OpenClaw and NVIDIA Ship Three-Scanner Security Pipeline for Agent Skills, Release 67,000-Row Public Dataset

OpenClaw announced today that every skill published to ClawHub now passes through a three-scanner security gate before reaching users, with NVIDIA’s SkillSpector joining the pipeline alongside VirusTotal and OpenClaw’s own static analysis. The company also released the full scan results for 67,453 skill versions as a public dataset on Hugging Face, according to OpenClaw’s blog post.

What the Pipeline Does

ClawHub’s pre-publication gate, called ClawScan, feeds the output of all three scanners into an OpenAI GPT-5.5 agent that weighs findings alongside provenance metadata and moderation history. The agent produces a final verdict for each skill: Clean, Suspicious, or Malicious.

Every published skill now also ships with an NVIDIA Skill Card, a machine-readable trust record documenting who published it, what ClawScan found, and where the code came from. The cards are verified by ClawHub rather than taken from publishers’ self-descriptions. Users can inspect them on the skill detail page or from the terminal with openclaw skills verify <slug> --card.

SkillSpector itself combines static checks with AI-assisted semantic analysis. NVIDIA’s developer blog describes it as scanning for hidden instructions, prompt injection, trigger abuse, excessive agency, tool poisoning, and mismatches between a skill’s declared purpose and its actual behavior. Its coverage is grounded in OWASP guidance for LLM and agentic AI risks, plus MITRE ATLAS.

The Scanners Barely Overlap

The most striking finding from the dataset: the three scanners catch almost entirely different things.

No scanner pair agrees on more than 10.4% of their combined positives (Jaccard similarity). Static analysis and SkillSpector share a 0.104 Jaccard score. VirusTotal and SkillSpector share 0.094. Static analysis and VirusTotal overlap least at 0.065. Only 468 skills out of 67,453, or 0.69%, are flagged by all three scanners at once. 81.9% of positive findings come from a single scanner alone.

The composition shifts by severity. Among the 25,504 rows with a Suspicious verdict, SkillSpector is positive on 75.3%. Among the 206 rows marked Malicious, VirusTotal dominates at 72.8% while SkillSpector drops to 6.8%. The pattern makes sense: VirusTotal catches known malware signatures, while SkillSpector catches agentic risks that traditional scanners were never designed to detect.

Why It Matters Now

Agent skills execute with an agent’s full permissions, reading what the agent reads and writing where the agent writes. Security researcher Roan Brasil Monteiro documented that 341 malicious skills were found stealing credentials from ClawHub in January 2026, a number that grew to 1,184 within three months.

OpenClaw’s earlier defense relied on a closed-source Codex agent prompted to look for OWASP agentic risks. That approach caught real threats but was opaque. The shift to an open, multi-scanner pipeline with a public dataset marks a deliberate move toward community-verifiable security: researchers can now audit the scan outcomes, identify blind spots, and build competing detection methods.

The Open Dataset

The clawhub-security-signals dataset covers 67,453 latest public skill versions. Each row includes the skill’s SKILL.md content, ClawScan verdict and confidence score, and individual results from all three scanners: static analysis reason codes, VirusTotal engine stats, and SkillSpector severity scores with issue codes and categories. OpenClaw says it processes thousands of new skill publication events daily using GPT-5.5 for the ClawScan evaluation layer.

NVIDIA contributors Jacob Tomlinson, Agustin Rivera, and Michael Appel are credited on the project. NVIDIA’s own verified skills catalog uses SkillSpector as part of its publication pipeline, with cryptographic signing and Skill Cards for its CUDA-X and AI Blueprint skills.

The Supply-Chain Bet

The collaboration pairs the dominant GPU vendor for agent workloads with the largest open-source agent skill registry. The low scanner overlap, under 10.4% on every pair, validates what both companies are betting on: that agent-skill security is a genuinely novel problem requiring purpose-built tooling, not a repackaging of existing malware detection. Whether the open dataset produces better community scanners or simply becomes a benchmark for vendors to compete against will determine how much this announcement changes the security posture of agent deployments at scale.