Methodology
Selection: For each of 8 scanners, skills were ranked by severity score
(critical×4 + high×3 + medium×2 + low×1) and the top 5 selected, yielding 40 total findings
(35 unique skills due to overlap).
Investigation: Each skill was analyzed by an independent AI agent examining
the SKILL.md content against the scanner findings to determine intent and legitimacy.
Classifications:
True Positive genuinely malicious,
Benign True Positive correctly detected patterns with legitimate purpose,
False Positive incorrectly flagged benign content.
Limitations: All scanners were run in offline mode using static/pattern-based analysis only.
Some scanners support LLM-based semantic analysis which was not enabled for this benchmark.
Scanner Overlap Matrix
Skills appearing in multiple scanners' top 5 flagged lists
| Skill |
aid |
agentvet |
agentguard |
aguara |
caterpillar |
cisco |
nova |
skill-sec |
Count |
| snail3d_clawd |
- |
- |
✓ |
✓ |
- |
- |
- |
✓ |
3 |
| ahuserious_nautilus-trader |
✓ |
- |
- |
✓ |
- |
- |
- |
- |
2 |
| snail3d_clawforgod |
- |
- |
✓ |
✓ |
- |
- |
- |
- |
2 |
| snail3d_voice-devotional |
- |
- |
✓ |
✓ |
- |
- |
- |
- |
2 |
Ground Truth Analysis
Performance against 3 known malicious skills from a coordinated trojan campaign (C2: 91.92.242.30)
| Malicious Skill |
Attack Vector |
Detected |
Missed |
Detection Fidelity |
seedamir/amir
Fake "Solana Wallet CLI" |
glot.io paste + GitHub ZIP
curl|bash to C2 |
5/8 |
aid, cisco, nova |
HIGH agentvet (shell/network)
MED aguara (EXTDL, MCPCFG)
LOW caterpillar (generic exfil)
|
zaycv/polymarket-assistant
Fake "Trading Agent" |
base64 curl|bash
password-protected ZIP |
5/8 |
cisco, nova, caterpillar |
CRIT aid (base64 payload)
HIGH agentvet (obfuscation)
MED aguara (base64 patterns)
|
jordanprater/yahoofinance
Fake "Yahoo Finance CLI" |
glot.io paste link
GitHub ZIP download |
3/7 |
aid, cisco, skill-sec, caterpillar |
HIGH agentvet (URL patterns)
MED agentguard, aguara
|
Key Observations:
- agentvet detected all 3 (100%) - best performer on ground truth
- cisco-skill-scanner missed all 3 (0%) - likely needs semantic/LLM analysis for social engineering
- nova-proximity missed all 3 (0%) - pattern rules didn't match this campaign's TTPs
- aid only detected base64 payload (1/3) - invisible char focus missed paste-site attacks
- Detection fidelity varies: agentvet flagged specific shell/network IOCs; others flagged generic patterns
Key Findings
- No true positives in top-flagged: All 40 top-flagged skills are either benign or false positives
- 77.5% benign true positives: Security tools, scanners, and legitimate infrastructure correctly flagged
- 22.5% false positives: Mostly emoji variation selectors and empty/aggregation directories
- snail3d_clawd appears in 3 scanners: Multi-camera surveillance system with legitimate but risky capabilities
- Top flagged category: Security scanning tools (detecting patterns they're designed to find)
aid Scanner - Top 5 Flagged Skills
Invisible Unicode / ASCII smuggling detection
Found 7 instances of variation selector-16 (U+FE0F) modifying emoji characters. These are legitimately used for markdown formatting/documentation clarity, not malicious payload injection.
Found 1 instance of variation selector-16 modifying a warning sign emoji in Chinese documentation. Used for visual emphasis in legitimate technical documentation.
Found 7 instances of variation selector-16 modifying decorative emoji in Chinese markdown documentation for visual formatting and emphasis.
No invisible Unicode characters detected in SKILL.md file. Scanner may have crashed during initial scan. Manual analysis found zero variation selectors or zero-width characters.
Found 3 instances of variation selector-16 modifying common emoji in documentation. These control emoji rendering in markdown for visual consistency.
agentvet Scanner - Top 5 Flagged Skills
YARA rules, credential detection, URL analysis
Legitimate infrastructure tool for decentralized AI inference. High scanner flags reflect security-sensitive operations (private key management, blockchain transactions) that are expected and well-implemented: keys stored only in Keychain, never on disk.
Defensive prompt injection detection tool. Scanner flags reflect the detection patterns it intentionally contains. This is a SECURITY TOOL - flags show it successfully identifies threat patterns.
Pre-installation malware scanner. Flags reflect detection categories for actual malware (reverse shells, crypto stealers, credential harvesters). This is a MALWARE DETECTOR, not malware itself.
Legitimate database development tool. Flags for database credentials and network calls are EXPECTED. High finding count reflects comprehensive documentation with examples.
