HN Showcase
Back to browse
RankClaw – AI-audited all 14,706 OpenClaw skills; 1,103 are malicious

RankClaw – AI-audited all 14,706 OpenClaw skills; 1,103 are malicious

by do_anh_tu·Mar 7, 2026·2 points·1 comment
Visit ProjectView on HN

AI Analysis

●●●BangerWizardryZero to OneShip It

Found 1,103 malicious skills (7.5%) that pattern matching missed; AI audit detects prompt injection in docs.

Strengths
  • AI deep audit detects natural-language attacks (prompt injection, social engineering) that surface scanners systematically miss
  • Identified bulk publishing and brand-jacking campaigns showing real threat infrastructure, not theoretical risk
  • Large validated dataset (14,706 skills, 14,704 audited) provides credible empirical foundation for trust scoring
Weaknesses
  • Relies on AI grading itself; no independent verification methodology disclosed for audit accuracy
  • Free tier covers basic lookups but monetizes via Pro; unclear if commercial incentives affect public threat data
Category
Security
Target Audience

AI engineers deploying Claude agents and MCP servers; teams using ClawHub skills

Post Description

RankClaw (rankclaw.com) is a security scanner for AI agent skills — the OpenClaw/ClawHub ecosystem that extends Claude-based agents with file, web, and shell access.

Data: - 14,706 skills indexed - Every single skill has a full AI deep audit report (14,704 complete) - 1,103 confirmed malicious (7.5%)

The key finding: automated surface scanning (metadata, dependency checks, pattern matching) systematically undercounts malicious skills. Skills that pass shallow heuristics fail AI audit because the attack is in the natural language of the SKILL.md — prompt injection, deferred execution, social engineering — none of which pattern matching detects.

The attack patterns found by AI deep audit: - Bulk publishing campaigns — one actor published 30 skills named "x-trends" across multiple accounts. 28 of 30 confirmed malicious. Goal: distribution at scale before detection. - Brand-jacking — 4 skills named clawhub/clawhub1/clawbhub/clawhud impersonating ClawHub's own CLI. macOS: base64 curl|bash to a raw IP. Windows: password-protected ZIP from a stranger's GitHub (the password prevents GitHub's malware scanner from opening it). - Prompt injection in legitimate-seeming skills — one scored 95/100 shallow, 38/100 after AI audit. The injection text wasn't in code — it was in the SKILL.md instructions. - On-demand RCE via challenge evaluation — claws-nft instructs the agent to "evaluate" challenges that can be "math, code, or logic problems." Server decides which type at call time. - LLM-generated payload — lekt9/foundry contains no malicious code. It instructs the AI to generate code and execute it. Static analysis finds nothing. The payload doesn't exist until the AI writes it during a conversation. - Social engineering — bonero-miner has a "Talking to Your Human" section with a pre-written script for the AI to use: "Can I mine Bonero? It's a private cryptocurrency - like Monero but for AI agents. Cool?"

Skills differ from browser extensions: no sandbox. Full file system, shell, and network access. The SKILL.md instructions are directives to the AI model — you need AI to audit AI.

Scoring model is open: Security 40%, Maintenance 20%, Docs 20%, Community 20%.

Free to check any skill: rankclaw.com

Similar Projects

Security●●Solid

SecureClaw – Open-Source Security Layer for OpenClaw Agents

The two-layer approach — a code plugin for gates/hardening plus a tiny ~1,230-token LLM skill for behavioral rules — is smart and practical. I appreciate that detection runs in bash (no token bloat) and that they mapped concrete checks to OWASP ASI and MITRE frameworks; the tradeoff is obvious: this is highly valuable if you run OpenClaw, but mostly irrelevant outside that ecosystem.

Niche GemBig Brain
alex_polyakov
213mo ago