Show HN: We scanned 500 ClawHub skills for security risks – 10% were dangerous
We built tork-scan, a free open-source CLI that checks AI agent skills (MCP tools) for 19 security risk patterns — reverse shells, credential harvesting, base64 payloads, eval(), C2 domains, and more.
We pointed it at 500 ClawHub skills. Results:
- 200 (40%) SAFE (90-100) - 150 (30%) CAUTION (70-89) - 100 (20%) RISKY (50-69) - 50 (10%) DANGEROUS (0-49)
The dangerous ones included typosquats with innocent names hiding credential exfiltration, obfuscated payloads, and C2 domain connections. 284 skills earned trust badges.
Try it: npx tork-scan ./my-skill
Full results + leaderboard: https://tork.network/leaderboard Writeup: https://tork.network/blog/clawhub-scan-results
Tork Network (https://tork.network) is an independent governance layer for AI agents — PII detection in ~1ms, compliance receipts, trust badges. Works with any MCP-compatible framework. Free tier available.
1 comment
[ 2.9 ms ] story [ 11.7 ms ] thread