what this is
A scanner that says
what it can prove.
ClawAudit reads AI agent configs — CLAUDE.md, .mcp.json, .cursorrules, ClawHub skills — and reports what their code can do before you install them. It does not guess intent. It counts capability.
How it works
Agents are configured through markdown (CLAUDE.md), MCP server configs (.mcp.json), and skill definitions (SKILL.md). Those files grant permissions, wire up tools, and define what an agent can do. ClawAudit parses them zone-aware:
- Code blocks are weighted as executable instructions and parsed with an AST
- Prose is analyzed for social engineering and prompt-injection patterns
- YAML frontmatter and JSON configs are read for declared permissions
- Cross-file trust tracing connects CLAUDE.md and MCP configs to surface escalation paths
The engine applies 115 detection patterns, maps findings to OWASP LLM Top 10 (2025) and Agentic Top 10 ASI (2026), and reports as text, JSON, or SARIF for CI.
The calibration thesis
This is the most important sentence on the site, so it gets its own section. Across the corpus, 12.8% of skills can read environment variables — roughly one in six. Environment variables are where apps keep API keys and tokens, so that number sounds alarming, and most scanners would stop there and call it credential theft.
But reading process.env is not the same as reading your secrets. The narrow capability that actually means "can read SSH keys, AWS configs, keychains" sits at 0.4% — about one in 250. We count those two things separately, on purpose.
Conflating the broad capability with the narrow one is how a scanner overstates its own findings. We report what the code can do, and exactly how sure we are.
And the env-var + network combination — 6.2% of skills — is co-occurrence, not proof. It's the shape of data exfiltration: both capabilities present in one skill. We don't verify the two ever connect, and we don't say "can exfiltrate." Capability, not conduct. Can, not will.
Why it exists
Platform scans catch known-bad URLs. ClawAudit surfaces what they miss — capability combinations, cross-file trust-declaration gaps, undeclared permissions, and escalation across config boundaries — and reports them in a register you can act on without being misled.
Built by
ClawAudit is built by 4Worlds. Audit any skill via the free REST API — no authentication required. Read the State of OpenClaw Security report for ecosystem-wide findings, browse the registry, or check the one you're about to install on the home page.