Open Source

Contributions

Published packages, upstream patches, and security tooling contributed to the open-source ecosystem.

npm Packages

Open-source security packages published under @opena2a and standalone names.

hackmyagent

Security scanner and red team toolkit for AI agents. 147+ checks, attack mode, auto-fix with rollback.

README|GitHub
hackmyagent-core

Core security scanning library. Reusable engine for building custom security checks and integrations.

README|GitHub
secretless-ai

Keeps secrets out of AI context windows. PreToolUse hooks block credential access across Claude Code, Cursor, Copilot, and Windsurf.

README|GitHub
@opena2a/plugin-core

Shared plugin interface and registry for OpenA2A security plugins. Defines the contract all plugins implement.

README|GitHub
@opena2a/signcrypt-openclaw

Configuration integrity for OpenClaw bots. Ed25519 signing, DNS publisher verification, heartbeat expiry enforcement.

README|GitHub
@opena2a/aim-core

Lightweight agent identity library. Ed25519 identity, local audit log, capability policy, and trust scoring. No server required.

README|GitHub
@opena2a/skillguard-openclaw

Skill integrity for OpenClaw bots. Hash pinning, filesystem watcher, sandbox enforcement, tamper detection.

README|GitHub
@opena2a/credvault-openclaw

Credential protection for OpenClaw bots. Encrypted local store, environment variable resolution, per-skill isolation.

README|GitHub
@opena2a/semantic-engine

Semantic analysis engine for AI agent security scanning. Powers the detection logic behind HackMyAgent checks.

README|GitHub

Upstream Contributions

Patches and tooling merged into external open-source projects.

OpenClaw169K starsFeatureMerged

Built-in Skill Security Scanner

February 6, 2026PR #980616 files · +1721 -94

Integrated a skill security scanner directly into OpenClaw’s skill lifecycle. Runs automatically when skills are installed or updated, blocking malicious patterns before execution.

ID
Check
SKILL-001
Unsigned SkillsDetects skills without cryptographic signatures
SKILL-002
Remote URL FetchingFlags code downloads at runtime
SKILL-003
Heartbeat InstallationIdentifies persistent background processes
SKILL-004
Filesystem Writes Outside SandboxCatches sandbox escape attempts
SKILL-005
Credential AccessDetects API key and token harvesting
SKILL-006
Data ExfiltrationFlags unauthorized external data transmission
Read the full write-up
HackMyAgentSecurity ScannerReleased in v0.4.0

CVE-2026-25253 Automated Detection

February 5, 2026

First automated scanner to detect CVE-2026-25253 (CVSS 8.8), the OpenClaw WebSocket hijacking vulnerability exploited in the ClawHavoc campaign. Added 13 new checks bringing the total to 147+.

ID
Check
CVE-001
Vulnerable OpenClaw VersionDetects unpatched OpenClaw installations
CVE-002
Control UI Origin RestrictionsChecks WebSocket origin validation
SUPPLY-005
C2 InfrastructureDetects known command-and-control endpoints
SUPPLY-006
Malware Payload FilenamesIdentifies known malicious file patterns
Read the full write-up