ClawAudit v0.5: AST Analysis, VirusTotal Threat Intel, and the First Dual OWASP Mapping
March 17, 2026 · 8 min read · By 4Worlds
When we launched ClawAudit, it was a regex scanner. Pattern matching against SKILL.md files. Useful, but limited. A smart attacker could evade it. A benign skill could trigger false positives.
v0.5 changes that. The analyzer now has four distinct detection layers, each catching what the others miss. And every finding is now dual-mapped to both OWASP frameworks that matter for agent security.
What's new
1. Acorn AST Analysis
JavaScript and TypeScript code blocks in skills are now parsed into Abstract Syntax Trees using Acorn. Instead of matching text patterns, we walk the actual code structure.
This catches things regex can't:
- Indirect eval() calls hidden behind variable assignments
- fetch() calls buried in promise chains
- process.env access through destructuring
- child_process imports via dynamic require()
AST findings carry confidence: "ast" vs "pattern" for regex matches. When both detect the same issue, the AST finding wins in deduplication.
Graceful fallback for non-JS code or unparseable blocks — no crashes, regex still runs.
2. VirusTotal URL Enrichment
The API now extracts URLs from skill code and checks them against 94+ antivirus engines via the VirusTotal API. Results are cached in KV with tiered TTLs (24h for flagged, 7d for clean).
This adds a third signal beyond static analysis: is this URL actually known to be malicious?
A skill that fetch()es from a URL flagged by 8+ AV engines is qualitatively different from one that fetches from a clean API.
SSRF-safe: the URL filter blocks private IP ranges, cloud metadata endpoints (169.254.x.x), IPv6 loopback, and common documentation domains before any external lookup.
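An added example (not ClawAudit's own code) of the kind of pre-lookup URL filter described above. The documentation-domain list, the reason strings and the function names are assumptions, and the IPv6 unique-local, link-local and IPv4-mapped checks go beyond the cases the post lists.

```javascript
// Assumption: the post only says "common documentation domains"; this list is illustrative.
const DOC_DOMAINS = ['example.com', 'example.org', 'example.net'];

// IPv4 networks that must never be sent to an external lookup: [base, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes cloud metadata endpoints
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const v4ToInt = (ip) => ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const start = v4ToInt(base);
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

function isBlockedV6(ip) {
  if (ip === '::1' || ip === '::') return true; // loopback and unspecified
  // URL normalizes IPv4-mapped addresses to ::ffff:HHHH:HHHH; unwrap and reuse the v4 check.
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip);
  if (mapped) {
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = parseInt(ip.split(':')[0], 16); // NaN for "::..." forms, which fail both ranges
  return (first >= 0xfc00 && first <= 0xfdff) || (first >= 0xfe80 && first <= 0xfebf);
}

// Returns null when the URL may be submitted for lookup, otherwise the reason it is skipped.
function blockReason(raw) {
  let url;
  try { url = new URL(raw); } catch { return 'unparseable'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'scheme';
  // Parse first: URL rewrites decimal and hex hosts (2130706433, 0x7f.1) to dotted form.
  const host = url.hostname.replace(/\.$/, '');
  if (host.startsWith('[')) return isBlockedV6(host.slice(1, -1)) ? 'private-ip' : null;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return isBlockedV4(host) ? 'private-ip' : null;
  if (host === 'localhost' || host.endsWith('.localhost')) return 'private-ip';
  if (DOC_DOMAINS.some((d) => host === d || host.endsWith('.' + d))) return 'doc-domain';
  return null;
}

// Constructed sample URLs, not taken from the scan data.
const SAMPLES = ['http://169.254.169.254/latest/meta-data/', 'http://2130706433/', 'https://api.github.com/repos'];
for (const u of SAMPLES) console.log(u, '->', blockReason(u) ?? 'lookup');
```

The filter inspects literal hosts only; a public name that resolves to an internal address needs a resolution-time check wherever the URL is actually fetched.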
3. OWASP Agentic Top 10 (ASI 2026) Mapping
OWASP released a new framework specifically for agentic applications — separate from the LLM Top 10 we already mapped to. It covers agent-specific risks: goal hijacking, tool misuse, identity abuse, supply chain, unexpected code execution, memory poisoning, inter-agent communication, cascading failures, trust exploitation, and rogue agents.
ClawAudit is now the first open agent security tool to dual-map every finding to both frameworks. Every pattern match, compound threat, integrity issue, trust trace finding, and VT enrichment result carries both owasp[] (LLM) and owaspAsi[] (Agentic) tags.
4. Security Hardening
A security tool should be secure. We ran a full internal audit and fixed:
- ReDoS vulnerabilities in base64 and shell injection patterns
- SSRF protection for the VirusTotal integration
- Error message sanitization (no more stack traces to clients)
- Rate limiting tightened (atomic KV writes, CF-Connecting-IP only)
- Security headers on all responses (HSTS, X-Content-Type-Options, X-Frame-Options)
124 tests across 15 suites. Zero regressions.
The rescan: 19,351 skills with 4 detection layers
We re-scanned the entire OpenClaw registry with the new capabilities.
The overall distribution hasn't changed much: 43.4% Trusted, 23.6% Caution, 25.0% Risky, 8.1% Dangerous. But the depth of what we find in the dangerous tier is new.
ASI distribution in dangerous skills
The OWASP Agentic Top 10 mapping reveals what kinds of threats dominate the dangerous corpus:
The standout: 93.2% of dangerous skills trigger ASI03 (Identity & Privilege Abuse). Nearly every dangerous skill in the ecosystem is accessing credentials — API keys, tokens, environment variables, credential stores — in ways that exceed what their declared permissions suggest.
The second highest, ASI04 (Supply Chain) at 45.4%, reflects the prevalence of obfuscation and runtime package installation in dangerous skills. These are the skills that download and execute code you can't audit before install.
AST findings: what regex missed
The Acorn AST analyzer found 570 confirmed findings across 318 dangerous skills (20.4%). These are code execution patterns, credential access, and network calls that the AST parser verified structurally — not just text that happens to match a regex.
In 20% of dangerous skills, the AST layer added signal that pattern matching alone would have missed or reported at lower confidence. That's the value of multi-layer detection.
VirusTotal: live threat intelligence
We scanned a sample of 200 dangerous skills through the API with VirusTotal enrichment enabled. Of the 580 URLs checked against 94+ antivirus engines:
- 154 URLs were flagged by at least one engine
- Multiple URLs flagged by 8-12 engines as malicious
- We found coordinated patterns: multiple skills from the same author routing to the same flagged endpoint
- Some flagged URLs appear in skills that present themselves as legitimate API wrappers
We'll publish detailed findings on the most concerning patterns in a follow-up post. The data is significant enough that we want to be thorough before naming specifics.
Try it yourself
Every capability described here is live on the free API. No auth needed.
curl https://api.clauwdit.4worlds.dev/audit/author/skill-name
The response now includes:
- owasp[] + owaspAsi[] on every finding
- confidence: "ast" | "pattern" | "external" on each finding
- vtEnrichment with URL-level malicious/suspicious counts
Full registry browser at clauwdit.4worlds.dev/registry.
SARIF output available via ?format=sarif for CI/CD integration.
What's next
We're publishing the npm package (@clawaudit/cli) so you can run this locally on your own projects. The GitHub Action for SARIF code scanning is ready.
And we have more findings from the VirusTotal data that deserve their own deep dive.
The agent skill ecosystem is where npm was a decade ago — fast-growing, largely unaudited, and built on trust that hasn't been earned. We're building the tools to change that.