.
Automatic scan
20 rules check for injection, secrets, dependencies, permissions, and config issues.
Get your grade
A-F security score with detailed findings and fix suggestions.
20 Security Rules
5 categories covering the full Agent Skill attack surface
Injection: shell injection, SQL injection, dangerous functions, reverse shells
Secrets: hardcoded passwords, API keys, private keys, URL credentials
Dependencies: unsafe installs, unpinned versions, known CVEs, untrusted downloads
Permissions: excessive permissions, sensitive paths, env abuse, insecure chmod
Config: missing SKILL.md, no version, no permissions, prompt injection
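To make the rule-based approach concrete, here is a minimal scanner written for this page as an added example; it is not ClawSafety's code. The rule IDs CS-SEC-002, CS-INJ-001 and CS-DEP-002 are taken from the sample output above, while the regexes, severity deductions, grade thresholds and the sample skill files are assumptions constructed for the example.

```python
"""Illustrative line-based skill scanner (not ClawSafety's implementation)."""
import re
from typing import NamedTuple

class Finding(NamedTuple):
    severity: str
    rule: str
    message: str
    path: str
    line: int
    text: str

# (rule id, severity, message, pattern). IDs are from the page; patterns are assumed.
RULES = [
    ("CS-SEC-002", "CRITICAL", "Hardcoded API Key detected",
     re.compile(r"""(?i)api[_-]?key\s*[:=]\s*["'][A-Za-z0-9_\-]{8,}""")),
    ("CS-INJ-001", "HIGH", "Shell command injection",
     re.compile(r"""\beval\s+"?\$\{?[A-Za-z_]\w*""")),       # eval on a variable
    ("CS-DEP-002", "MEDIUM", "Unpinned dependency",
     re.compile(r"""^\s*[A-Za-z0-9_.\-]+\s*(>=|>|~=|\*)""")),  # range, not ==
]

# Assumed deduction per finding; the score is floored at 0.
WEIGHTS = {"CRITICAL": 30, "HIGH": 12, "MEDIUM": 6, "LOW": 2}

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line; `files` maps relative path -> contents."""
    findings = []
    for path, contents in files.items():
        for lineno, line in enumerate(contents.splitlines(), start=1):
            for rule, sev, msg, pat in RULES:
                if pat.search(line):
                    findings.append(Finding(sev, rule, msg, path, lineno, line.strip()))
    return findings

def score(findings: list[Finding]) -> tuple[int, str]:
    """Deduct from 100 per finding and map to an A-F grade (thresholds assumed)."""
    total = max(0, 100 - sum(WEIGHTS.get(f.severity, 0) for f in findings))
    grade = ("A" if total >= 90 else "B" if total >= 80 else "C" if total >= 70
             else "D" if total >= 50 else "F")
    return total, grade

# Constructed sample skill reproducing the three findings shown on the page.
SAMPLE_SKILL = {
    "scripts/config.py": 'import os\napi_key = "sk-proj-abc123xyz"\n',
    "scripts/run.sh": "#!/bin/sh\neval $USER_INPUT\n",
    "skill.yaml": "dependencies:\n  requests>=2.0\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_SKILL)
    for f in found:
        print(f"{f.severity:8} {f.rule} {f.message}\n  {f.path}:{f.line}\n  > {f.text}")
    print("Score: %d/100 (%s)" % score(found))
```

With the assumed weights the sample skill scores 52/100 (D), one CRITICAL, one HIGH and one MEDIUM; a real scanner would add file-type awareness and the remaining 17 rules on top of this loop.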
Security Grading
Secure your skills today
Free for public repositories. No login required.