"The process essentially entails creating a unique SHA-256 hash for every skill and cross checking it against VirusTotal's database for a match. If it's not found, the skill bundle is uploaded to the malware scanning tool for further analysis using VirusTotal Code Insight. Skills that have a "benign" Code Insight verdict are automatically approved by ClawHub, while those marked suspicious are flagged with a warning."
"OpenClaw maintainers also cautioned that VirusTotal scanning is "not a silver bullet" and that there is a possibility that some malicious skills that use a cleverly concealed prompt injection payload may slip through the cracks. In addition to the VirusTotal partnership, the platform is expected to publish a comprehensive threat model, public security roadmap, formal security reporting process, as well as details about the security audit of its entire codebase."
OpenClaw partnered with Google-owned VirusTotal to scan skills uploaded to ClawHub using VirusTotal threat intelligence and Code Insight. Each skill receives a unique SHA-256 hash that is checked against VirusTotal's database; unknown bundles are uploaded for Code Insight analysis. Skills judged benign are auto-approved, suspicious skills receive warnings, and malicious skills are blocked from download. All active skills are re-scanned daily to detect changes. Maintainors warned that VirusTotal is not a foolproof solution. The platform plans to publish a threat model, security roadmap, reporting process, and codebase audit details.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]