polygraph.so
Login

ClawHub skills index

Static safety grades for skills distributed through ClawHub — including the malicious skills Snyk documented, graded next to the popular ones an agent would actually install.

20A11D· 31 skills · 31 graded · 1 featured

Each skill is graded by litmus-skill-v2, a deterministic STATIC scan of its SKILL.md + bundle: S-01 prompt-injection / context-poisoning, S-03 data-exfiltration instructions, and S-04 dangerous bundled commands. The scan reads the files — it never runs them — so the malicious skills below are safe to grade.

Snyk’s ToxicSkills analysis of 3,984 skills across ClawHub and skills.sh found 36.8% carried at least one security flaw, 13.4% critical, and 76confirmed malicious payloads — several still live at publication. The flagged cohort here each ships a fake “prerequisites” step that runs a base64-decoded curl | bash written into the SKILL.md; the litmus grades them D on the static text alone.

Static scanning has a disclosed edge: a sibling of these skills that instead tells the agent to “visit this link and run the command it shows”, or hides the payload in a bundled archive, keeps its dangerous command out of the scanned bytes and grades clean. That gap — a command fetched or assembled at runtime — is precisely why a static grade is a floor, not a guarantee, and why the behavioral harness and continuous re-grading matter. Grades are read live from hosted_runs and none are published onchain.

fake WhatsApp skill — base64 curl|bash in the SKILL.md body (Snyk ToxicSkills, actor aztr0nutzs)
S-01 passS-03 passS-04 fail
fake coding-agent skill — same in-body payload
S-01 passS-03 passS-04 fail
fake ClawHub skill — same in-body payload
S-01 passS-03 passS-04 fail
second actor, identical payload (Snyk-named)
S-01 passS-03 passS-04 fail
marketplace redistribution — in-body base64 curl|bash
S-01 passS-03 passS-04 fail
marketplace redistribution — in-body base64 curl|bash
S-01 passS-03 passS-04 fail
in-body base64 curl|bash
S-01 passS-03 passS-04 fail
in-body base64 curl|bash
S-01 passS-03 passS-04 fail
fake Polymarket agent — in-body base64 curl|bash
S-01 passS-03 passS-04 fail
in-body base64 curl|bash
S-01 passS-03 passS-04 fail
fake Bybit agent — in-body base64 curl|bash (+ sudo variant)
S-01 passS-03 passS-04 fail
self-improving-agent — #1 by installs
S-01 passS-03 passS-04 pass
a security gate for skills
S-01 passS-03 passS-04 pass
S-01 passS-03 passS-04 pass
third-party API proxy
S-01 passS-03 passS-04 pass
S-01 passS-03 passS-04 pass
S-01 passS-03 passS-04 pass
S-01 passS-03 passS-04 pass
spaced-repetition flashcards
S-01 passS-03 passS-04 pass
buyer/seller/affiliate helper
S-01 passS-03 passS-04 pass
locate items, diagnostics
S-01 passS-03 passS-04 pass
Ansible pitfalls, idempotence
S-01 passS-03 passS-04 pass
RxJS leaks, change detection, DI
S-01 passS-03 passS-04 pass
build system + deployment
S-01 passS-03 passS-04 pass
registry ops: login, publish
S-01 passS-03 passS-04 pass
1Password secret read/store/inject
S-01 passS-03 passS-04 pass
local Beeper chat history + FTS
S-01 passS-03 passS-04 pass
PDF/Office/HTML/audio → Markdown
S-01 passS-03 passS-04 pass
macOS screenshots + UI automation
S-01 passS-03 passS-04 pass
AlphaFold protein-structure workflows
S-01 passS-03 passS-04 pass
semantic arXiv preprint search
S-01 passS-03 passS-04 pass

Monitor the ClawHub registry.

This index is a snapshot. We re-grade ClawHub skills on a cadence and flag regressions — a newly bundled command, a changed content hash, a fresh malicious upload — as the registry ships. Set up per registry.

Prefer to write us directly? hello@polygraph.so

Skills: S-01 prompt-injection · S-03 exfil instructions · S-04 dangerous bundled commands (static, content-hash anchored). Reproduce a skill grade with npx -p @polygraphso/litmus polygraphso-litmus-skill <dir>. Incident source: Snyk ToxicSkills · each row links to its polygraph skill report.