OpenClaw skills get system-level access — filesystem, shell, network, browser, credentials. Publishing to ClawHub requires a GitHub account that's at least seven days old. There's no code signing, no human review, no audit trail. VirusTotal scanning was added in February 2026 — but the OpenClaw team explicitly said it "cannot assess trust, detect prompt injection, or evaluate code quality."
So I scored 200 of them.
TL;DR
Mean composite score: 6.17/10. Median: 6.20. The sample represents 1.36 million GitHub stars. Zero skills declared their security posture in the SKILL.md frontmatter — not 1.5%, not "rare" — literally none.
Tier Distribution
The ClawHub ecosystem clusters in the middle band. Twenty-one skills earned the Verified tier, fifteen tripped a hard disqualifier, and two landed in the New tier. The remaining 162 sit in the Established tier: "good enough" projects with sufficient signal coverage but missing one or more pieces that would push them up.
Where the Weakness Lives
Average dimension scores across the rich-data subset (n=31):

| Dimension | Average score |
|---|---|
| Alive | 8.69 |
| Legit | 7.36 |
| Solid | 5.48 |
The pattern is consistent and counterintuitive: ClawHub skills are Alive (8.69) and Legit (7.36). They have active commits, real maintainers, and broad community adoption. Where they fall down is Solid (5.48), the dimension covering security posture, dependency health, tool safety, supply-chain safety, and known vulnerabilities.
The polished outer shell (popular repo, real org, recent commits) often hides a thinner security layer underneath. That's the gap a trust score is built to find.
Top 20 Most Trusted
| Skill | Score | Tier | Stars |
|---|---|---|---|
| moeru-ai/airi | 7.74 | Verified | 38,691 |
| activeloopai/deeplake | 7.71 | Verified | 9,103 |
| siyuan-note/siyuan | 7.53 | Verified | 43,024 |
| iOfficeAI/OfficeCLI | 7.52 | Verified | 2,157 |
| cablate/mcp-google-map | 7.50 | Verified | 277 |
| CherryHQ/cherry-studio | 7.45 | Verified | 44,582 |
| iOfficeAI/AionUi | 7.36 | Established | 22,688 |
| BlockRunAI/ClawRouter | 7.36 | Verified | 6,370 |
| HKUDS/nanobot | 7.33 | Verified | 41,075 |
| casdoor/casdoor | 7.31 | Verified | 13,495 |
| mindsdb/anton | 7.31 | Verified | 637 |
| afshinm/zerobox | 7.25 | Verified | 544 |
| vava-nessa/free-coding-models | 7.23 | Verified | 1,538 |
| 23blocks-OS/ai-maestro | 7.19 | Verified | 647 |
| yunionio/cloudpods | 7.18 | Verified | 2,886 |
| iamlukethedev/Claw3D | 7.14 | Verified | 1,399 |
| chrysb/alphaclaw | 7.10 | Verified | 1,234 |
| zhayujie/CowAgent | 7.08 | Verified | 43,775 |
| aiming-lab/AutoResearchClaw | 7.05 | Verified | 11,732 |
| openclaw/openclaw | 7.04 | Verified | 365,344 |
Notice the pattern: most of the top 20 are not skill libraries in the strict sense. They're full applications (cherry-studio, siyuan, casdoor, cloudpods) that ship with skill manifests as one feature among many. Their trust scores reflect the health of the broader project, not the focused craftsmanship of a single skill. Pure-play skill repos (cablate/mcp-google-map at 277 stars, mindsdb/anton at 637 stars) prove that small skills can earn Verified — but the head of the distribution is dominated by mature multi-feature codebases.
What Got Blocked
Fifteen skills hit a hard disqualifier. Within the rich-data subset (n=31), supply-chain risk (token exfiltration patterns or PR-target checkout in CI workflows) was the most common gating disqualifier, narrowly edging out direct safety-pattern detection. The full sample of 200 contains 15 blocked skills, so the subset's absolute counts understate the ecosystem-wide numbers; the relative distribution across disqualifier types, though, should be similar.
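For context, "PR-target checkout" refers to GitHub Actions workflows that trigger on pull_request_target (which runs with access to repository secrets) and then check out the untrusted pull-request head, letting attacker-controlled code execute with those secrets. A naive detector sketch, my illustration rather than the engine's actual check, assuming the repo is already cloned locally:

```python
import re
from pathlib import Path

def risky_workflows(repo_dir: str) -> list[str]:
    """Flag GitHub Actions workflows that combine pull_request_target
    with a checkout of the PR head: untrusted code + repo secrets."""
    hits = []
    for wf in Path(repo_dir, ".github", "workflows").glob("*.y*ml"):
        text = wf.read_text(errors="ignore")
        if "pull_request_target" in text and re.search(
            r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head", text
        ):
            hits.append(str(wf))
    return hits
```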
Lowest 10 Composite Scores
| Skill | Score | Tier |
|---|---|---|
| miaoxworld/OpenClawInstaller | 4.45 | New |
| photon-hq/qclaw-wechat-client | 4.53 | New |
| SafeAI-Lab-X/ClawKeeper | 4.56 | Established |
| LAVARONG/wechat-automation-api | 4.66 | Established |
| xianyu110/clawbot | 4.69 | Established |
| yeuxuan/openclaw-docs | 4.77 | Established |
| golutra/golutra | 4.79 | Established |
| wwbin2017/bailing | 4.79 | Established |
| wexare-ai/openbrowserclaw | 4.83 | Established |
| slhleosun/EvoClaw | 4.84 | Established |
The Transparency Gap
The SKILL.md format supports a security frontmatter section where authors declare what credentials they touch and what permissions they need. They can also declare allowed-tools to constrain what shell or HTTP calls a skill is allowed to make. Both are optional. Both reward authors with bonus points on the tool_safety signal.
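For concreteness, here is a minimal sketch of a populated declaration and how a scorer might read it. Only the security and allowed-tools keys come from the format described above; the field names under security and the allowed-tools entry syntax are illustrative assumptions, not a published OpenClaw schema.

```python
import yaml  # pip install pyyaml

# Hypothetical SKILL.md; the security sub-fields are assumptions.
SKILL_MD = """\
---
name: example-skill
security:
  credentials: [GITHUB_TOKEN]         # secrets the skill reads
  permissions: [network, filesystem]  # capabilities it needs
allowed-tools:
  - Bash(git status)
  - WebFetch(https://api.example.com/*)
---
# Example Skill
Agent instructions go here.
"""

def parse_frontmatter(text: str) -> dict:
    """Return the YAML frontmatter between the leading '---' fences."""
    _, fm, _ = text.split("---", 2)
    return yaml.safe_load(fm)

meta = parse_frontmatter(SKILL_MD)
print("security" in meta, "allowed-tools" in meta)  # True True; 0/200 in the wild
```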
Out of 200 skills surveyed: zero use the security field. Zero use allowed-tools.
That's the actual data: not "rare," literally none in the sample. The transparency adoption rate is 0%. Authors who do constrain their own skills get no recognition from users, because the market hasn't priced this signal in yet; authors who don't face no penalty either. The result is a flat zero.
This is a coordination problem masquerading as a security problem. The first agent platform that requires a populated security block as a publishing prerequisite would create a transparency floor overnight.
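Enforcing that prerequisite is a few lines in a registry's publish pipeline. A sketch, reusing parse_frontmatter from the earlier example; the policy itself is hypothetical, not something ClawHub does today:

```python
def publishable(skill_md: str) -> tuple[bool, str]:
    """Hypothetical registry-side gate: reject skills that do not
    declare a security block and an allowed-tools constraint."""
    try:
        meta = parse_frontmatter(skill_md)  # from the earlier sketch
    except ValueError:
        return False, "no parseable YAML frontmatter"
    if not meta.get("security"):
        return False, "security block missing or empty"
    if not meta.get("allowed-tools"):
        return False, "allowed-tools missing or empty"
    return True, "ok"
```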
What This Means for You
- Skill authors: add a security block to your SKILL.md. Declare credentials accessed and permissions needed, and constrain allowed-tools. You'll be in a literal 0% category right now; the first one in gets the entire transparency narrative for free, plus a bump on tool_safety that often nudges borderline composites into the Verified tier.
- Platform builders: make the security block required (not optional) in your skill template. The rate jumps to 100% the day you ship the requirement.

What This Data Doesn't Tell You
Sample size: 200 of an estimated 13,700+ ClawHub skills. Selection: the top 200 by GitHub star count from a 1,098-repo discovery pool. Stars correlate with project maturity but not with skill safety, and large applications with skill manifests get oversampled at the head; the Top 20 reflects this. An analysis restricted to pure-play skill repos would surface a different leaderboard.
Methodology
Discovery: GitHub topic search (topic:openclaw, topic:openclaw-skill, topic:claw-skill, topic:clawhub-skill, topic:agent-skill) plus code search (filename:SKILL.md). 1,098 unique repos discovered; sampled the top 200 by GitHub stars.
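Discovery is reproducible against the public GitHub search API. A minimal sketch, assuming a personal access token in GITHUB_TOKEN (unauthenticated search is throttled hard); the filename:SKILL.md code search works the same way against the /search/code endpoint:

```python
import os
import requests

HEADERS = {
    "Accept": "application/vnd.github+json",
    "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",
}

def search_repos(query: str, pages: int = 3) -> list[dict]:
    """Page through GitHub's repo search, sorted by stars descending."""
    items = []
    for page in range(1, pages + 1):
        r = requests.get(
            "https://api.github.com/search/repositories",
            headers=HEADERS,
            params={"q": query, "sort": "stars", "order": "desc",
                    "per_page": 100, "page": page},
            timeout=30,
        )
        r.raise_for_status()
        batch = r.json()["items"]
        items += batch
        if len(batch) < 100:  # last page reached
            break
    return items

# Union of the five topics used in this report, deduplicated by repo name.
seen: dict[str, int] = {}
for topic in ("openclaw", "openclaw-skill", "claw-skill",
              "clawhub-skill", "agent-skill"):
    for repo in search_repos(f"topic:{topic}"):
        seen[repo["full_name"]] = repo["stargazers_count"]

top200 = sorted(seen.items(), key=lambda kv: -kv[1])[:200]
```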
Scoring: every skill ran through the same production 15-signal engine that powers mcpskills.io. Skills Mode was auto-detected via SKILL.md presence (confidence 3, the highest). YAML frontmatter was parsed for security transparency scoring. Rich data (dimensions, disqualifiers, safety findings) was captured for a 31-skill subset; the full 200 were scored for tier and composite.
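The production algorithm isn't reproduced here, but the gating semantics the report relies on can be sketched: dimension scores average into a composite, and any hard disqualifier blocks the skill no matter how high the composite is. The weights and thresholds below are invented for illustration; the real tiering clearly weighs more than the composite alone (a 7.36 skill appears as Established in the Top 20 table).

```python
from dataclasses import dataclass, field

@dataclass
class SkillScore:
    dimensions: dict[str, float]                 # e.g. {"alive": 8.69, ...}
    disqualifiers: list[str] = field(default_factory=list)

    def composite(self) -> float:
        # Illustrative equal weighting; the real weights are not public.
        return sum(self.dimensions.values()) / len(self.dimensions)

    def tier(self) -> str:
        if self.disqualifiers:   # hard gate: composite is irrelevant
            return "Blocked"
        c = self.composite()
        if c >= 7.0:             # invented cutoffs for illustration only
            return "Verified"
        if c >= 5.0:
            return "Established"
        return "New"

s = SkillScore({"alive": 8.69, "legit": 7.36, "solid": 5.48})
print(round(s.composite(), 2), s.tier())  # 7.18 Verified (under these cutoffs)
```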
Full algorithm: /methodology.
Companion report: State of MCP Security — April 2026.
Data sources
Every score in this report is reproducible from public data. The trust algorithm itself is an opinionated combination, but the inputs are not.
- GitHub REST API — repository metadata, contributor graph, commit cadence, release history, issue responsiveness, file tree (for SKILL.md detection and source scanning). docs.github.com/en/rest
- OpenSSF Scorecard — security posture signals (branch protection, signed releases, dependency-update tooling, dangerous workflow patterns). scorecard.dev
- OSV.dev — unified vulnerability database (GHSA + npm + PyPA + Go + RustSec) used to query the currently-installable version (example query after this list). osv.dev
- CISA Known Exploited Vulnerabilities (KEV) — federal authoritative catalog of vulnerabilities with confirmed in-the-wild exploitation. cisa.gov/known-exploited-vulnerabilities-catalog
- FIRST.org EPSS — Exploit Prediction Scoring System (30-day exploit probability for any CVE). first.org/epss
- npm Registry — package metadata, weekly download counts, maintainer graph for partial scoring of npm-only packages. docs.npmjs.com
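Two of these sources have simple JSON APIs that make spot-checking a score straightforward. A minimal sketch querying OSV.dev for one installable version and EPSS for a CVE; the package and version are arbitrary examples:

```python
import requests

def osv_vulns(name: str, version: str, ecosystem: str = "npm") -> list[dict]:
    """Known vulnerabilities affecting one installable version (OSV.dev)."""
    r = requests.post(
        "https://api.osv.dev/v1/query",
        json={"package": {"name": name, "ecosystem": ecosystem},
              "version": version},
        timeout=30,
    )
    r.raise_for_status()
    return r.json().get("vulns", [])

def epss_score(cve: str) -> float:
    """30-day exploit probability for a CVE (FIRST.org EPSS)."""
    r = requests.get("https://api.first.org/data/v1/epss",
                     params={"cve": cve}, timeout=30)
    r.raise_for_status()
    data = r.json()["data"]
    return float(data[0]["epss"]) if data else 0.0

# lodash 4.17.20 is an arbitrary example with known advisories.
for v in osv_vulns("lodash", "4.17.20"):
    cves = [a for a in v.get("aliases", []) if a.startswith("CVE-")]
    if cves:
        print(v["id"], cves[0], epss_score(cves[0]))
```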
Prior research that motivated this work
- Trail of Bits — "ClawHavoc" (Jan 2026): 1,184 malicious AI skills discovered on a major skill marketplace; 341 traced to a single actor. blog.trailofbits.com
- Snyk — "ToxicSkills" study (Apr 2025): sampled OpenClaw skills; 36.82% had at least one security flaw, 2.6% had prompt injection specifically. arxiv.org/abs/2504.03767
- OpenClaw — VirusTotal integration announcement (Feb 2026): explicitly notes VirusTotal "cannot assess trust, detect prompt injection, or evaluate code quality" — the gap this scoring engine fills.
Score your own skill
Free trust report — paste any GitHub repo, npm package, or ClawHub URL.