Openclaw Security

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a legitimate security orchestrator, but it can bulk install/update other skills and run broad automated countermeasures without clearly documented safeguards.

Before installing, verify the companion tools and ClawHub source, avoid unreviewed latest-version updates in important workspaces, back up the workspace, and do not run the Pro `protect` sweep unless you understand and approve the specific remediation actions it may take.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised, replaced, or unexpectedly changed upstream skill could be installed into the user's workspace and later executed by the orchestrator.

Why it was flagged

The skill is designed to bulk install and update other agent skills from a remote registry, including mutable latest-version updates, with no visible pinning or review checkpoint in the provided instructions.

Skill content

Installs all 11 free security skills from ClawHub. ... Updates all installed security skills to latest versions via ClawHub.

Recommendation

Verify the source of each installed tool, prefer pinned versions or hashes where possible, and review updates before applying them to an important workspace.

Concern

High Confidence

ASI08: Cascading Failures

What this means

A false positive or misconfiguration could cause broad changes such as quarantining files, revoking permissions, blocking network access, rotating credentials, or modifying policy across the workspace.

Why it was flagged

The Pro protection sweep can trigger many high-impact actions across multiple tools from one command, but the artifacts do not describe containment controls, confirmation prompts, or per-tool scoping.

Skill content

Runs automated countermeasures across all installed Pro tools. ... Restore, rollback, quarantine ... Revoke, enforce ... Block, allowlist ... Fix, rotate ... Contain, remediate

Recommendation

Run protection actions only after reviewing scan results, use backups, and require explicit per-action approval for remediation in production or important workspaces.

What this means

The behavior of this skill depends on the behavior and integrity of the other installed security tools.

Why it was flagged

The orchestrator runs Python scripts belonging to other installed security skills inside the target workspace. This is central to the skill's purpose, but it grants those tools local execution in that workspace.

Skill content

cmd = [python, str(script)] + args + ws_args ... subprocess.run(cmd, capture_output=capture, text=True, timeout=60, cwd=str(workspace))

Recommendation

Install only trusted companion tools and review their permissions before running full scans or protection workflows.

What this means

Workspace secrets or credential references may be scanned, and Pro remediation could affect credential availability if used.

Why it was flagged

The suite is meant to inspect credential exposure and may orchestrate credential lifecycle actions in Pro tooling. That is purpose-aligned for a security product, but it touches sensitive identity material.

Skill content

secret detection ... credentials ... credential exposure ... vault | Credential lifecycle | Audit | Fix, rotate

Recommendation

Use it only in workspaces where credential scanning is acceptable, and review any credential-rotation or remediation action before applying it.

What this means

Future security results may be less useful if the initial baseline or policy is created from an untrusted state.

Why it was flagged

The setup step creates persistent trust and audit state that future scans may rely on. If initialized from an already-compromised workspace, that state could normalize bad files or policies.

Skill content

Initializes all tools that need it: integrity baseline, skill signing, audit ledger, compliance policy.

Recommendation

Run setup only after a manual review or clean checkout, and keep backups of baseline, signing, ledger, and policy files.