One week after our initial scan, we ran the numbers again. The ClawHub ecosystem has changed — fast.
Total downloads across the Top 50 grew from 1.25M to over 3.5M in one week. The #1 skill now has 311K downloads. But alongside the growth, new patterns have emerged that weren’t there before.
The headline: for the first time, we found CRITICAL security patterns in the Top 50. Two skills received Grade D. Two of the top 10 were delisted. And a third of the Top 50 carry a “Suspicious” flag.
Grade Distribution
| Grade | Count | % | Change |
|---|---|---|---|
| A | 39 | 78% | ↓ from 88% |
| B | 4 | 8% | = |
| C | 3 | 6% | ↑ from 4% |
| D | 2 | 4% | NEW |
| DELISTED | 2 | 4% | NEW |
The Grade A share dropped 10 points. Two skills hit Grade D for the first time — both are “evolver” variants that execute system commands and modify code by design.
What’s New Since Last Week
CRITICAL findings exist now
The previous scan found zero CRITICAL patterns across all 50 skills. This time:
- 1 `eval()` call detected (S-01) — the most dangerous pattern in our scanner
- 115 system command execution patterns (S-02) — `child_process`, `exec`, `spawn`
- Both concentrate in two “self-evolution” skills that spawn processes, run git commands, and rewrite their own code
These findings are consistent with the skills’ stated purpose — but the security surface is extreme: 844 combined findings across 25,000+ lines of code.
Top skills are disappearing
The #1 most-downloaded skill (311K downloads) and #3 (170.9K) have been removed from ClawHub’s download API. Both were flagged “Suspicious.” When the most popular tool in an ecosystem gets delisted, that’s a signal worth paying attention to.
A third of the Top 50 are “Suspicious”
topclawhubskills.com now shows a Suspicious/OK indicator based on OpenClaw’s behavioral analysis. 17 of 50 skills (34%) carry the Suspicious flag.
Interestingly, one Grade D skill is marked OK despite having eval() in its code — and some Grade A skills are marked Suspicious. The two trust dimensions measure different things. Neither alone tells the full story.
Most Skills Are Still Pure Prompt
| Category | Count | % |
|---|---|---|
| With code files | 18 | 37% |
| Pure prompt (SKILL.md only) | 30 | 63% |
Similar to last week (34/66). The majority of popular skills contain no executable code — just instructions for the AI agent. These are safe from code-level attacks but raise separate questions about prompt injection and claim verification.
Risk Pattern Frequency
| Rule | Hits | Severity | Description |
|---|---|---|---|
| S-05 | 405 | HIGH | Environment variable access |
| S-07 | 325 | MEDIUM | File system operations |
| S-02 | 115 | CRITICAL | System command execution |
| S-04 | 43 | HIGH | External HTTP communication |
| S-01 | 1 | CRITICAL | Dynamic code execution (eval) |
Environment variable access (S-05) overtook file I/O (S-07) as the most common pattern. The 116 CRITICAL hits are entirely from the two Grade D skills.
Skills with Findings
| Skill | Grade | Findings | Downloads | Status |
|---|---|---|---|---|
| self-improving-agent | DELISTED | — | 311K | Suspicious |
| agent-browser | DELISTED | — | 170.9K | Suspicious |
| nano-banana-pro | B | 1 | 67.7K | OK |
| openclaw-tavily-search | B | 1 | 58.2K | Suspicious |
| polymarket-trade | C | 19 | 47.6K | Suspicious |
| brave-search | C | 3 | 41.3K | Suspicious |
| elite-longterm-memory | B | 8 | 38.9K | Suspicious |
| stock-analysis | C | 6 | 38.4K | Suspicious |
| evolver | D | 653 | 38.0K | Suspicious |
| feishu-evolver-wrapper | D | 191 | 32.9K | OK |
| imap-smtp-email | B | 7 | 29.9K | OK |
Author Concentration
One author (@steipete) maintains 18 of the Top 50 — all graded A or B. This is both a quality signal (consistent security hygiene) and a structural risk (36% of popular tools depend on one maintainer).
What This Means
Three things stand out:
- The clean core is shrinking. Grade A dropped from 88% to 78%. The first CRITICAL findings and delistings mark a phase transition — the ecosystem is no longer uniformly safe at the top.
- Trust requires multiple layers. V(g) catches code patterns. OpenClaw’s scanner catches behavioral inconsistencies. VirusTotal catches known malware. Each misses what the others find. A skill can be Grade D (V(g)) and OK (OpenClaw) simultaneously — or Grade A and Suspicious.
- Growth amplifies risk. ~3× download growth in one week means more users are exposed to skills of unknown quality. The 311K-download #1 skill being delisted after the fact means hundreds of thousands of installs occurred before the problem was caught.
V(g) is one trust layer. The ecosystem needs them all working together.
Try It
Scan any skill or Gene with one command:
`npx @rotifer/playground vg <path>`
Badge your repo: rotifer.ai/badge
Full scanner docs: rotifer.dev/docs/cli/vg
Report by Rotifer Protocol. Data, methodology, and scanner are open source. Full JSON data available in the report repository.