OpenClaw’s Safety Scanner Labels 91% of Malicious Skills ‘Benign’

1,620 OpenClaw skills audited. 91% of confirmed malicious skills labeled “benign” by the ecosystem’s own safety scanner. That’s the finding posted on r/netsec — “We audited 1,620 OpenClaw skills. The ecosystem’s safety scanner labels 91% of confirmed threats ‘benign'” — with 75 upvotes and a comment section that immediately started asking the right questions.

The top reply, at 15 upvotes:

Fair skepticism. And the auditors answered it. The study was published by Oathe Engineering under the title “ClawMutiny: We Audited 1,620 OpenClaw Skills. The Leading Scanner Missed 91%.” When they reviewed hard disagreements between the scanner’s verdicts and their full audit reports, they found exactly 1 confirmed false positive — a 1.1% false-positive rate. That matters because it means the 91% miss rate isn’t inflated by noisy methodology. The scanner genuinely labels 9 out of 10 confirmed threats “benign.”

The underlying problem is real and documented from multiple directions. The ClawHavoc campaign planted 2,400+ malicious skills on ClawHub, exposing roughly 300,000 users to Atomic Stealer (AMOS) — and the most-downloaded skill on the entire marketplace turned out to be malware. ClawHub’s VirusTotal integration was a meaningful first step. But if the scanner that’s supposed to catch threats is labeling 9 out of 10 of them “benign,” you’re not protected. You’re reassured. Those are very different things.

It’s like a smoke detector that works 9% of the time. You still have one on the ceiling. You just can’t rely on it to wake you up.

This post breaks down why OpenClaw’s safety scanner misses what it misses, what the MCP ecosystem’s rapid growth has to do with it, and what a realistic vetting process looks like if you’re running skills in production.

Traditional malware scanners work by matching signatures — known patterns of malicious code that have been cataloged by security vendors. After ClawHavoc, OpenClaw partnered with Google-owned VirusTotal to scan every skill uploaded to ClawHub. The Hacker News covered it: “OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills.” All skills are now scanned using VirusTotal’s threat intelligence, including their Code Insight capability, which aggregates 70+ antivirus engines. It’s excellent at catching known threats: compiled binaries with recognized malware signatures, URLs linked to documented command-and-control servers, and file hashes that match existing malware databases.

The reason is structural. OpenClaw skills don’t attack through compiled binaries. The ClawHavoc campaign proved that: the malicious instructions lived in SKILL.md configuration files. The AI agent itself was the execution engine. Standard antivirus tools scan files for known malicious patterns. They don’t evaluate what an AI agent will do when it reads a markdown file and follows the instructions inside it. That’s the gap the 91% number reflects.

The fundamental problem is category mismatch. Signature-based scanning was built for a world where malware is executable code. In the AI agent ecosystem, malware is instructions. A SKILL.md file that says “request the user’s administrator password for initial configuration” isn’t malicious code by any scanner’s definition. It’s a markdown file with text in it. But when an AI agent reads that text and presents a fake permissions dialog to the user — that’s the attack. The scanner is looking at the bullet while the threat is in the instructions the gun follows.

Over 65% of active OpenClaw skills now wrap underlying MCP (Model Context Protocol) servers. That matters for security scanning because it adds an entire layer of tools and permissions that the safety scanner doesn’t evaluate.

Here’s how it works: when you install a skill that wraps an MCP server, that server can expose 10, 20, or more individual tools to the agent. A single MCP server with 20 tools adds 8,000–15,000 tokens to every request — and each of those tools can read files, make network calls, execute commands, or interact with APIs. The safety scanner checks the skill. It doesn’t recursively audit every tool the MCP server behind it exposes. It’s checking the label on the front door while ignoring the 20 unlocked windows around back.

The scale of the exposure is growing fast. 30+ CVEs targeting MCP servers were filed in the first 60 days of 2026 alone. Those aren’t theoretical vulnerabilities in academic papers — they’re documented, exploitable bugs in servers that real OpenClaw deployments are running right now. And ClawHub’s safety scanner doesn’t check whether the MCP server your skill depends on has any of them.

The Oathe audit isn’t the only independent research confirming the problem. Snyk published a study called “ToxicSkills” focused specifically on agent skill supply chain compromise.

