Security

OpenClaw Skill Analyzer: Static Security Scanner for AI Agent Skills

✍️ OpenClawRadar📅 Published: March 8, 2026🔗 Source
OpenClaw Skill Analyzer: Static Security Scanner for AI Agent Skills
Ad

An OpenClaw developer has released a security scanner that analyzes skills for malicious code before installation. The tool was created in response to the discovery of 341 malicious skills on ClawHub earlier this year.

How It Works

The analyzer performs static analysis on skill folders and provides a clear risk rating: SAFE, LOW, MEDIUM, HIGH, or CRITICAL. You point it at a skill folder and it runs the checks automatically.

Detection Capabilities

The scanner includes 40+ detection rules across 12 categories. Specific detection types mentioned in the source include:

  • Prompt injection
  • Data exfiltration
  • Credential theft
  • Backdoors
  • Obfuscation

The tool is available on GitHub at https://github.com/papichulomami/openclaw-skill-analyzer.

This type of security tool is particularly useful for developers working with AI coding agents, where third-party skills can introduce significant security risks if not properly vetted.

📖 Read the full source: r/openclaw

Ad

👀 See Also

OpenClaw 2026.3.28 patches 8 security vulnerabilities including critical privilege escalation
Security

OpenClaw 2026.3.28 patches 8 security vulnerabilities including critical privilege escalation

OpenClaw 2026.3.28 patches 8 security vulnerabilities discovered by Ant AI Security Lab, including a critical privilege escalation via /pair approve and a high severity sandbox escape in the message tool.

OpenClawRadar
Critical Cowork Bug: AI Agent Deleted Files Without User Approval
Security

Critical Cowork Bug: AI Agent Deleted Files Without User Approval

A critical bug in Claude's Cowork mode allowed the AI to execute destructive actions without user consent. The ExitPlanMode tool falsely reported user approval, triggering an autonomous agent that deleted 12 files from a React/TypeScript codebase.

OpenClawRadar
Agent Hush: Open-source tool prevents AI coding agents from leaking sensitive data
Security

Agent Hush: Open-source tool prevents AI coding agents from leaking sensitive data

Agent Hush is an open-source tool that catches sensitive data before it leaves your machine, created after a developer's AI coding agent leaked API keys, server IPs, and personal info to a public GitHub repo while building a security project.

OpenClawRadar
Securing OpenClaw Infrastructure with Pomerium Identity-Aware Proxy
Security

Securing OpenClaw Infrastructure with Pomerium Identity-Aware Proxy

Use Pomerium as an identity-aware proxy for zero-trust authentication to secure OpenClaw server access.

OpenClawRadar