Frequently Asked Questions
Everything you need to know about ClawDefend, how we scan, and how we compare to ClawHub.
ClawHub already scans skills — why use ClawDefend?
ClawHub's scanner analyzes intent: it reads the SKILL.md metadata and checks if the skill's stated purpose seems suspicious. ClawDefend scans the actual code — every .py, .js, .ts, and .sh file — using static analysis, AST parsing, and pattern matching to find dangerous behavior at the line level. They answer different questions. ClawHub asks: 'does this skill seem honest?' We ask: 'what does this code actually do, and is that dangerous?' Both layers matter.
What does ClawDefend find that ClawHub misses?
Code-level findings that only appear in the source files: exact shell execution locations, hardcoded eval() payloads, environment variable exfiltration patterns (reading API keys and sending them to external servers), obfuscated network calls, and base64-encoded payloads. We show you the exact file name and line number — not just a general flag. In one popular skill we found unrestricted shell execution at hot_scanner.py:383, a finding ClawHub's intent-based scan didn't surface.
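To illustrate the kind of line-level AST rule described above, here is an added example (not ClawDefend's code) that parses a Python file and reports the file name and line number of eval(), exec() and shell-execution calls; the rule names and severities are illustrative assumptions, and the sample skill source is constructed.

```python
import ast

# Call targets treated as dangerous, with an assumed rule name and severity.
# These names and weights are illustrative, not ClawDefend's real rule set.
DANGEROUS_CALLS = {
    "eval": ("hardcoded-eval", "CRITICAL"),
    "exec": ("dynamic-exec", "CRITICAL"),
    "os.system": ("shell-execution", "CRITICAL"),
    "subprocess.call": ("shell-execution", "HIGH"),
    "subprocess.run": ("shell-execution", "HIGH"),
    "subprocess.Popen": ("shell-execution", "HIGH"),
}

def _call_name(node):
    """Return a dotted name for a call target, e.g. 'os.system' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def scan_source(source, filename="<skill>"):
    """Parse a Python file and return (filename, line, rule, severity) findings, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            rule, severity = DANGEROUS_CALLS[name]
            findings.append((filename, node.lineno, rule, severity))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample skill code, not a real skill.
SAMPLE = """import os, subprocess
def run(cmd):
    return subprocess.run(cmd, shell=True)
def helper(payload):
    eval(payload)
os.system("ls")
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE, "sample_skill.py"):
        print("%s:%d %s [%s]" % finding)
```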
Do you scan skills not on ClawHub?
Yes. We scan any OpenClaw skill via GitHub URL — including skills in private repositories, enterprise internal skills that were never published to ClawHub, and the full openclaw/skills GitHub archive. If it has code, we can scan it. Just paste the GitHub or ClawHub URL.
Are you affiliated with OpenClaw or ClawHub?
No. ClawDefend is an independent, third-party security tool with no affiliation to OpenClaw or ClawHub. That independence is a feature: we have no incentive to soften findings, approve skills that have issues, or protect any platform's reputation. Our only job is accurate security analysis.
Is VirusTotal integrated?
Yes. Every scan includes a VirusTotal hash lookup alongside our own code analysis. We compute a SHA-256 hash of the skill's files and check it against VirusTotal's database of 70+ antivirus engines. This means you get both traditional malware detection and our AI-agent-specific code analysis in one report.
What does the risk score mean?
The risk score is 0–100, where lower is safer. It's calculated from the number and severity of findings: CRITICAL findings (data exfiltration, malicious shell execution) have heavy weight, while LOW findings (debug logging, minor best-practice issues) have minimal weight. Scores map to grades: A (0–20), B (21–40), C (41–60), D (61–75), F (76–100).
How is this different from just reading the code myself?
You'd have to read every file manually and know what to look for: obfuscated exfiltration patterns, unsafe exec() calls, credential harvesting, prompt injection vectors. ClawDefend runs 15+ automated detection rules plus GPT-4o intent analysis across all files in seconds. We also cross-reference findings against known threat patterns from real malicious skills we've analyzed.
Can I use ClawDefend in my CI/CD pipeline?
Yes — that's what the Developer plan is for. The REST API lets you scan any skill URL programmatically and get a structured JSON report. Webhooks let you receive scan results asynchronously. The npm CLI (npx clawdefend scan <url>) works in any shell environment. Free tier users can use the web scanner; Developer plan users get API key access.
What's the difference between the free tier and paid plans?
Free tier: 5 scans per month via the web scanner. User plan ($9/month): 200 scans/month. Developer plan ($29/month): 1,000 scans/month, REST API access, API key management, webhook support, and priority scanning. All plans include full scan reports with line-level findings, severity scores, and remediation guidance.
Still have questions?
Contact us at support@clawdefend.com or scan a skill to see ClawDefend in action.