Update: This is the original March 25 scan. For the latest data (March 27 refresh), see We Re-Scanned the Top 50 — Things Have Changed.
We took our V(g) security scanner and ran it against the Top 50 most-installed ClawHub Skills — totaling over 1.25 million downloads. The goal was simple: apply the same static analysis we use for Rotifer Genes to the most popular tools in the Claw ecosystem, and publish the results.
The headline: zero CRITICAL findings across all 50 Skills. No eval(), no child_process, no code obfuscation.
But the details tell a more nuanced story.
Grade Distribution
| Grade | Count | % | Meaning |
|---|---|---|---|
| A | 44 | 88% | Zero CRITICAL + zero HIGH |
| B | 4 | 8% | Zero CRITICAL + ≤2 HIGH (explainable) |
| C | 2 | 4% | Zero CRITICAL + >2 HIGH |
| D | 0 | 0% | — |
88% of the Top 50 received the highest grade. That’s a strong signal for the ecosystem’s security baseline — at least among the most popular tools.
Most Skills Are Pure Prompt
| Category | Count | % |
|---|---|---|
| With code files (.ts/.js/.mjs/.cjs/.py/.sh) | 17 | 34% |
| Pure prompt (SKILL.md only) | 33 | 66% |
66% of the Top 50 are prompt-only Skills. They contain no executable code, only a SKILL.md instruction file, so V(g)'s code rules have nothing to flag and the code-level patterns seen in ClawHavoc (eval, child_process, obfuscated payloads) cannot hide in them. That is not the same as risk-free: the instructions still steer an agent that has tools of its own, and prompt injection is a separate concern outside V(g)'s scope.
This ratio raises an interesting question: if most popular AI tools are just prompts, what does “quality” mean beyond security? Documentation completeness, error handling patterns, and claim-vs-reality alignment become the more meaningful dimensions.
Most Common Risk Patterns
Among the 34% that ship code:
| Rule | Hits | Severity | Description |
|---|---|---|---|
| S-07 | 12 | MEDIUM | File system operations (readFile, writeFile) |
| S-05 | 10 | HIGH | Environment variable access (process.env) |
| S-04 | 4 | HIGH | External HTTP communication (fetch) |
S-07 (File I/O) is the most common — many Skills need to read/write configuration files. Expected for CLI tooling.
S-05 (Env Access) is standard practice for API key management. The concern isn't reading env vars per se, but which vars are read and where the values are sent. A regex rule answers the first question and not the second, so the S-05 hits have to be read alongside the S-04 HTTP hits: a key read from the environment and posted to an undisclosed endpoint is the pattern the ClawHavoc comparison below is about.
Every finding was explainable and context-appropriate.
Skills with Findings
| Skill | Grade | Findings | Downloads | Key Patterns |
|---|---|---|---|---|
| elite-longterm-memory | B | 8 | 19,322 | Heavy file I/O (memory persistence) |
| imap-smtp-email | B | 7 | 16,931 | File I/O + HTTP (email protocol) |
| stock-analysis | C | 6 | 20,778 | Env vars for API keys (Yahoo Finance) |
| brave-search | C | 3 | 25,056 | HTTP requests (search API) |
| nano-banana-pro | B | 1 | 31,591 | Env var for Gemini API key |
| free-ride | B | 1 | 26,138 | Env var for OpenRouter API key |
All findings are legitimate operations for the Skills’ intended functionality.
Comparison with ClawHavoc
In February 2026, the ClawHavoc incident revealed that ~12% of ClawHub’s 38,000+ Skills had been compromised. Our Top 50 scan shows a markedly healthier profile:
| Metric | ClawHavoc (Full Registry) | V(g) Top 50 |
|---|---|---|
| CRITICAL findings | 12% infection rate | 0% |
| Code obfuscation | Multiple cases | 0 hits |
| Suspicious exec | Widespread | 0 hits |
| External comms | Undisclosed endpoints | 4 hits (all to known APIs) |
The most popular Skills have stronger security hygiene — likely because high-visibility tools attract more scrutiny, 28 of the 50 are Certified Skills that undergo review, and established authors maintain quality.
But what about the other 12,950?
Methodology
- Scanner: Rotifer V(g) v0.7.9, 7 regex-based detection rules (S-01 through S-07)
- Scope: Top 50 Skills by download count
- Date: March 2026
- Code types scanned: .ts, .js, .py, .sh, .mjs, .cjs
- Excluded: node_modules/, .git/, dist/ directories
- Limitation: Static analysis only — does not evaluate runtime behavior, prompt injection, or supply chain dependencies
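As an added illustration, not V(g)'s own code or rule set, the following JavaScript sketches how a scanner of the shape described in this section arrives at the grades in the Grade Distribution table: files are filtered by extension and excluded directory, each line is tested against a severity-tagged rule table, and the letter grade is derived from the CRITICAL/HIGH counts. S-04, S-05 and S-07 follow the descriptions in Most Common Risk Patterns; the patterns for S-01 to S-03 and S-06, the rule that any CRITICAL hit grades D (the table above leaves D undefined), and the sample Skills are assumptions made for this example.

```javascript
// Added example: a toy regex-rule scanner and grader in the shape the Methodology
// section describes. The patterns, the S-01..S-03/S-06 rule coverage, the "any
// CRITICAL => D" rule and the sample Skills are assumptions for illustration,
// not V(g)'s actual rules or real ClawHub packages.

const SCANNED_EXT = new Set(['.ts', '.js', '.py', '.sh', '.mjs', '.cjs']);
const EXCLUDED_DIRS = new Set(['node_modules', '.git', 'dist']);

const RULES = [
  { id: 'S-01', severity: 'CRITICAL', desc: 'dynamic code evaluation', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'S-02', severity: 'CRITICAL', desc: 'child process / shell execution', re: /child_process|\bexec(Sync)?\s*\(|\bsubprocess\./ },
  { id: 'S-03', severity: 'CRITICAL', desc: 'obfuscated payload (long hex or base64 literal)', re: /(\\x[0-9a-fA-F]{2}){8,}|['"][A-Za-z0-9+/]{120,}={0,2}['"]/ },
  { id: 'S-04', severity: 'HIGH', desc: 'external HTTP communication', re: /\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\.|\brequests\.(get|post)\s*\(/ },
  { id: 'S-05', severity: 'HIGH', desc: 'environment variable access', re: /\bprocess\.env\b|\bos\.(environ|getenv)\b/ },
  { id: 'S-06', severity: 'HIGH', desc: 'listening socket', re: /\.listen\s*\(|\bnet\.createServer\b|\bsocket\.socket\s*\(/ },
  { id: 'S-07', severity: 'MEDIUM', desc: 'file system operations', re: /\b(readFile|writeFile|appendFile|readFileSync|writeFileSync)\b|\bopen\s*\(/ },
];

// Methodology filters: listed extensions only, nothing under an excluded directory at any depth.
function isScannable(filePath) {
  const parts = filePath.split('/');
  if (parts.slice(0, -1).some((d) => EXCLUDED_DIRS.has(d))) return false;
  const base = parts[parts.length - 1];
  const dot = base.lastIndexOf('.');
  return dot > 0 && SCANNED_EXT.has(base.slice(dot));
}

// files: [{ path, content }]. One finding per (rule, file, line). The matched line
// is kept so a reviewer can see which variable was read or which host was called.
function scanSkill(files) {
  const findings = [];
  for (const f of files) {
    if (!isScannable(f.path)) continue;
    f.content.split('\n').forEach((line, i) => {
      for (const r of RULES) {
        if (r.re.test(line)) findings.push({ rule: r.id, severity: r.severity, file: f.path, line: i + 1, text: line.trim() });
      }
    });
  }
  return findings;
}

// Grade from severity counts per the Grade Distribution table; D is assumed for any CRITICAL.
function gradeFindings(findings) {
  const count = (sev) => findings.filter((f) => f.severity === sev).length;
  if (count('CRITICAL') > 0) return 'D';
  const high = count('HIGH');
  return high === 0 ? 'A' : high <= 2 ? 'B' : 'C';
}

// Hosts named on lines that tripped S-04: the "where are the values sent" half of the S-05 question.
function externalHosts(findings) {
  const hosts = findings.filter((f) => f.rule === 'S-04').map((f) => (f.text.match(/https?:\/\/([^'"\s/]+)/) || [])[1]).filter(Boolean);
  return [...new Set(hosts)].sort();
}

function report(skills) {
  const out = {};
  for (const [name, files] of Object.entries(skills)) {
    const findings = scanSkill(files);
    out[name] = { grade: gradeFindings(findings), findings: findings.length, rules: [...new Set(findings.map((f) => f.rule))].sort(), hosts: externalHosts(findings) };
  }
  return out;
}

// Constructed sample Skills, not real ClawHub packages.
const SAMPLE_SKILLS = {
  'prompt-only': [{ path: 'SKILL.md', content: '# Summarise\nRead the input and summarise it.' }],
  'api-wrapper': [
    { path: 'index.js', content: [
      'const key = process.env.SERVICE_API_KEY;',
      "const res = await fetch('https://api.example.com/v1?q=' + q, { headers: { Authorization: key } });",
      "await fs.promises.writeFile('cache.json', JSON.stringify(await res.json()));",
    ].join('\n') },
    // A bundled dependency is excluded, so its exec() is never seen: the supply-chain gap the Methodology names.
    { path: 'node_modules/dep/index.js', content: "require('child_process').exec('ls');" },
  ],
  'multi-key': [{ path: 'run.py', content: [
    'import os, requests', "a = os.environ['KEY_A']", "b = os.getenv('KEY_B')", "c = os.environ.get('KEY_C')",
    "requests.get('https://api.example.com', headers={'X-Key': a})",
  ].join('\n') }],
  'evaluator': [{ path: 'tool.mjs', content: 'const out = eval(userInput);' }],
};

console.log(JSON.stringify(report(SAMPLE_SKILLS), null, 2));
```

Running it grades the prompt-only sample A with no findings, the single-key API wrapper B (one S-05, one S-04, one S-07, host api.example.com), the three-key wrapper C (four HIGH hits), and the eval() sample D. The excluded node_modules file is the instructive case: its child_process call is never counted, which is the same blind spot the Limitation bullet above records for supply chain dependencies.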
What This Means
The data suggests two things:
- The top of the ecosystem is clean. Security tooling like VirusTotal plus manual review has kept the most popular Skills free of the patterns V(g) scans for. V(g) confirms this with a different methodology.
- Security is necessary but not sufficient. When 66% of popular tools are just prompts, code-level security scanning catches one dimension. Quality scoring — documentation, error handling, claim verification — addresses the rest.
V(g) is one layer of trust. We think the ecosystem needs more layers. If you’re interested in quality scoring as a complement to security scanning, we’d love to hear your perspective.
Try It
Scan any Skill or Gene with one command:
```shell
npx @rotifer/playground vg <path>
```
Badge your repo: rotifer.ai/badge
Full scanner docs: rotifer.dev/docs/cli/vg
Report by Rotifer Protocol. Data, methodology, and scanner are open source.