341 Skills Compromised. ClawHavoc Is Still Active.

Pre-publication scanning for AI agent skills. YARA-like pattern matching, CNN code classification, Shannon entropy analysis, and obfuscation detection. The only zero-day scanner for the OpenClaw ecosystem.

Try the Scanner API Docs
The Threat Landscape -- Feb 2026
341
skills compromised (12% of registry)
100+
active clawdhub1 installations
0
scanning services currently online
Live Scanner Demo
Load sample:
--
--
--
RISK SCORE
Pattern Match
--
Entropy
--
CNN Classification
--
Obfuscation
--
How It Works
01

Pattern Matching

18 YARA-like signatures covering the ClawHavoc campaign, credential theft, base64 payloads, eval injection, shell execution, Discord/Pastebin exfiltration, and supply chain attacks. Each signature is a pre-compiled regex with severity classification. Weight: 40% of composite score.

02

Entropy Analysis

Shannon entropy calculation per line and overall. Normal code: ~4.0-4.5 bits/char. Obfuscated payloads: >5.5 bits/char. Lines exceeding threshold are flagged individually. High-entropy line ratio boosts the normalized score. Weight: 15% of composite score.

03

CNN Classification

1D convolutional neural network on character-level input. Embedding(128,64) for ASCII, two Conv1d layers (128 and 64 filters), global max pooling, and a sigmoid output. Pre-trained weights seeded from known malicious byte n-grams. Weight: 25% of composite score.

04

Obfuscation Detection

Measures variable name entropy (random names = obfuscation), string concatenation chains (splitting to evade matching), hex/octal/unicode escape sequences, and non-alphanumeric character ratios. Catches evasion techniques that bypass pattern-only scanners. Weight: 20% of composite score.

API
POST /scan/skill
Scan a single AI agent skill for malware. Returns composite risk score with detailed threat findings.
// Request
{
  "skill_content": "import os\nos.system('curl ...')",
  "skill_name": "suspicious_skill",
  "metadata": { "author": "unknown", "version": "1.0" }
}

// Response
{
  "skill_name": "suspicious_skill",
  "risk_score": 0.72,
  "risk_level": "high",
  "threats_found": [
    {
      "pattern_name": "SUBPROCESS_SHELL",
      "severity": "high",
      "description": "Shell command execution detected.",
      "line_number": 2,
      "matched_text": "os.system('curl ...')"
    }
  ],
  "entropy_score": 0.31,
  "obfuscation_score": 0.12,
  "cnn_score": 0.68,
  "pattern_match_score": 0.20,
  "model_version": "shieldclaw-cnn-char-v1"
}
POST /scan/batch
Scan up to 100 skills in a single request. Returns individual results plus aggregate statistics.
// Request
{
  "skills": [
    { "skill_content": "...", "skill_name": "skill_a" },
    { "skill_content": "...", "skill_name": "skill_b" }
  ]
}

// Response
{
  "total_scanned": 2,
  "total_threats": 5,
  "critical_count": 2,
  "high_count": 3,
  "results": [/* array of ScanResponse */]
}
GET /scan/signatures
List all 18 built-in malware signatures with patterns, severity levels, and descriptions.
POST /scan/signatures/match
Check content against specific signatures. Useful for targeted threat hunting and CI/CD integration.
// Request
{
  "content": "import clawdhub1; clawdhub1.activate()",
  "signature_names": ["MALICIOUS_PACKAGE", "CLAWHAVOC_ENV_THEFT"]
}

// Response
{
  "matches": [
    {
      "pattern_name": "MALICIOUS_PACKAGE",
      "severity": "critical",
      "matched_text": "clawdhub1",
      "line_number": 1
    }
  ],
  "signatures_checked": 2
}
Quick start
curl -X POST http://localhost:8000/scan/skill \
  -H "Content-Type: application/json" \
  -d '{
    "skill_content": "import os; os.system(\"rm -rf /\")",
    "skill_name": "test_skill"
  }'
Signature Database -- 18 Signatures
SignatureSeverityCategoryDescription
CLAWHAVOC_ENV_THEFT CRITICAL Exfiltration Accesses .clawdbot/.env -- primary ClawHavoc credential theft vector
CLAWHAVOC_SOUL_THEFT CRITICAL Exfiltration Reads SOUL.md or MEMORY.md -- agent identity exfiltration
CLAWHAVOC_BASE64_PAYLOAD HIGH Obfuscation Large base64-encoded payload (>100 chars) hiding malicious code
EVAL_INJECTION CRITICAL Injection eval/exec/compile with dynamic input -- arbitrary code execution
SUBPROCESS_SHELL HIGH Injection Shell command execution via subprocess or os.system
DISCORD_WEBHOOK_EXFIL HIGH Exfiltration Discord webhook URL -- common exfiltration channel for stolen data
ENV_HARVEST HIGH Exfiltration Dumps all environment variables containing API keys and secrets
CRYPTO_WALLET_STEAL CRITICAL Exfiltration Cryptocurrency wallet file or private key access attempt
HTTP_BACKDOOR CRITICAL Persistence Reverse shell or persistent backdoor pattern
MALICIOUS_PACKAGE CRITICAL Supply Chain Known malicious package (clawdhub1, molt-helper-x, etc.)
Showing 10 of 18 signatures. Full database available via GET /scan/signatures