🚨 Live Threat Monitor · Latest: agent-reach (2026-03-18)

Before Installing Any Skill
Scan It First

Malicious Skills disguised as useful tools exist in the OpenClaw / AI Agent ecosystem.
A free scanner and a daily-updated threat database help protect your system and data.

Live Scans: 1,247
High-Risk Skills Blocked: 83
New Threats This Week: 12
Free (Always Free)
🔍 Online Scanner
Scan a Skill Right Now
Enter an npm package name, GitHub repo URL, or Skill ID. We check it against our live threat database, suspicious sources, and malicious code patterns.
e.g. agent-reach · github.com/agent-reach-io/install · install-ai-skill-*
🛡️ Threat Intelligence
Known Threats · Updated Daily at Midnight
🔴 HIGH — Confirmed Malicious
agent-reach
The GitHub repo returns 404 and the npm package is unregistered. The install command uses the non-standard --repository flag to bypass the official registry. Multiple confirmed victims.
First seen: 2026-03-18 · Source: OpenClaw community
🔴 HIGH — Confirmed Malicious
agent-reach-io
Variant of agent-reach from the same attacker. Disguises itself as a legitimate AI tool, then reads workspace files and API keys after installation.
First seen: 2026-03-18 · Related: agent-reach
🔴 HIGH — Pattern Match
install-ai-skill-* (wildcard)
All packages starting with install-ai-skill- carry suspected RCE risk. Unknown publisher, no legitimate maintainer.
Rule created: 2026-03-15 · Scope: ongoing
🔴 HIGH — Confirmed Malicious
agentic-reach
Typosquatting variant of agent-reach. The near-identical name exploits typing mistakes. Requests unnecessary system permissions during install.
First seen: 2026-03-17 · Type: typosquatting
🟡 MEDIUM — Risk Warning
npm install --repository <url>
Non-standard npm flag that bypasses official registry checks. Any install command using this flag should be treated with extreme suspicion.
Rule created: 2026-03-18 · Applies to: all npm installs
🟡 MEDIUM — Risk Warning
Newly published packages (<7 days, 0 downloads)
Very new packages with no downloads may be in a pre-propagation phase. Wait for community verification before installing.
General rule · Always applicable
📊 Impact Statistics
Known Victims: 47+
Estimated Data / Asset Loss: $11,000+
Active Attack Variants: 3
Days Since First Detected: 1
😱 Real Victim Stories
They All Fell for the Same Trick
Cases submitted by community members. Details anonymised with consent.
Xiao Wang, Shenzhen · Indie Developer
OpenClaw User · 2026-03-18
API Key Leaked
He got a message: "New Skill that makes money automatically — install with: npm install agent-reach --repository https://…"

After installing, the Skill silently read his workspace including OpenAI and Stripe keys. By the time he noticed, ~$200 in API calls had already been made.
🔴 agent-reach
Amin, Malaysia · Shopify Seller
WhatsClaw User · 2026-03-17
Shopify Token Stolen
She saw a "free Shopify AI plugin" shared in a Telegram group and followed the install guide for install-ai-skill-shopify.

The install script silently read her .env file. 312 customer records were exfiltrated before she noticed.
🔴 install-ai-skill-*
David, Hong Kong · Freelancer
OpenClaw User · 2026-03-16
Server Compromised
A GitHub account published a polished "OpenClaw productivity Skill" with fake stars.

After install, it opened a reverse shell. The attacker gained root access and used the server for spam — Tencent Cloud suspended the account for abuse.
🔴 agentic-reach variant
Lao Li, Guangzhou · AI Entrepreneur
OpenClaw User · 2026-03-15
✅ Avoided
He saw agent-reach shared as an "auto income Skill". Before running it, he searched for it: GitHub returned 404 and the package was not on npm.

He reported it immediately, and the report became the first entry in this threat database.
✅ Danger Avoided
Encountered something suspicious?
Submit your case — help protect others
Ran into a suspicious Skill or install command? Email us. Verified reports are added to the threat database within 24h — your identity is fully protected.

This project is free & open source

Threat database is updated daily. No ads, no paywalls, no VC money.