Their findings: 36% of skills studied contained prompt injection, and they identified 1,467 malicious payloads across the dataset. That’s not a corner case. That’s more than a third of the skills examined carrying active threats.

Prompt injection is the attack category that signature-based scanners are structurally incapable of catching. A prompt injection payload isn’t a virus signature or a malicious binary — it’s text that manipulates the AI agent into performing actions the user didn’t authorize. VirusTotal’s 70+ antivirus engines aren’t built to evaluate whether a sentence in a markdown file will trick an LLM into exfiltrating your credentials. The ToxicSkills study confirms what the 91% number implies: the supply chain is compromised at a rate that existing automated defenses can’t address.

ClawHub now hosts over 13,700 community-built skills. That’s up from the 10,700 that were available during the ClawHavoc peak in February. Growth is accelerating. So is the surface area for malicious entries.

The math at scale is sobering. The Oathe audit found a 5.4% threat rate across its 1,620-skill sample. Apply that rate to the full registry of 13,700+ skills and you get roughly 590 dangerous or malicious skills on ClawHub right now. That’s not speculation — it’s the observed rate projected across the marketplace. And the real-world numbers back it up: The Hacker News reported 341 malicious skills confirmed stealing data via Atomic Stealer on both macOS and Windows. Separately, Particula.tech published a piece titled “OpenClaw Hit 250K GitHub Stars — Then 20% of Its Skills Were Found Malicious.” Whether the actual number is 5.4% or 20%, the floor is hundreds of live threats that the scanner labels “benign.”

On r/cybersecurity, the post “The #1 most downloaded skill on OpenClaw marketplace was MALWARE” reached 811 upvotes and 65 comments. The community reaction was pointed:

The “vampire” analogy is harsh, but it maps precisely to the trust model. When you install a ClawHub skill, you’re inviting code into an environment that typically has access to your email, your files, your cloud accounts, and your API credentials. The safety scanner at the door is supposed to check who you’re letting in. If it’s letting 91% of known threats through with a “benign” label, the door check is theater.

If automated scanning misses 91% of threats, what works? Based on the patterns from ClawHavoc, capability-evolver, and the 30+ MCP CVEs, here’s what a realistic vetting process includes:

1. Manual SKILL.md Review

Read the configuration file before installing. Every ClawHub skill has a human-readable SKILL.md. Any instruction that requests system-level permissions, prompts for passwords, downloads additional executables, or writes to SOUL.md or MEMORY.md is a hard stop. This single check would have caught most ClawHavoc payloads.

2. MCP Server Tool Audit

If the skill wraps an MCP server, list every tool it exposes. Check what each tool can access — filesystem, network, system commands. A “file organizer” skill whose MCP server exposes a tool that makes outbound HTTP requests to arbitrary endpoints is a red flag, regardless of what the skill’s description says.

3. Publisher Verification

Check the publisher’s GitHub account age, other published skills, and commit history. ClawHavoc used accounts that were days old. A skill from a publisher with no track record and a 2-week-old account should be treated as suspect until independently verified — regardless of how professional the README looks. Professional READMEs and convincing descriptions were a hallmark of the ClawHavoc campaign.

4. Typosquatting Checks

Compare the skill name against known legitimate tools. Single-character variations — extra letters, swapped characters, added suffixes — are the oldest supply chain trick in the registry. It worked in npm. It worked in PyPI. It worked on ClawHub. It’ll keep working as long as people install by name without verifying the publisher.

5. Network Behavior Analysis

After installing any new skill in a sandboxed environment, monitor outbound network connections. capability-evolver was exfiltrating data to Chinese cloud storage that had nothing to do with the skill’s stated functionality. If a “productivity timer” skill is making API calls to endpoints in jurisdictions you didn’t authorize, you have your answer.

