Each skill is graded by litmus-skill-v2, a deterministic STATIC scan of its SKILL.md + bundle: S-01 prompt-injection / context-poisoning, S-03 data-exfiltration instructions, and S-04 dangerous bundled commands. The scan reads the files — it never runs them — so the malicious skills below are safe to grade.
Snyk’s ToxicSkills analysis of 3,984 skills across ClawHub and skills.sh found 36.8% carried at least one security flaw, 13.4% critical, and 76confirmed malicious payloads — several still live at publication. The flagged cohort here each ships a fake “prerequisites” step that runs a base64-decoded curl | bash written into the SKILL.md; the litmus grades them D on the static text alone.
Static scanning has a disclosed edge: a sibling of these skills that instead tells the agent to “visit this link and run the command it shows”, or hides the payload in a bundled archive, keeps its dangerous command out of the scanned bytes and grades clean. That gap — a command fetched or assembled at runtime — is precisely why a static grade is a floor, not a guarantee, and why the behavioral harness and continuous re-grading matter. Grades are read live from hosted_runs and none are published onchain.
Flagged in Snyk’s ToxicSkills report · 11
D
whatsapp-mgvfake WhatsApp skill — base64 curl|bash in the SKILL.md body (Snyk ToxicSkills, actor aztr0nutzs)
passpassfail
0xfeb865edae…
fake WhatsApp skill — base64 curl|bash in the SKILL.md body (Snyk ToxicSkills, actor aztr0nutzs)
S-01 passS-03 passS-04 fail
D
coding-agent-1gxfake coding-agent skill — same in-body payload
passpassfail
0x0ab89cf157…
fake coding-agent skill — same in-body payload
S-01 passS-03 passS-04 fail
D
clawhubfake ClawHub skill — same in-body payload
passpassfail
0x3421270438…
fake ClawHub skill — same in-body payload
S-01 passS-03 passS-04 fail
D
twitter-sumsecond actor, identical payload (Snyk-named)
passpassfail
0xb2adf49aef…
second actor, identical payload (Snyk-named)
S-01 passS-03 passS-04 fail
D
waclimarketplace redistribution — in-body base64 curl|bash
passpassfail
0x8f3ad3e21c…
marketplace redistribution — in-body base64 curl|bash
S-01 passS-03 passS-04 fail
D
birdmarketplace redistribution — in-body base64 curl|bash
passpassfail
0x248f900492…
marketplace redistribution — in-body base64 curl|bash
S-01 passS-03 passS-04 fail
D
gorgerin-body base64 curl|bash
passpassfail
0x258c948f4d…
in-body base64 curl|bash
S-01 passS-03 passS-04 fail
in-body base64 curl|bash
S-01 passS-03 passS-04 fail
D
polymarketagentfake Polymarket agent — in-body base64 curl|bash
passpassfail
0x0bc1dcf985…
fake Polymarket agent — in-body base64 curl|bash
S-01 passS-03 passS-04 fail
D
summarizein-body base64 curl|bash
passpassfail
0x01ee42772e…
in-body base64 curl|bash
S-01 passS-03 passS-04 fail
D
bybit-agentfake Bybit agent — in-body base64 curl|bash (+ sudo variant)
passpassfail
0x4ee3ed02c3…
fake Bybit agent — in-body base64 curl|bash (+ sudo variant)
S-01 passS-03 passS-04 fail
Popular ClawHub skills · 10
self-improving-agent — #1 by installs
S-01 passS-03 passS-04 pass
A
SkillScana security gate for skills
passpasspass
0xc8c745b6d8…
a security gate for skills
S-01 passS-03 passS-04 pass
A
passpasspass
0xcab4189f1c…
S-01 passS-03 passS-04 pass
A
api-gatewaythird-party API proxy
passpasspass
0xf65c80395c…
third-party API proxy
S-01 passS-03 passS-04 pass
A
passpasspass
0xd483436f90…
S-01 passS-03 passS-04 pass
A
passpasspass
0x16bd21e341…
S-01 passS-03 passS-04 pass
A
passpasspass
0x90f9e7ee8e…
S-01 passS-03 passS-04 pass
A
ankispaced-repetition flashcards
passpasspass
0x685be752ee…
spaced-repetition flashcards
S-01 passS-03 passS-04 pass
A
amazonbuyer/seller/affiliate helper
passpasspass
0x3988ae76da…
buyer/seller/affiliate helper
S-01 passS-03 passS-04 pass
A
airtaglocate items, diagnostics
passpasspass
0x8d05561354…
locate items, diagnostics
S-01 passS-03 passS-04 pass
Developer tooling · 8
A
ansibleAnsible pitfalls, idempotence
passpasspass
0x5073f7bd5c…
Ansible pitfalls, idempotence
S-01 passS-03 passS-04 pass
A
angularRxJS leaks, change detection, DI
passpasspass
0xfd62e34d82…
RxJS leaks, change detection, DI
S-01 passS-03 passS-04 pass
A
androidbuild system + deployment
passpasspass
0xddf0122ccf…
build system + deployment
S-01 passS-03 passS-04 pass
A
npmregistry ops: login, publish
passpasspass
0x300152d388…
registry ops: login, publish
S-01 passS-03 passS-04 pass
A
one-password1Password secret read/store/inject
passpasspass
0xb95430a9e9…
1Password secret read/store/inject
S-01 passS-03 passS-04 pass
A
beeperlocal Beeper chat history + FTS
passpasspass
0xf739a1272d…
local Beeper chat history + FTS
S-01 passS-03 passS-04 pass
PDF/Office/HTML/audio → Markdown
S-01 passS-03 passS-04 pass
A
peekaboomacOS screenshots + UI automation
passpasspass
0xa3fed543b3…
macOS screenshots + UI automation
S-01 passS-03 passS-04 pass
Skills: S-01 prompt-injection · S-03 exfil instructions · S-04 dangerous bundled commands (static, content-hash anchored). Reproduce a skill grade with npx -p @polygraphso/litmus polygraphso-litmus-skill <dir>. Incident source: Snyk ToxicSkills · each row links to its polygraph skill report.