Security auditing tool with 18 safety checks. High flags expected - contains comprehensive threat knowledge to detect malicious skills. Test suite includes 8 malicious + 4 clean samples.
agentguard Scanner - Top 5 Flagged Skills
Security rules, risk scoring
Legitimate cryptocurrency portfolio management skill for the Kraken exchange. High risk score due to financial keywords and API credential handling, which are normal for exchange integrations.
ClawCamera - multi-camera surveillance system with legitimate use cases. Risk patterns detected (subprocess, file I/O, network calls) are justified by its intended surveillance function.
Variant of clawd with AI agent personality features. Contains identical surveillance components. Detected risk patterns are legitimate given stated purpose.
Another clawd variant focused on voice/devotional features. Same legitimate surveillance infrastructure with properly disclosed capabilities.
Legitimate security analysis tool designed to scan AI agent skills for 35+ threat categories. The risk patterns flagged are expected behavior for a security scanner - this IS genuine security tooling.
aguara Scanner - Top 5 Flagged Skills
YARA-based pattern detection, 177 rules
Legitimate algorithmic trading platform for NautilusTrader. Contains financial transaction code, environment variable handling (private keys), and SDK patches for production trading - all expected for a trading bot.
AI security validation suite with 6 detection modules (prompt injection, command injection, URL validation, path traversal, secrets detection). High pattern match count reflects comprehensive security detection.
Composite skill container. High pattern match count reflects shared utility code, message bus implementations, and event handling libraries across multiple related skills.
Companion/derived skill with identical infrastructure code. Pattern matches reflect shared libraries rather than malicious code.
Voice-based devotional/assistant application. High pattern match count reflects shared infrastructure code common across the snail3d skill ecosystem.
caterpillar Scanner - Top 5 Flagged Skills
Credential theft, data exfil, persistence, obfuscation detection
Security scanner skill that teaches threat detection methodology. Contains descriptions of malicious behaviors (base64 encoding, eval, curl piping) but only in the context of detection examples.
Programmatic security scanner with Python scanner implementation. Contains security detection patterns and descriptions of threats as examples of what to detect.
Security scanner for OpenClaw skills (npm package) with 54 pattern rules. Contains threat descriptions for detection purposes only.
Security scanning skill with ClamAV integration. Threat detection framework documenting threat indicators for protective purposes.
Security gate for package installation. Contains security patterns documented for preventing malicious installations. The gate 'never installs or executes' packages, only checks them.
cisco-skill-scanner - Top 5 Flagged Skills
Static analysis, bytecode analysis, policy violations
Legitimate meta-skill for AI agent self-improvement that intentionally uses shell execution, git operations, and code generation. Wrapped in safety controls (policy checks, blast radius analysis, rollback strategies).
Official Evolver meta-skill maintained by autogame-17. Contains intentional high-risk patterns for self-improvement with comprehensive safety mitigations.
Fork/variant of the Evolver system. Contains similar self-modifying capabilities with intentional shell access and code evolution features with safety guardrails.
Evolver fork/reimplementation. Shares the core self-evolution architecture with controlled execution environments and policy constraints.
Evolver variant (version 1.17.1). Legitimate self-improving system with intentional dangerous operations within controlled safety boundaries.
nova-proximity Scanner - Top 5 Flagged Skills
Pattern-based, manifest validation, security flags
ClawAudit is a legitimate security auditing tool that scans skills for malicious patterns. High flag count expected because it contains pattern matching rules that intentionally look for dangerous code signatures.
LobsterGuard is a bilingual security auditor (68 checks across 6 categories). High finding count is legitimate for a comprehensive security scanner with multi-layer threat detection.
Agent Memory Continuity Protocol - sophisticated but legitimate persistence and resurrection system. Findings due to cryptographic operations (Ed25519, X25519), IPFS interaction with proper security measures.
Enterprise email alias/domain control tool integrating Microsoft 365 and Cloudflare DNS. Findings reflect legitimate credential handling and API authentication with proper security measures.
Similar enterprise email control plane skill managing mailbox + domain via Microsoft 365 and Cloudflare. Uses strict credential autodiscovery with proper security validation.
skill-security-scan - Top 5 Flagged Skills
Risk scoring with severity levels
Legitimate self-improvement automation using standard file I/O and text analysis. High score triggered by extensive use of Read, Write, Edit, Grep, Glob, Bash tools which are appropriately declared. Includes human-in-the-loop safeguards.
Same skill as above (identical content). High score stems from metadata and allowed tools declarations necessary for legitimate reflection/learning mechanism. Includes proper safety guardrails.
FastAPI skill containing legitimate API development patterns and best practices documentation. Flagged due to mentions of child_process, environment variables, network calls - all appropriate for API development.
Comprehensive official documentation covering gateway configuration, authentication, deployment, CLI commands. High score from coverage of security-sensitive topics in documentation context.
Actual SKILL.md file is empty (0 bytes) - this is a collection/aggregation folder. High count represents cumulative analysis of sub-skills, not a single skill with malicious patterns.