Open Source

Contributions

We build security tools for the AI agent ecosystem and contribute them upstream. 7 PRs merged into OpenClaw (205K+ stars), 8 open-source tools published, 2,500+ lines of security code merged into projects used by millions.

7 PRs merged upstream
8 open-source tools
... all-time installs
205K+ stars on projects we secure

npm Packages

Open-source security packages for the AI agent ecosystem.

Security scanner, red team toolkit, runtime protection, and benchmarks for AI agents. 204 security checks, 115 attack payloads, auto-fix, ARP monitoring, and OASB compliance scoring.

Keeps secrets out of AI context windows. PreToolUse hooks block credential access across Claude Code, Cursor, Copilot, and Windsurf.

Lightweight agent identity library. Ed25519 identity, local audit log, capability policy, and trust scoring. No server required.

Unified entry point for the OpenA2A security platform. Routes to HackMyAgent, Secretless, AIM, and all other tools through adapters.

Upstream Contributions

Security vulnerabilities we found, reported, and fixed in major open-source projects. All 7 PRs accepted by OpenClaw maintainers — 5 merged directly, 2 adopted into shared upstream modules.

OpenClaw · 205K+ stars · Feature · Merged

Built-in Skill Security Scanner

February 6, 2026 · PR #9806 · 16 files · +1721 -94

Integrated a skill security scanner directly into OpenClaw’s skill lifecycle. Runs automatically when skills are installed or updated, blocking malicious patterns before execution.

ID         Check                               Description
SKILL-001  Unsigned Skills                     Detects skills without cryptographic signatures
SKILL-002  Remote URL Fetching                 Flags code downloads at runtime
SKILL-003  Heartbeat Installation              Identifies persistent background processes
SKILL-004  Filesystem Writes Outside Sandbox   Catches sandbox escape attempts
SKILL-005  Credential Access                   Detects API key and token harvesting
SKILL-006  Data Exfiltration                   Flags unauthorized external data transmission
OpenClaw · 205K+ stars · Security Fix · Merged

Credential Redaction in config.get Gateway Responses

February 2026 · PR #9858 · 7 files · +669 -12

The config.get WebSocket method was returning all channel credentials in plaintext to any connected client. Built a redaction layer that masks sensitive fields across all supported channels.

ID        Check                  Description
CRED-001  Telegram Bot Token     Redacts bot tokens from config responses
CRED-002  Discord API Token      Redacts Discord bot credentials
CRED-003  Slack OAuth Token      Redacts Slack workspace tokens
CRED-004  WhatsApp Auth Creds    Redacts WhatsApp authentication credentials
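The redaction layer described above, as an added example rather than OpenClaw's own code: a deny-by-default walk over a config object that masks any credential-looking key before a config.get response leaves the gateway. The key pattern, the sample config and the function names are assumptions.

```javascript
// Added example (not OpenClaw's code): redact channel credentials before a
// config object is returned to a WebSocket client. Sample config is constructed.

// Deny-by-default: any key that looks like a credential is masked, including a
// nested object such as a whole WhatsApp `creds` blob.
const SENSITIVE_KEY_RE = /token|secret|password|api[_-]?key|cred/i;
const MASK = '[redacted]';

function redactConfig(value) {
  if (Array.isArray(value)) return value.map(redactConfig);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      // Mask only when a value is actually set, so a client can still tell
      // "configured" from "missing" without ever seeing the secret itself.
      out[key] = SENSITIVE_KEY_RE.test(key) && child != null && child !== ''
        ? MASK
        : redactConfig(child);
    }
    return out; // a fresh object: the caller's config is never mutated
  }
  return value; // primitives pass through unchanged
}

// Constructed sample resembling a multi-channel gateway config.
const SAMPLE_CONFIG = {
  channels: {
    telegram: { botToken: '123456:ABC-DEF', allowedChatIds: [42] },
    discord:  { token: 'discord-bot-token', guildId: '987' },
    slack:    { oauthToken: 'xoxb-111', signingSecret: 'abc', channel: '#ops' },
    whatsapp: { creds: { noiseKey: 'nk', me: { id: '1@s.whatsapp.net' } } },
  },
  gateway: { port: 8080 },
};

// What a hardened config.get handler would hand to a connected client.
function configGetResponse(config = SAMPLE_CONFIG) {
  return redactConfig(config);
}
```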
OpenClaw · 205K+ stars · Security Fix · Merged

TOCTOU Path Traversal Fix in A2UI File Serving

February 2026 · PR #10525 · 3 files · +126 -36

The A2UI file serving endpoint used a two-step lstat + realpath check that is vulnerable to time-of-check/time-of-use (TOCTOU) races: an attacker could swap a symlink between the check and the read to traverse outside the served directory. Replaced the two-step check with an atomic openFileWithinRoot helper.

ID        Check                     Description
PATH-001  Symlink Race Condition    Eliminates TOCTOU window between check and read
PATH-002  Directory Traversal       Prevents filesystem escape via symlink swap
OpenClaw · 205K+ stars · Security Fix · Merged

World-Readable WhatsApp Credentials

February 2026 · PR #10529 · 3 files · +16 -0

The WhatsApp channel adapter was writing creds.json with default 0644 permissions, making credentials readable by any user on the system. Added chmodSync 0o600 to all 3 write paths to restrict access to the file owner only.

ID        Check                          Description
PERM-001  File Permission Enforcement    Restricts credential files to owner-only (0600)
PERM-002  Write Path Coverage            Applied to all 3 credential write locations
OpenClaw · 205K+ stars · Security Fix · Adopted by Upstream

Timing Side-Channel in Hook Token Authentication

February 2026 · PR #10527

Hook token authentication used standard string comparison (===), which leaks token length and character values through timing differences. Proposed replacing with crypto.timingSafeEqual. The maintainers adopted the fix into a shared safeEqualSecret utility applied across all authentication paths.

ID        Check                       Description
TIME-001  Constant-Time Comparison    Replaces === with crypto.timingSafeEqual
TIME-002  Project-Wide Adoption       Upstream generalized fix into shared utility module
OpenClaw · 205K+ stars · Security Fix · Adopted by Upstream

npm Lifecycle Script Attacks During Plugin Installation

February 2026 · PR #10528

Plugin and hook installation ran npm install without the --ignore-scripts flag, allowing malicious packages to execute arbitrary code during install via preinstall/postinstall lifecycle scripts. The maintainers adopted this fix into a shared installPackageDir utility, ensuring all npm install invocations now use --ignore-scripts by default.

ID       Check                          Description
NPM-001  Lifecycle Script Blocking      Adds --ignore-scripts to all npm install calls
NPM-002  Centralized Install Utility    Upstream consolidated all install paths through one safe function
HackMyAgent · Security Scanner · Released in v0.4.0

CVE-2026-25253 Automated Detection

February 5, 2026

First automated scanner to detect CVE-2026-25253 (CVSS 8.8), the OpenClaw WebSocket hijacking vulnerability exploited in the ClawHavoc campaign. Added 13 new checks bringing the total to 187.

ID          Check                             Description
CVE-001     Vulnerable OpenClaw Version       Detects unpatched OpenClaw installations
CVE-002     Control UI Origin Restrictions    Checks WebSocket origin validation
SUPPLY-005  C2 Infrastructure                 Detects known command-and-control endpoints
SUPPLY-006  Malware Payload Filenames         Identifies known malicious file patterns