I Ran SkillCompass on the Top 100 ClawHub Skills: Here's What I Found

via Dev.to, John Smith

TL;DR:

- One CRITICAL command injection flaw
- A supply-chain prompt injection risk
- ~199,000 installs exposed to documented vulnerabilities
- The most popular skill in the ecosystem has a near-failing score

Last week I wrote about why I built SkillCompass — the measurement problem at the core of AI agent skill development, and why tweaking descriptions when the real bug is in D4 (Functional) sends you in circles. The launch got more traction than I expected: 40 GitHub stars and 420 downloads on ClawHub in the first four days, which told me the frustration was widely shared.

The obvious next question: if individual skills fail silently, what does the ecosystem look like at scale? The timing felt right to ask it. OpenClaw's founder put it well when he launched on March 22nd: "With ClawHub enabled, the agent can search for skills automatically and pull in new ones as needed." That's powerful, and it means the registry's quality floor becomes your agent's quality floor. Until now, no one had l
