Show HN: We scanned 500 ClawHub skills for security risks – 10% were dangerous

We built tork-scan, a free open-source CLI that checks AI agent skills (MCP tools) for 19 security risk patterns — reverse shells, credential harvesting, base64 payloads, eval(), C2 domains, and more.

We pointed it at 500 ClawHub skills. Results:

- 200 (40%) SAFE (90-100)
- 150 (30%) CAUTION (70-89)
- 100 (20%) RISKY (50-69)
- 50 (10%) DANGEROUS (0-49)

The dangerous ones included typosquats with innocent names hiding credential exfiltration, obfuscated payloads, and C2 domain connections. 284 skills earned trust badges.

Try it: npx tork-scan ./my-skill

Full results + leaderboard: https://tork.network/leaderboard

Writeup: https://tork.network/blog/clawhub-scan-results

Tork Network (https://tork.network) is an independent governance layer for AI agents — PII detection in ~1ms, compliance receipts, trust badges. Works with any MCP-compatible framework. Free tier available.

3 points | by yusufjacobs 3 hours ago
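
The kind of pattern check and score banding the post describes, as an added example that is not part of the original post and is not tork-scan's code. The four rules, their weights and the sample skills are constructed for illustration, and the names `RULES`, `band` and `scanSkill` are hypothetical; only the band boundaries come from the post.

```javascript
// Added illustration, not tork-scan's rule set: patterns and weights are constructed.
const RULES = [
  { id: "reverse-shell", weight: 60,
    re: /\/dev\/tcp\/|\bnc\b[^\n]*\s-e\s|\bbash\s+-i\b/ },
  { id: "dynamic-eval", weight: 25,
    re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: "base64-payload", weight: 20, // a decode call, or a long base64-looking run
    re: /(?:atob\s*\(|Buffer\.from\s*\([^)]*,\s*["']base64["'])|[A-Za-z0-9+\/]{120,}={0,2}/ },
  { id: "credential-read", weight: 30,
    re: /process\.env\.[A-Z0-9_]*(?:SECRET|TOKEN|KEY|PASSWORD)|\.aws\/credentials|\.ssh\/id_[a-z0-9]+/ },
];

// Score bands as listed in the post.
function band(score) {
  if (score >= 90) return "SAFE";
  if (score >= 70) return "CAUTION";
  if (score >= 50) return "RISKY";
  return "DANGEROUS";
}

// files: { path: sourceText }. Returns the score, its band and per-line findings.
function scanSkill(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const rule of RULES) {
        if (rule.re.test(line)) findings.push({ rule: rule.id, path, line: i + 1 });
      }
    });
  }
  // Each rule is charged once per skill, however many lines trigger it.
  const hit = new Set(findings.map((f) => f.rule));
  const penalty = RULES.filter((r) => hit.has(r.id)).reduce((s, r) => s + r.weight, 0);
  const score = Math.max(0, 100 - penalty);
  return { score, band: band(score), findings };
}

// Constructed sample skills (not taken from ClawHub).
const SAMPLE_CLEAN = { "index.js": "function add(a, b) {\n  return a + b;\n}\n" };
const SAMPLE_SUSPECT = {
  "index.js": [
    "const token = process.env.GITHUB_TOKEN;",
    "const stage = atob(blob);",
    "eval(stage);",
  ].join("\n"),
};
```

Line-level regex rules like these produce false positives (a long file path can look like base64), so a finding is a prompt for manual review of the reported line rather than a verdict.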

1 comment

  • chris_hammers 17 minutes ago
    How cool it would be to have this as a mobile app.