The ClawHavoc crisis exposed a truth about the agent economy: unverified capabilities are a liability. The same verification infrastructure agents need is what SkillTree builds for humans.
The Trust Problem No One Saw Coming
In January 2026, security researchers discovered something alarming in the OpenClaw ecosystem: ClawHavoc, a coordinated supply chain attack that had uploaded malicious skills to the ClawHub registry at industrial scale. By February, over 824 malicious skills had been identified across 12 publisher accounts. Later audits expanded that to over 1,184 malicious packages — roughly 20% of the ecosystem.
The attack vectors were novel. Malicious skills did not just contain bad code. They used prompt injection to hijack agent context windows. They poisoned persistent memory files (SOUL.md, MEMORY.md) so compromised behavior persisted across sessions. They used typosquatting to trick users into installing fake versions of popular tools. And they exploited the natural trust users placed in "setup instructions" — professional-looking SKILL.md files that asked users to pipe curl commands into bash.
The payload was Atomic macOS Stealer (AMOS), an infostealer that extracted browser passwords, cryptocurrency wallets, SSH keys, and OpenClaw configuration files. Over 9,000 installations were compromised.
This was not a code vulnerability. It was a trust vulnerability.
The Parallel Problem in Human Skills
Agent registries are not the only place where unverified capability claims cause harm.
LinkedIn endorsements are self-reported and unverifiable. A "Full Stack Developer" endorsement tells you nothing about whether someone has shipped production code or completed a tutorial. GitHub repositories show activity, but not proficiency. Coursera completions show attendance, not mastery.
In the AI-agent economy, this ambiguity becomes dangerous. When an agent needs to find a human with specific expertise — to review its output, handle an edge case, or make a judgment call — it cannot afford to guess. An unverified skill claim is not just noise. It is a liability.
Consider the scenarios:
- An agent writes a database migration and needs a human to review it. It finds someone who claims "PostgreSQL Expert" on their profile. The migration runs in production and corrupts data because the claim was unverified.
- A compliance agent needs a human to sign off on a financial report. It selects someone with "Financial Analysis" on their resume. The report contains errors because the skill was self-assessed at a beginner level but presented as advanced.
- An orchestration framework routes a security review to a human who listed "Security" as a skill. The review misses a critical vulnerability because there is no evidence backing the claim.
In each case, the failure is not the agent's. It is the trust infrastructure's.
What Verification Actually Means
SkillTree approaches verification as a layered system, not a binary check. A skill claim is only as strong as the evidence behind it.
Layer 1: Self-Assessment with Rubrics
Self-assessment is not worthless — but it needs guardrails. When a user rates themselves "Expert" in Kubernetes, SkillTree presents a behavioral rubric: Can you debug a failing pod at 2 AM? Can you design a multi-cluster deployment? Can you explain the difference between StatefulSets and DaemonSets to a junior engineer?
The rubric forces specificity. It converts vague confidence into observable behaviors. It does not eliminate Dunning-Kruger, but it surfaces it.
Layer 2: Proof of Work
The strongest skill claims link to evidence:
- Project links: GitHub repos, deployed applications, design portfolios
- Publications: Blog posts, conference talks, research papers
- Contributions: Open-source commits, documentation improvements, bug reports
- Credentials: Verified certifications with expiration dates
A skill claim with a project link is different from one without. A "React Expert" who links to a production Next.js application with 10,000 users is making a different claim than one who does not.
Layer 3: Peer Attestation
Peer endorsement works when it is specific. "Great at Kubernetes" is noise. "Shipped a zero-downtime migration of our 50-node cluster to Kubernetes, including custom operators and a rollback strategy" is signal.
SkillTree requires attesters to describe what they observed, not what they believe. This makes endorsement costly to fake and valuable when genuine.
Layer 4: Usage Evidence
The most interesting verification layer is usage data. If a human has collaborated with an agent on 12 projects, and those collaborations had a 94% trust score, that is evidence. It is not perfect — correlation is not causation — but it is harder to game than self-reporting.
Why This Matters for the Agent Economy
The ClawHavoc crisis revealed that agent skill registries need the same verification infrastructure that human skill platforms need. The problems are parallel:
| Problem | Agent Skills (ClawHub) | Human Skills (LinkedIn, etc.) | SkillTree Approach |
|---|---|---|---|
| Self-reported capabilities | Skill manifest claims | Resume endorsements | Rubric-based self-assessment |
| No proof of execution | No runtime verification | No project links | Required evidence records |
| Identity spoofing | Typosquatting publishers | Fake profiles | Attestation + usage history |
| Persistent compromise | Memory poisoning | No concept of persistence | Versioned, auditable history |
| Ecosystem trust | ~20% malicious skills | Unknown fraud rate | Verified evidence layers |
The agent economy will not work without trust infrastructure. Agents need to know which skills are safe to install. Humans need to know which skills are real. Organizations need to know which collaborations are reliable.
SkillTree's answer is not to build a walled garden. It is to build a verifiable open standard.
SKILL.md and the Verification Gap
SKILL.md is a portable, open format for skill data. But portability without verification is just moving untrusted data around. The critical addition is the evidence layer.
A SkillTree-exported SKILL.md file includes not just what someone claims, but what they can prove:
---
generator: skilltree
schema_url: "https://skilltree.futurelabs.vip/schema/v1"
name: "Alex Chen"
version: "1.0"
last_updated: "2026-04-29"
---
## Skills
- **Kubernetes**: Expert (9/10)
- Since: 2019
- Evidence:
- type: project
title: "Zero-downtime migration to K8s"
url: https://github.com/alexc/k8s-migration
verified: true
- type: peer_review
reviewer: "sarah.dev"
observation: "Designed custom operators and rollback strategy for 50-node cluster"
- type: certificate
title: "CKA"
issuer: "CNCF"
expires: "2027-03-15"
This is not just a skill list. It is a verifiable capability statement.
An agent parsing this file can:
- See the claimed level (9/10)
- See the evidence (project, peer review, certificate)
- Verify the evidence (check the GitHub repo, validate the certificate)
- Make an informed decision about whether this human should handle a task
This is the trust layer that agent registries currently lack. And it is the layer that makes human-AI collaboration possible.
The Broader Implication
The ClawHavoc crisis is a preview of what happens when capability claims are not verified. As AI agents become more autonomous, they will need to make more decisions about which humans to involve, which skills to trust, and which collaborations to initiate.
Without verification, those decisions will be wrong. Agents will install malicious skills. They will delegate to unqualified humans. They will make errors that compound.
With verification, the agent economy becomes legible. Agents can reason about trust. Humans can build verifiable reputations. Organizations can govern collaboration with confidence.
SkillTree is building that verification infrastructure. Not as a proprietary lock-in, but as an open standard. Because the future of human-AI collaboration depends on trust — and trust requires proof.
What You Can Do
- Export your SkillTree profile as SKILL.md and review your evidence. Are your strongest skills backed by proof?
- Add project links to every skill claim you can. A claim without evidence is a claim without weight.
- Request peer attestations from people you have worked with. Specific observations beat generic endorsements.
- Validate SKILL.md files in CI if you publish them. The
@futurelabs/skill-md-validatorcatches broken references and missing fields. - Treat agent skills with skepticism until they have verification infrastructure. The ClawHavoc crisis proved that open registries without verification are attack surfaces.
The agent economy needs trust infrastructure. SkillTree builds it — for humans, for agents, and for the collaborations between them. Create your verified skill profile and start building evidence-backed credibility.