Clawned - Protect your OpenClaw Instance and Scan Skills

Security agent that inventories installed OpenClaw skills, analyzes them for threats, and syncs results to your Clawned dashboard.

Audits

Suspicious

ClawScanSuspicious

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install clawned

Clawned — Security Agent for OpenClaw

Automatically discovers all installed skills, analyzes them for security threats, and syncs results to your Clawned dashboard.

Setup

Configure your API key in openclaw.json:

{
  "skills": {
    "entries": {
      "clawned": {
        "enabled": true,
        "env": {
          "CLAWNED_API_KEY": "cg_your_api_key_here",
          "CLAWNED_SERVER": "https://api.clawned.io"
        }
      }
    }
  }
}

Commands

Sync all installed skills to dashboard

python3 {baseDir}/scripts/agent.py sync

Scan a single skill locally

python3 {baseDir}/scripts/agent.py scan --path <skill-directory>

List all discovered skills

python3 {baseDir}/scripts/agent.py inventory

Check agent status

python3 {baseDir}/scripts/agent.py status

Data & Privacy

During sync (default operation):

Sends only skill metadata: name, owner, slug, version
No file contents are uploaded
No .env files or secrets are ever read

During scan --path (explicit user action only):

Reads source files (.md, .py, .js, etc.) from the specified skill directory for analysis
.env files are excluded from scanning
File contents are sent to the Clawned server for security analysis

Local config access:

Reads ~/.openclaw/openclaw.json only to locate skill directories (extraDirs paths)
No credentials or secrets are read from config files

Automatic Sync

Schedule every 6 hours via OpenClaw cron:

{
  "jobs": [
    {
      "schedule": "0 */6 * * *",
      "command": "Run clawned sync to check all installed skills",
      "description": "Security scan every 6 hours"
    }
  ]
}