Earlier this year, researchers discovered 1,184 malicious skills on ClawHub, the largest public registry for AI agent skills. At the time, no alarms went off. No marketplace review caught them. They sat there, available for any developer to install with a single command, until someone decided to look.
That incident, now known as ClawHavoc, changed the conversation. OpenClaw has since partnered with VirusTotal to add automated scanning to every skill published to ClawHub, and other registries are moving in similar directions. That's a meaningful first layer, and we're glad to see it. But it's a floor, not a ceiling, and it only covers one registry feeding one agent.
Your developers don't work that way. They install skills into Claude Code on Monday, extensions into Cursor on Tuesday, and plugins into Windsurf on Wednesday. They pull from ClawHub, Skills.sh, GitHub gists, internal mirrors, and whatever link a teammate drops in Slack. A per-agent, per-registry gate gives you three different trust stories and no consolidated view. That's not security governance. That's a checklist.
Today we're making Mondoo AI Skills Check available as a free service to anyone who wants it. No subscription required. Search any skill by name, registry, or PURL and see exactly what it claims to do, what it actually does, and where the risks are, before you install.
AI Skills Check is deliberately agent-agnostic. It works for skills you run in Claude Code, Cursor, Windsurf, custom Anthropic SDK agents, and MCP servers, across the registries that feed all of them: ClawHub and Skills.sh today, with more coming. Your agent estate is heterogeneous. Your security layer should be too.
Why an Independent, Agent-Agnostic Layer Matters
Registry-side scanning is a good gate. It catches known-bad binaries, flags obvious behavioral patterns, and blocks the most blatant attacks from ever being published. Defense in depth says you shouldn't stop there.
A registry operator's scanner runs at publish time, on the registry's terms, for the skills it hosts. An independent scanner runs at your terms, on any skill from any source, destined for any agent, with a structured output you can plug into your own governance. Those are different jobs. You want both.
Beyond ClawHavoc, the broader threat landscape keeps widening. Trend Micro found 492 MCP servers exposed to the internet with zero authentication. Google DeepMind published "AI Agent Traps," identifying six distinct classes of attacks that target AI agents through their environment: content injection, semantic manipulation, cognitive state poisoning, behavioral control, systemic attacks, and human-in-the-loop exploitation. These aren't theoretical. The ClawHavoc skills used several of these techniques, and similar patterns keep appearing in novel skills every week.
Cisco's State of AI Security 2026 report found that only 29% of organizations report readiness to secure agentic AI deployments. Your AppSec tools weren't built for this. Your SCA scanners don't understand SKILL.md files. Your vulnerability management program has a blind spot shaped like an AI agent, and it's a different blind spot for every agent your team uses.
What AI Skills Check Does
Mondoo AI Skills Check scans AI agent skills across four security layers, each designed to catch different categories of risk:
Pattern Match identifies known malicious signatures, credential harvesting patterns, data exfiltration URLs, and behavioral indicators that match documented attack campaigns like ClawHavoc.
ML Classifier uses machine learning models trained on both malicious and benign skills to score risk probability, catching novel threats that don't match known patterns.
Semantic Analysis reads the skill's description, instructions, and behavioral claims to detect contradictions, misleading language, and scope creep. A skill that claims to be "open-source" and "auditable" but specifies a proprietary backend license gets flagged.
Deep Inspection performs the most thorough analysis, examining how the skill interacts with external services, what permissions it requests, whether it encourages reduced human oversight, and whether its actual behavior matches its stated purpose.
The result is a scored assessment with detailed findings, each tagged by severity (Critical, High, Medium, Low) and category (behavioral_control, semantic_manipulation, systemic, human_in_the_loop, cognitive_state, description_mismatch). That structure is the part that matters when you're building governance across a heterogeneous agent estate, not just a single-agent gate.
"Claims to Do" vs. "Actually Does"
The feature that makes AI Skills Check different from a registry-side verdict is behavioral comparison. Every assessment includes a side-by-side breakdown: what the skill says it does in its description and documentation, and what it actually does based on deep code and configuration analysis.
Take one of the skills flagged in our initial scans, a "business automation agent" that claimed to handle prospecting, email management, and content generation. Sounds productive. Here's what it actually did: monitored Gmail inboxes, drafted and sent emails autonomously without per-action approval, posted to Twitter/TikTok/LinkedIn on a schedule, learned from past email patterns (storing historical communication data), and routed all traffic through a free-tier hosting service with no organizational trust signals.
The skill had 14 distinct security findings. Eight were High or Critical severity. Without behavioral comparison, you'd just see a description that sounds like a helpful assistant.
How to Use AI Skills Check
AI Skills Check is live and free. Search for any skill by name, registry, or PURL at the AI Skills Check dashboard. Every scanned skill gets a public assessment page showing its risk score, security check results, behavioral analysis, findings breakdown, and SKILL.md hashes (MD5, SHA-1, SHA-256, TLSH) for integrity verification.
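The two pieces of an assessment that a governance workflow consumes are the published SKILL.md hashes and the severity/category-tagged findings. The following is an added example, not Mondoo's code: a hypothetical pre-install gate that first checks a local SKILL.md against the MD5/SHA-1/SHA-256 values an assessment page would publish (TLSH is omitted because it needs a third-party library), then applies a policy over findings using the severities and categories listed above. The sample SKILL.md, its "published" hashes, the findings and the high-impact category set are all constructed here.

```python
import hashlib
from dataclasses import dataclass

# Severity and category vocabulary as it appears in an assessment.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Categories this hypothetical policy treats as high-impact (an assumption, not a Mondoo default).
HIGH_IMPACT = {"behavioral_control", "human_in_the_loop", "systemic"}

@dataclass
class Finding:
    severity: str
    category: str
    title: str

def skill_md_hashes(skill_md: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of SKILL.md; TLSH is also published but needs a
    third-party library, so it is not computed here."""
    return {alg: hashlib.new(alg, skill_md).hexdigest() for alg in ("md5", "sha1", "sha256")}

def integrity_ok(skill_md: bytes, published: dict) -> bool:
    """Every published hash we can compute must match the local file; if none is computable, fail closed."""
    local = skill_md_hashes(skill_md)
    checked = [alg for alg in published if alg in local]
    return bool(checked) and all(local[alg] == published[alg].lower() for alg in checked)

def install_decision(skill_md: bytes, published: dict, findings: list, block_at: str = "Critical") -> tuple:
    """Hypothetical gate: block on hash mismatch, on any finding at or above
    `block_at`, or on a High finding in a high-impact category."""
    if not integrity_ok(skill_md, published):
        return ("block", "SKILL.md does not match the hashes on the assessment page")
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity]):
        rank = SEVERITY_RANK[f.severity]
        if rank >= SEVERITY_RANK[block_at]:
            return ("block", f"{f.severity} finding: {f.title}")
        if rank == SEVERITY_RANK["High"] and f.category in HIGH_IMPACT:
            return ("block", f"High {f.category} finding: {f.title}")
    return ("allow", "no blocking findings")

# Constructed sample: a SKILL.md and the hashes an assessment page would publish for it.
SAMPLE_SKILL_MD = b"# Business automation agent\nHandles prospecting, email management and content generation.\n"
PUBLISHED = skill_md_hashes(SAMPLE_SKILL_MD)
# Constructed findings modelled on the business-automation skill described earlier.
FINDINGS = [
    Finding("High", "human_in_the_loop", "Sends email autonomously without per-action approval"),
    Finding("Medium", "description_mismatch", "Posts to social networks; not mentioned in description"),
]
BENIGN = [Finding("Medium", "description_mismatch", "Mentions a backend not listed in docs")]

if __name__ == "__main__":
    print(install_decision(SAMPLE_SKILL_MD, PUBLISHED, FINDINGS))         # block: High human_in_the_loop
    print(install_decision(SAMPLE_SKILL_MD + b"\n", PUBLISHED, BENIGN))   # block: tampered SKILL.md
    print(install_decision(SAMPLE_SKILL_MD, PUBLISHED, BENIGN))           # allow
```

The default `block_at="Critical"` lets a High description_mismatch through while still blocking a High human_in_the_loop finding; tighten `block_at` to "High" to block both.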
Browse the Leaderboard to see the most popular skills ranked by stars, and the Most Risky list to see which widely-used skills carry the highest risk scores. It's a fast way to audit what your team is likely already using, regardless of which agent they run it in.
For organizations that want assessments on private or internal skills, or want to integrate AI Skills Check into their CI and governance workflows across every agent in their estate, hit the "Get Assessment" button to talk to us.
What Comes Next
AI agent skills are becoming infrastructure. They're the connective tissue between your developers' intent and the actions agents take on their behalf. Securing that layer isn't optional; it's the same category of problem as securing your software supply chain, your container images, or your IAM policies. And like those categories, it needs a unified control plane, not one gate per vendor.
Free, agent-agnostic scanning across any registry is the right starting point for a category this young. We built AI Skills Check because Mondoo has spent years helping 300+ organizations, including Fortune 50 companies, close the gap between finding vulnerabilities and actually fixing them. AI agent security is the next frontier of that mission, and it's one we'd rather raise the floor on for everyone, across every agent your team runs, than gate behind a paywall.
Scan your first skill at mondoo.com/ai-agent-security. No subscription required.