The gap left by ClawHub’s built-in scanner hasn’t gone unnoticed. Several third-party tools have emerged to fill it, and they’re worth evaluating as part of a layered defense:

• ClawSecure — A free OpenClaw security scanner with a 3-Layer Audit Protocol. It checks for malicious code, behavioral threats, prompt injection, supply chain vulnerabilities, and 55+ OpenClaw-specific threat patterns. They report 2,890+ agents audited and claim OWASP ASI 10/10 coverage. The source is on GitHub, which means you can inspect the detection logic yourself.
• Clawned.io — A free scanner built specifically for detecting malware in ClawHub skills. Narrower scope than ClawSecure, but purpose-built for the ClawHub supply chain problem.

Neither tool is a replacement for manual vetting. But they add detection layers that ClawHub’s built-in scanner doesn’t cover — particularly prompt injection and behavioral analysis. Conscia’s independent analysis of the broader OpenClaw security crisis makes the case that the ecosystem needs exactly this kind of third-party tooling to compensate for the gaps in official infrastructure.

The capability-evolver incident highlights a problem that even thorough initial vetting doesn’t solve: skills change. The r/openclaw comment put it clearly — the author removed the exfiltration code after being caught. Which means the skill was clean when people first vetted it, and malicious by the time they updated. Or vice versa — malicious on install, cleaned up to look legitimate once researchers started looking.

The safety scanner doesn’t diff updates against previous versions. It doesn’t flag behavioral changes. It just re-scans the new version the same way it scanned the old one — and misses 91% of threats either way.

If you’re running OpenClaw with ClawHub skills, the scanner’s 91% miss rate means you need to treat every installed skill as unvetted until you’ve verified it yourself. That’s not paranoia — it’s the math. ClawHub has 13,700+ skills. The Oathe audit’s 5.4% threat rate projects to roughly 590 malicious entries. Snyk found prompt injection in 36% of skills they studied. 341 confirmed Atomic Stealer payloads. The scanner that’s supposed to filter those gives 91% of confirmed threats a clean bill of health — with a verified 1.1% false-positive rate, meaning the miss rate is genuine.

The practical steps haven’t changed since the security audit checklist was published. But the urgency has increased:

• Minimize skill count. Every skill you install is an attack surface. If you can accomplish the task with a native OpenClaw capability or a direct API call, skip the third-party skill.
• Sandbox everything. Skills should run inside Docker containers with --cap-drop=ALL, no docker.sock mount, and read-only filesystem. If a skill can’t function without root access or host networking, that tells you something.
• Pin versions. Don’t auto-update skills. Review changelogs and diffs before applying updates. capability-evolver’s exfiltration code could have been caught by diffing the update against the previous version.
• Monitor outbound connections. Use DOCKER-USER iptables rules to whitelist only the network endpoints each skill actually needs. Any connection attempt to an unlisted destination should be logged and investigated.
• Check MCP server CVEs. If your skill wraps an MCP server, cross-reference it against the 30+ CVEs filed in early 2026. A skill can be “benign” while the MCP server it depends on has a known remote code execution vulnerability.
• Layer third-party scanners. Run skills through ClawSecure or Clawned.io in addition to ClawHub’s built-in check. Neither is perfect, but they cover prompt injection and behavioral patterns that VirusTotal doesn’t.

For the full security architecture — including Docker hardening, firewall rules, credential management, and system-level constraints — see the OpenClaw Security complete guide.

The temptation is to say: build a better scanner. Train it on AI agent attack patterns. Teach it to evaluate SKILL.md instructions, not just file signatures. And that work needs to happen — the r/netsec auditors were right to push for behavioral scanning with proper false-positive metrics.

But scanners are one layer. The defense-in-depth approach is what works: sandboxing that limits blast radius when something does get through, network rules that prevent unauthorized exfiltration, credential brokering that keeps your API tokens out of config files the agent can read, and ongoing monitoring that catches behavioral changes between versions. No single layer — not even a perfect scanner — is sufficient alone. ManageMyClaw vets every ClawHub skill against typosquatting patterns, publisher verification, and known malware lists before it touches your deployment. That vetting is included in every tier, starting with the Starter plan at $499 (up to 3 ClawHub skills, vetted).

The 91% miss rate isn’t an indictment of the people building the scanner. It’s an indictment of relying on any single automated check in an ecosystem where the threat model doesn’t match the defense model. Signature scanning was built for executables. AI agent threats live in configuration files and instructions. Until the tooling catches up to the threat, the gap is yours to fill.