How to scan an AI agent skill for malware before you install it

A common instinct is to open the skill's CLAUDE.md or AGENTS.md file and read through it. That catches obvious problems, but it misses the threats that ClawHavoc actually used: C2 callback URLs embedded in benign-looking tool definitions, environment variable exfiltration disguised as normal HTTP requests, and obfuscated payloads using base64 or eval that only decode at runtime.

Snyk's ToxicSkills study found 76 skills across ClawHub and skills.sh that contained malicious payloads in their markdown instructions alone — content that looks like documentation but is actually attacker-controlled instructions passed to the model. None of those would be caught by checking star ratings or publisher reputation.

On any ClawHub skill page, find the 'Download zip' button. Click it to save the .zip file to your local machine. Do not install or run the skill yet.

If you are evaluating a skill you found outside ClawHub — on GitHub, a blog post, or a third-party marketplace — download the package in whatever format it is distributed and confirm it contains a CLAUDE.md, AGENTS.md, or equivalent skill descriptor file.

Go to trustskills.app and drop the .zip file into the scanner. You can also paste a ClawHub skill URL directly if you prefer not to download the file first.

The scan runs server-side. No data is stored. Results are typically returned in under ten seconds.

TrustSkills runs 10+ static checks and returns a risk level (safe, low, medium, high, or critical) along with a plain-English explanation of each finding. The report groups findings by category: C2 callbacks, data exfiltration, obfuscated payloads, reverse shells, prompt injection, permission mismatches, and suspicious network patterns.

For each finding, the report explains what the code is doing, why it is suspicious, and what the practical risk is in non-technical language. The goal is to give you enough context to make a real decision, not just a list of flags to investigate.

If the report is clean, you can proceed with installation using your standard process. If the report returns any medium, high, or critical findings, decide whether the skill is necessary and whether the risk is acceptable given your environment.

A one-time scan is better than nothing, but the correct posture is to scan every skill before every install, even from publishers you have used before. ClawHavoc showed that trusted-looking publisher accounts can be compromised. A publisher who shipped a clean skill last month might ship a malicious update today.

For teams managing multiple OpenClaw deployments, use the TrustSkills waitlist to get notified when monitoring features launch. The monitoring tier will track hash changes and alert you when a skill you have already installed changes its behavior.