Tags: openclaw, security, supply-chain, hackmyagent, open-source

OpenClaw Merges Built-In Skill Security Scanner

OpenA2A Team

TL;DR: OpenClaw now has built-in skill security scanning. PR #9806 merged 1,721 lines of code that detect malicious patterns in skills before they can compromise your system. The scanner runs automatically when skills are installed or updated.

What Happened

We submitted a pull request to the OpenClaw repository (169K GitHub stars) adding a code safety scanner to its skill/plugin system. The PR was reviewed and merged by George Pickett (grp06) on February 6, 2026.

PR #9806 in openclaw/openclaw: merged. 16 files changed, +1,721 additions, -94 deletions.

The scanner integrates directly into OpenClaw's skill lifecycle. It runs automatically when skills are installed or updated, blocking anything that matches known malicious patterns before the skill can execute.

What It Detects

The scanner implements 6 check categories, each targeting a specific class of malicious behavior observed in the wild:

SKILL-001: Unsigned Skills

Detects skills without a cryptographic signature. Unsigned skills have no verified provenance, making it impossible to confirm who authored them or whether they have been tampered with after publication.

SKILL-002: Remote URL Fetching

Flags skills that download and execute external code at runtime. This pattern allows attackers to serve benign code during review and swap in malicious payloads post-approval.

SKILL-003: Heartbeat Installation

Identifies skills that install persistent background processes. These heartbeats run on intervals and can maintain backdoor access, exfiltrate data over time, or re-infect after cleanup.

SKILL-004: Filesystem Writes Outside Sandbox

Catches skills attempting to write files outside their designated sandbox directory. Sandbox escapes enable persistence mechanisms, configuration tampering, and arbitrary file creation.

SKILL-005: Credential Access

Detects skills that read API keys, authentication tokens, SSH keys, or other credential material. This was the primary objective of the ClawHavoc campaign — 341 malicious skills harvesting credentials from compromised hosts.

SKILL-006: Data Exfiltration

Flags skills that transmit data to external services via HTTP requests, webhooks, or DNS tunneling. Exfiltration is the final stage of most supply chain attacks — this check catches the data leaving the system.

Why This Matters

The skill supply chain is the largest attack surface in the AI agent ecosystem. The numbers below support this:

  • 341: malicious skills planted on ClawHub during the ClawHavoc campaign over a 6-month period
  • GHSA-g8p2: a 1-click RCE vulnerability via WebSocket hijacking that required no user interaction beyond a page load
  • 97,013: internet-facing hosts found in our scan, 1,594 of them confirmed vulnerable
  • 1,190: hosts with exposed CLAUDE.md files readable by anyone, 645 of them with MCP tools exposed

Until now, OpenClaw had no built-in mechanism to inspect skill code before execution. Users installed skills from ClawHub on trust alone. This PR changes that — every skill is now scanned against known malicious patterns before it can run.

For a project with 169K GitHub stars, this is a meaningful security improvement that protects a large portion of the AI agent user base.

For Comprehensive Scanning

The built-in scanner covers skill-level checks. For a full security assessment, including network exposure, credential detection, OASB-1 benchmark compliance, and attack simulation, use HackMyAgent:

# OpenClaw-specific security scan (34 checks)
npx hackmyagent secure-openclaw

# Attack simulation with 55 payloads
npx hackmyagent attack <endpoint>

# OASB-1 benchmark compliance check
npx hackmyagent secure --benchmark oasb-1

The built-in scanner and HackMyAgent are complementary. The built-in scanner prevents malicious skills from being installed. HackMyAgent scans your entire installation for gateway misconfigurations, credential exposure, network attack surface, and compliance against the OASB benchmark.

Built-In Scanner (PR #9806)

  • Runs at skill install/update time
  • 6 check categories
  • Blocks malicious skills before execution
  • Zero configuration required

HackMyAgent

  • 34 OpenClaw-specific checks
  • Gateway, config, supply chain scanning
  • Auto-remediation with rollback
  • OASB-1 benchmark compliance

What's Next

The skill scanner is one component of a broader effort to establish security standards for AI agents. Here is what we are working on next:

OASB-2: MCP Server Hardening

Security benchmark specification for MCP server configurations. Covers authentication, transport security, input validation, and capability restrictions.

OASB-3: OpenClaw Security

Dedicated benchmark specification for OpenClaw deployments. Includes skill vetting, gateway hardening, heartbeat security, and supply chain integrity checks.

Custom Payload Support

Allow security teams to define their own detection rules and attack payloads for organization-specific threat models.

CI/CD Integration

First-class support for --fail-on-vulnerable exit codes, SARIF output, and GitHub Actions integration for automated security gates in deployment pipelines.
