DISABLE_TELEMETRY=1 to opt out before using.
supply-chain-poison-detector
Helps detect supply chain poisoning in AI agent marketplace skills. Scans Gene/Capsule validation fields for shell injection, outbound requests, and encoded...
Install via ClawdBot CLI:
clawdbot install andyxinweiminicloud/supply-chain-poison-detector
Grade Fair — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.
Potentially destructive shell commands in tool definitions: curl | bash
Calls external URL not in known-safe list: https://cdn.example.com/fmt.sh
AI Analysis
The skill's validation field directly downloads and executes arbitrary code from an external URL via 'curl | bash', enabling remote code execution without user consent. This is a classic supply chain attack pattern that could compromise the entire system, exfiltrate credentials, or install persistent backdoors. The skill's stated purpose (formatting markdown) does not justify such dangerous execution patterns.
Audited Apr 17, 2026 · audit v1.0
Generated Mar 22, 2026
Marketplace operators use this skill to scan newly submitted skills for malicious code before listing them publicly. It helps prevent supply chain attacks by flagging suspicious validation commands, such as shell injections or data exfiltration attempts, ensuring only safe skills are available to users.
Large enterprises deploying AI agents across departments use this skill to vet third-party skills from marketplaces. It scans for backdoors and encoded payloads in skill assets, reducing the risk of data breaches or unauthorized access when integrating external AI capabilities into business workflows.
AI skill developers employ this tool during the development phase to self-audit their skills for accidental security vulnerabilities. It checks validation fields and source code for patterns like outbound requests or file system access, helping ensure compliance with marketplace security standards before publication.
Financial technology companies use this skill to assess AI agent skills for regulatory compliance, scanning for hidden payloads or shell injections that could compromise sensitive financial data. It aids in maintaining security protocols and preventing supply chain attacks in automated trading or customer service agents.
Offer this skill as a cloud-based service where security teams can upload skill assets for scanning via an API. Charge a monthly or annual subscription fee based on scan volume, providing continuous updates for new threat patterns and integration with existing security tools.
License the skill to AI agent marketplaces for embedding directly into their submission and review processes. Generate revenue through one-time licensing fees or per-scan royalties, helping marketplaces enhance security and build trust with users by preventing malicious skill listings.
Provide a free basic version for individual developers to scan skills locally, with a premium tier offering advanced features like batch scanning, detailed reports, and priority support. Monetize through upgrades and partnerships with development platforms.
💬 Integration Tip
Integrate this skill into CI/CD pipelines to automatically scan skill updates before deployment, ensuring continuous security monitoring without manual intervention.
Scored Jun 19, 2026
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,...
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.
Analyze and classify agent skills for safety using local evaluation. Optionally produce a signed attestation of the vetting result.
Audit codebases and infrastructure for security issues. Use when scanning dependencies for vulnerabilities, detecting hardcoded secrets, checking OWASP top 10 issues, verifying SSL/TLS, auditing file permissions, or reviewing code for injection and auth flaws.
Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can s...
Project health and best practices enforcer. Checks security, quality, documentation, CI/CD, and dependencies. Produces a letter grade (A-F) with actionable f...