OpenClaw partnered with Google-owned VirusTotal to scan skills uploaded to ClawHub using VirusTotal threat intelligence and Code Insight. Each skill receives a unique SHA-256 hash that is checked against VirusTotal's database; unknown bundles are uploaded for Code Insight analysis. Skills judged benign are auto-approved, suspicious skills receive warnings, and malicious skills are blocked from download. All active skills are re-scanned daily to detect changes. Maintainors warned that VirusTotal is not a foolproof solution. The platform plans to publish a threat model, security roadmap, reporting process, and codebase audit details.
"The process essentially entails creating a unique SHA-256 hash for every skill and cross checking it against VirusTotal's database for a match. If it's not found, the skill bundle is uploaded to the malware scanning tool for further analysis using VirusTotal Code Insight. Skills that have a "benign" Code Insight verdict are automatically approved by ClawHub, while those marked suspicious are flagged with a warning."
"OpenClaw maintainers also cautioned that VirusTotal scanning is "not a silver bullet" and that there is a possibility that some malicious skills that use a cleverly concealed prompt injection payload may slip through the cracks. In addition to the VirusTotal partnership, the platform is expected to publish a comprehensive threat model, public security roadmap, formal security reporting process, as well as details about the security audit of its entire codebase."
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]