OASB
v1.0
Originally published on opena2a.org
#openclaw#security#open-source

OpenClaw Merges Built-In Skill Security Scanner

OpenA2A Team||5 min read

TL;DR: OpenClaw now has built-in skill security scanning. PR #9806 merged 1,721 lines of code that detect malicious patterns in skills before they can execute. The scanner runs automatically on skill install and update.

What Happened

PR #9806 added a code safety scanner to OpenClaw's skill/plugin system. The change spans 16 files with 1,721 additions and 94 deletions. OpenClaw has 169K stars on GitHub, making this one of the most widely deployed agent security features to date.

The scanner integrates directly into the skill lifecycle. It runs automatically when a skill is installed or updated, blocking execution of any skill that matches known malicious patterns. No manual configuration required.

What It Detects

The built-in scanner implements 6 checks targeting the most common skill-based attack patterns:

SKILL-001

Unsigned Skills

Flags skills that lack cryptographic signatures, preventing execution of unverified code from unknown sources.

SKILL-002

Remote URL Fetching

Detects skills that fetch and execute remote code at runtime, a common pattern in supply chain attacks and payload staging.

SKILL-003

Heartbeat Installation

Identifies skills that install persistent scheduled tasks or background processes, used for maintaining backdoor access.

SKILL-004

Filesystem Writes Outside Sandbox

Catches skills attempting to write files outside their designated sandbox directory, preventing unauthorized system modification.

SKILL-005

Credential Access

Detects patterns that read SSH keys, AWS credentials, environment variables, or other sensitive credential stores.

SKILL-006

Data Exfiltration

Flags skills that send collected data to external endpoints via webhooks, DNS tunneling, or encoded HTTP requests.

Why This Matters

The OpenClaw skill ecosystem has been a target for coordinated attacks. The data that motivated this PR:

341Malicious skills identified in ClawHavoc campaign
GHSA-g8p21-click RCE via WebSocket hijacking
97,013Internet-facing hosts scanned
1,594Confirmed vulnerable installations
1,190Exposed CLAUDE.md configuration files
645Exposed MCP tool endpoints

Built-in scanning addresses the most immediate attack vector -- malicious skills -- directly at the point of installation, before any code runs.

Full Security Scanning

The built-in scanner covers skill-level checks. For a complete security assessment of your OpenClaw installation -- including gateway configuration, supply chain integrity, heartbeat abuse, and attack simulation -- use HackMyAgent:

# Full OpenClaw security scan (34 checks)
npx hackmyagent secure-openclaw

# Active attack simulation
npx hackmyagent attack <endpoint>

# Benchmark against OASB-1 standard
npx hackmyagent secure --benchmark oasb-1

HackMyAgent's secure-openclaw command runs 34 checks across 5 categories (SKILL, HEARTBEAT, GATEWAY, CONFIG, SUPPLY), compared to the 6 skill-focused checks in the built-in scanner. The two are complementary: built-in scanning catches known bad patterns at install time, while HackMyAgent provides depth and breadth for ongoing security posture assessment.

What's Next

This PR establishes the foundation for skill security in OpenClaw. The roadmap includes:

  • OASB-2 and OASB-3 specifications -- Expanding the benchmark to cover runtime monitoring and inter-agent trust
  • Custom payload definitions -- Allowing organizations to define their own detection rules
  • CI/CD gate integration -- Blocking deployment of agents that fail security checks

Scan Your OpenClaw Installation

34 security checks beyond the built-in scanner. One command. Free and open source.

npx hackmyagent secure-openclawView on GitHub