AI Agent Skill Security Scanner. Detects malicious patterns in OpenClaw and Agent Skills format skill files before you install them.
Named after the insider threat from Heat (1995). He ruins everything from the inside. WAINGRO knows one when it sees one.
In February 2026, Bitdefender documented the "ClawHavoc" campaign — coordinated exploitation of the OpenClaw skill ecosystem via malicious skills disguised as legitimate tools. Skills run with system-level permissions — terminal, file system, network. A single malicious skill compromises the entire host.
pip install waingroOr with Podman:
podman build -t waingro .
podman run --rm -v ./skills:/skills:ro waingro scan /skills/some-skill/# Scan a skill before installing
waingro scan ./some-skill/
# Scan with JSON output for CI/CD
waingro scan ./some-skill/ --format json --fail-on high
# Audit all installed skills
waingro audit ~/skills/
# Version
waingro version| Rule ID | Category | Severity | Description | Reference |
|---|---|---|---|---|
| EXEC-001 | Execution | CRITICAL | curl/wget piped to shell | ClawHavoc |
| EXEC-002 | Execution | CRITICAL | Base64-encoded command execution | ClawHavoc |
| EXEC-003 | Execution | HIGH | eval/exec with dynamic content | — |
| EXEC-004 | Execution | CRITICAL | PowerShell download cradles | — |
| EXEC-005 | Execution | CRITICAL | Hex-encoded command execution | — |
| EXEC-006 | Execution | CRITICAL | Hidden execution in bundled scripts | Polymarket trojan |
| EXFIL-001 | Exfiltration | HIGH | Credential file access | Bitdefender |
| EXFIL-002 | Exfiltration | CRITICAL | macOS Keychain access | — |
| EXFIL-003 | Exfiltration | HIGH | Browser credential access | — |
| EXFIL-004 | Exfiltration | HIGH | OpenClaw workspace scraping | Bitdefender |
| EXFIL-005 | Exfiltration | HIGH | Environment variable harvesting | — |
| EXFIL-006 | Exfiltration | HIGH | Embedded credential patterns | — |
| EXFIL-007 | Exfiltration | HIGH | Clipboard monitoring | — |
| PERSIST-001 | Persistence | HIGH | Crontab modification | — |
| PERSIST-002 | Persistence | HIGH | macOS LaunchAgent/LaunchDaemon | — |
| PERSIST-003 | Persistence | HIGH | systemd unit creation | — |
| PERSIST-004 | Persistence | MEDIUM | Shell profile modification | — |
| NET-001 | Network | CRITICAL | Reverse shell patterns | AuthTool |
| NET-002 | Network | CRITICAL | Known malicious infrastructure | Bitdefender |
| NET-003 | Network | HIGH | Tunnel/proxy setup | — |
| NET-004 | Network | CRITICAL | DNS data exfiltration | — |
| OBFUSC-001 | Obfuscation | MEDIUM | Base64 encoded strings | — |
| OBFUSC-002 | Obfuscation | MEDIUM | String concatenation tricks | — |
| INJECT-001 | Injection | HIGH | Prompt injection patterns | — |
| INJECT-002 | Injection | CRITICAL | Jailbreak/DAN patterns | — |
| INJECT-003 | Injection | CRITICAL | Metadata injection | — |
| SOCIAL-001 | Social Engineering | HIGH | Fake dependency installation | 1Password |
| SOCIAL-002 | Social Engineering | HIGH | Fake error messages | ClawHavoc |
| SOCIAL-003 | Social Engineering | CRITICAL | Malicious npm lifecycle hooks | — |
| TYPO-001 | Typosquatting | HIGH | Skill name typosquatting | — |
- Bitdefender Technical Advisory: OpenClaw Exploitation
- 1Password analysis of malicious Agent Skills (Feb 2026)
- Repello AI: AI agent supply chain security research
- ClawHub Ecosystem Security Audit — March 2026 audit of 30,037 skills (aggregate results; per-skill findings embargoed pending responsible disclosure)
MIT