GitOpenClaw
Sign inSign up free

gitopenclaw / security-layer / v1.0

Security scanning and runtime
monitoring for OpenClaw.

Static analysis for ClawHub skills and repositories before installation. Runtime event monitoring for active agent sessions. Immutable audit trails for incident investigation and compliance reporting.

Examples:

1,467

malicious skills in ClawHub

60+

CVEs catalogued, Q1 2026

Free

static analysis, no account required

Architecture

Three independent security layers.

Each layer operates independently. Shield runs without an account. Watch and Trace require a connected instance.

Shield

Free

Static Analysis

View docs →

Performs pattern-based static analysis on ClawHub skill URLs, GitHub repositories, and install commands. Detects malware signatures, credential file access, prompt injection patterns, hidden payloads, and unauthorized network call destinations. Returns a cryptographically signed verdict.

  • ClawHub skill URL analysis
  • GitHub repository scan
  • Install command inspection
  • Signed verdict output

Watch

Teams — $99/mo

Runtime Monitoring

View docs →

Connects to a running OpenClaw instance via the connector package. Streams tool calls, file reads, environment variable access, network requests, and process executions in real time. Issues alerts on critical events. Includes session kill switch.

  • Live agent event stream
  • Credential access alerts
  • Anomalous network detection
  • Session termination control

Trace

Business — $499/mo

Audit Trail & Forensics

View docs →

Maintains an immutable, append-only log of all monitored agent session events. Provides plain-English incident reconstruction, session replay, cross-session correlation, and SOC2-compliant export formats for compliance and legal review.

  • Append-only event log
  • Incident reconstruction
  • Cross-session correlation
  • SOC2 export format

Detection coverage

Static analysis patterns.

Shield evaluates inputs against a continuously maintained ruleset derived from active ClawHub threat intelligence, CVE disclosures, and community-reported malicious skill patterns.

View full threat database →

60+ CVEs · 1,467 malicious skills catalogued

Malicious install scripts

Shell commands piped from remote URLs execute arbitrary code without user inspection.

Credential file access

Skills that read ~/.ssh, ~/.aws/credentials, .env files, or macOS keychain entries.

Persistent background processes

Crontab entries, launchd plists, or systemd units installed by the skill without disclosure.

Obfuscated payloads

Base64-encoded strings decoded at runtime, eval() chains, and dynamically constructed commands.

Prompt injection

Hidden Unicode characters, zero-width sequences, and instruction-override patterns embedded in skill metadata.

Undisclosed network egress

Outbound requests to domains not referenced in the skill's documentation or declared dependencies.

Threat landscape · Q1 2026 · Sources: Koi Security, Cisco Talos, Bitdefender, ARMO, Conscia

1,467

Malicious skills identified in ClawHub

60+

CVEs disclosed affecting OpenClaw

135,000+

Exposed instances indexed publicly

340,000

Installs recorded before detection