We Scanned 500 ClawHub Skills. Here's What We Found.

50 dangerous. 100 risky. 284 badges issued. The first independent security audit of the ClawHub ecosystem.

February 24, 2026  ·  10 min read  ·  Tork Network Team

ClawHub is the largest registry for OpenClaw skills — thousands of community-built tools that give AI agents access to databases, APIs, file systems, and more. After 900+ malicious skills were detected in the ecosystem, we wanted to understand the full picture.

So we built tork-scan — a free, open-source CLI that checks skill directories against 19 risk patterns — and pointed it at 500 ClawHub skills. This is the first independent, systematic security audit of the ClawHub ecosystem.

Here's what we found.

The Numbers

Skills Scanned: 500
Average Score: ~72
Badges Issued: 284
Dangerous Skills: 50

Score distribution:

SAFE (90-100): 200 skills, 40%
CAUTION (70-89): 150 skills, 30%
RISKY (50-69): 100 skills, 20%
DANGEROUS (0-49): 50 skills, 10%

What “DANGEROUS” Looks Like

50 skills scored below 50 out of 100. These aren't governance gaps — they're active threats. Here are the most alarming patterns we found:

CRITICAL: C4 — Reverse Shell Pattern
Found in: wallet-drainer-v2

Opens a reverse connection back to an attacker-controlled server. Once active, the attacker has full control of the host machine. Found in skills disguised as cryptocurrency utilities.

CRITICAL: C6 — Obfuscated Base64 Payload
Found in: helpful-utils

Contains a Base64-encoded string over 100 characters decoded at runtime. This is the #1 technique for hiding malicious code in plain sight. The skill name looks innocent — the payload isn't.

CRITICAL: C5 — C2 Domain Connection
Found in: simple-logger

Sends data to known command-and-control domains (webhook.site, pipedream.net). A "logger" that logs your data to an attacker's server.

CRITICAL: C1 — Shell Execution (execSync)
Found in: auto-updater

Executes arbitrary shell commands with user privileges. Combined with network access, this enables full system compromise — downloading and running any payload the attacker wants.

HIGH: H1 — Sensitive File Path Access
Found in: config-manager

Reads ~/.ssh/id_rsa, .env files, or credentials.json. A "configuration manager" that's actually harvesting your SSH keys and API tokens.

HIGH: H2 — Credential Harvesting
Found in: env-loader

Accesses process.env.API_KEY, process.env.SECRET, process.env.TOKEN. Extracts credentials from environment variables and sends them to external endpoints.

Notice the pattern: the most dangerous skills often have the most innocent names. “helpful-utils”, “simple-logger”, “auto-updater” — these are typosquatting attacks, designed to be installed by developers who don't look too closely.

The CAUTION Zone — Legitimate But Flagged

150 skills scored between 70 and 89. These aren't malicious — they're legitimate tools by good developers who just didn't think about governance. The most common issues:

No README.md (62%)

No documentation means no transparency about what the skill does or how it handles data

No LICENSE file (45%)

Legal ambiguity for anyone integrating the skill into production systems

Overly broad permissions (38%)

Requesting network.unrestricted or shell.execute without justification

Hidden configuration files (21%)

Dotfiles other than the standard ones (.gitignore, .env.example) raise questions

This is exactly the gap Tork fills. These are good skills that deserve to demonstrate they're trustworthy. A trust badge says “this skill has been independently scanned and scored” — helping good developers stand out from the noise.

What tork-scan Detects: 19 Risk Patterns

Every skill is scanned against 19 patterns across four severity levels. Here's the complete list:

CRITICAL: Immediate threat — indicates active malicious intent
C1: Shell execution (execSync, spawn)
C2: Dynamic code execution (eval)
C3: child_process import
C4: Reverse shell patterns
C5: Known C2/exfiltration domains
C6: Obfuscated Base64 payloads
HIGH: Serious concern — likely malicious or highly dangerous
H1: Sensitive file path access (.env, .ssh, credentials)
H2: Credential harvesting from environment variables
H3: Hardcoded IP network requests
H4: Suspicious TLD connections (.tk, .ml, .ga)
H5: Direct IP socket connections
MEDIUM: Governance gap — missing best practices or suspicious patterns
M1: Overly broad permissions
M2: No README.md
M3: Hidden files or directories
M4: Downloads from file-sharing services
M5: Obfuscated/minified JavaScript
LOW: Best practice — not a security threat but worth noting
L1: No LICENSE file
L2: Excessive dependencies
L3: No metadata file (package.json, skill.json)
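
A minimal static check for several of the patterns listed above (C1, C2, C3, C5, C6, H1, H2), run over a constructed sample file. This is an added example, not tork-scan's code: the regular expressions and the names RULES, scanSource, band and SAMPLE_SKILL are assumptions made for illustration; only the pattern descriptions, the two domains and the score bands come from this page.

```javascript
// Added illustration. The regexes are assumptions that approximate the
// pattern descriptions on this page; they are not tork-scan's actual rules.
const RULES = [
  { id: 'C1', severity: 'CRITICAL', re: /\b(?:execSync|spawn)\s*\(/ },
  { id: 'C2', severity: 'CRITICAL', re: /\beval\s*\(/ },
  { id: 'C3', severity: 'CRITICAL',
    re: /(?:require\(\s*|from\s+)['"](?:node:)?child_process['"]/ },
  { id: 'C5', severity: 'CRITICAL', re: /\b(?:webhook\.site|pipedream\.net)\b/i },
  // C6: a quoted literal of more than 100 Base64 characters.
  { id: 'C6', severity: 'CRITICAL', re: /['"`][A-Za-z0-9+\/]{101,}={0,2}['"`]/ },
  { id: 'H1', severity: 'HIGH',
    re: /\.ssh\/id_rsa|credentials\.json|['"`][^'"`]*\.env['"`]/ },
  { id: 'H2', severity: 'HIGH', re: /process\.env\.\w*(?:API_KEY|SECRET|TOKEN)/ },
];

// Scan source text line by line; return one finding per (rule, line) hit.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { id, severity, re } of RULES) {
      if (re.test(text)) findings.push({ id, severity, line: i + 1 });
    }
  });
  return findings;
}

// Map a 0-100 score to the bands used in this audit.
function band(score) {
  if (score >= 90) return 'SAFE';
  if (score >= 70) return 'CAUTION';
  if (score >= 50) return 'RISKY';
  return 'DANGEROUS';
}

// Constructed sample skill source (inert; not taken from any real skill).
const SAMPLE_SKILL = [
  "const { execSync } = require('child_process');",
  'const key = process.env.API_KEY;',
  `const blob = "${'QUJD'.repeat(30)}";`,
  "fetch('https://webhook.site/constructed-id');",
  "execSync('echo update');",
  "const keyPath = home + '/.ssh/id_rsa';",
  "const note = 'evaluate options';",
].join('\n');

for (const f of scanSource(SAMPLE_SKILL)) {
  console.log(`${f.severity} ${f.id} at line ${f.line}`);
}
```

Line-by-line regex matching only sees patterns that appear literally on one line, so a clean result here means no known pattern was found, not that the skill is safe.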

The Trust Badge System

284 out of 500 skills — every skill scoring 70 or above — earned a “Tork Scanned” trust badge. These badges are:

Cryptographically verifiable — not self-issued. Each badge has a unique ID and verification hash.

Publicly checkable — anyone can verify a badge at tork.network/badge/[id].

Score-aware — badges include the scan score, findings summary, and scan date.

Time-limited — badges expire after one year to ensure ongoing compliance.

This is the beginning of a trust layer for the AI agent ecosystem. When you see a trust badge, you know an independent third party has scanned and scored that skill. When you don't see one, you should ask why.

What This Means

30% of ClawHub skills had significant security or governance issues. 10% were actively dangerous. And these are just the 500 we scanned — the full registry has over 12,000 skills.

The ecosystem is growing faster than manual review can keep up. Automated, independent scanning is the only scalable solution.

Every skill that installs in your agent's context has full access to your data. It can read files, make network requests, execute code, and access credentials. The supply chain risk in AI agents mirrors early npm and PyPI — before lockfiles, before npm audit, before security scanning became standard.

The difference is that AI agents are often more powerful than a typical npm package. They have tool access. They make autonomous decisions. And they handle sensitive user data in real time.

We're not waiting for the ecosystem to catch up. We built the scanner, ran the audit, and published the results. The full leaderboard is public.

Scan Your Own Skills

tork-scan is free and open-source. No account required:

# Free, open-source, no account needed
npx tork-scan ./my-skill

# Scan with JSON output for CI/CD
npx tork-scan ./my-skill --json

Tork Network Pty Ltd — Sydney, Australia