[{"data":1,"prerenderedAt":1684},["ShallowReactive",2],{"blog-post-openclaw-plugin-security-clawhub-sha256-verification":3,"related-posts-openclaw-plugin-security-clawhub-sha256-verification":379},{"id":4,"title":5,"author":6,"body":10,"category":358,"date":359,"description":360,"extension":361,"featured":362,"image":363,"meta":364,"navigation":365,"path":366,"readingTime":367,"seo":368,"seoTitle":369,"stem":370,"tags":371,"updatedDate":359,"__hash__":378},"blog/blog/openclaw-plugin-security-clawhub-sha256-verification.md","OpenClaw Plugin Security: What the ClawHub SHA-256 Verification Means for You",{"name":7,"role":8,"avatar":9},"Shabnam Katoch","Growth Head","/img/avatars/shabnam-profile.jpeg",{"type":11,"value":12,"toc":344},"minimark",[13,20,23,26,29,32,35,40,43,46,49,52,55,58,61,65,68,77,80,83,86,90,93,100,106,112,115,118,126,133,137,140,143,146,149,152,156,159,162,165,168,176,180,188,191,199,202,208,212,215,223,226,229,233,236,239,242,252,255,259,264,267,272,280,285,288,293,296,301,304,308],[14,15,16],"p",{},[17,18,19],"em",{},"A 64-character fingerprint, the ClawHavoc fallout, and why the next skill you install is finally something you can verify.",[14,21,22],{},"A developer I know installed an OpenClaw skill that worked perfectly for three weeks.",[14,24,25],{},"Then it stopped working perfectly.",[14,27,28],{},"It still ran. It still did what its README said it did. But somewhere in a silent update he hadn't approved, it had started doing one extra thing on the side: quietly sending certain payloads to an endpoint that wasn't his.",[14,30,31],{},"He's not alone. Cisco's research team published a case where a third-party skill exfiltrated data without the user's awareness. CrowdStrike put out a security advisory on OpenClaw enterprise risks. And the ClawHavoc campaign turned out to have placed 824+ malicious skills on ClawHub, somewhere around 20% of the registry at the time.",[14,33,34],{},"The thing that breaks this whole class of attack? 
SHA-256 verification. And ClawHub now has it.",[36,37,39],"h2",{"id":38},"what-sha-256-verification-actually-is-in-plain-english","What SHA-256 verification actually is, in plain English",[14,41,42],{},"You don't need to be a cryptographer for this. The concept is simpler than the name.",[14,44,45],{},"A SHA-256 hash is a 64-character fingerprint of a file (32 bytes, written out as hexadecimal). Run any file through the SHA-256 algorithm and you get back a string that is, for all practical purposes, unique to that exact content. Change a single byte in that file (a comma, a space, anything) and the entire fingerprint changes completely.",[14,47,48],{},"That's the whole trick.",[14,50,51],{},"When ClawHub publishes a skill archive, it also publishes the hash of that archive. When you download the skill, your client computes the hash on its own. If the two match, you're holding exactly the bytes the published hash was computed over. If they don't, something changed somewhere between the publisher and you.",[14,53,54],{},"It's like buying a sealed package. The shrink wrap doesn't tell you what's inside. It tells you nobody opened the box on the way to your door.",[14,56,57],{},"SHA-256 verification doesn't tell you a skill is good. It tells you the skill is the same one the publisher put up.",[14,59,60],{},"That distinction matters more than people realize.",[36,62,64],{"id":63},"why-this-matters-more-than-any-feature-clawhub-has-shipped","Why this matters more than any feature ClawHub has shipped",[14,66,67],{},"The OpenClaw skill ecosystem has scaled fast. The npm package alone is hitting 1.27M weekly downloads. The skill registry has thousands of contributors. Most of them are good actors.",[14,69,70,71,76],{},"But ",[72,73,75],"a",{"href":74},"/blog/clawhub-skills-directory","the ClawHub skills directory"," has had real, documented compromises. The ClawHavoc campaign is the most visible case. 824+ malicious skills. Real users running them. Real data flowing out.",[14,78,79],{},"Most of those weren't planted by villains writing villainous code from day one. 
Some of them were legitimate skills whose maintainers were socially engineered, had their accounts compromised, or sold the project to someone who then pushed tampered versions to existing users.",[14,81,82],{},"The skill name stayed the same. The README stayed the same. The hash didn't.",[14,84,85],{},"That's the exact gap SHA-256 verification closes.",[36,87,89],{"id":88},"the-three-attacks-it-actually-kills","The three attacks it actually kills",[14,91,92],{},"Let me be specific about what changes when verification is in place. There are three attack scenarios it stops cold.",[14,94,95,99],{},[96,97,98],"strong",{},"Man-in-the-middle tampering."," Someone intercepts your skill download (compromised CDN, hijacked DNS, malicious proxy) and swaps the archive for a tampered version. Without hash verification, you'd never know. With it, the hash mismatch fires immediately and the install fails. The one condition: the expected hash has to reach you over a channel the attacker doesn't control (the registry listing over TLS, or a hash you pinned earlier), not as a sidecar file fetched over the same hijacked path as the archive.",[14,101,102,105],{},[96,103,104],{},"Silent maintainer compromise."," A maintainer's account gets compromised. The attacker pushes a new version of an existing trusted skill with a backdoor added. If you're auto-updating without verification, you ship that backdoor to production. With verification plus pinned hashes, you can require explicit re-verification before any version change.",[14,107,108,111],{},[96,109,110],{},"Registry-level corruption."," Even ClawHub itself, if breached, can't quietly modify an existing archive without changing its hash. That only helps if the hash also lives somewhere the registry can't rewrite: pinned in your lockfile, recorded from a previous install, or mirrored by someone else. A registry that serves both the archive and the hash can replace both; a pinned hash turns that swap into a visible mismatch.",[14,113,114],{},"What it doesn't protect against is also worth saying out loud.",[14,116,117],{},"It doesn't make a malicious skill safe. If a publisher writes hostile code on day one and publishes it with a valid hash, the hash is still valid. Verification proves integrity, not intent (and, without a signature, not origin either).",[14,119,120,121,125],{},"This is why hash verification is one layer, not a full strategy. 
The other layers (sandboxing, permissions, proper ",[72,122,124],{"href":123},"/skills/security-vetting","skill security vetting",") still have to do their jobs.",[14,127,128],{},[129,130],"img",{"alt":131,"src":132},"Four-layer skill security stack with SHA-256 hash verification on top, then sandboxed execution, permission scoping, and runtime monitoring","/img/blog/openclaw-plugin-security-clawhub-sha256-verification-layers.jpg",[36,134,136],{"id":135},"how-the-actual-install-flow-works","How the actual install flow works",[14,138,139],{},"The mechanics are simple enough that I can walk through them without naming any specific OpenClaw config fields (the implementation details are evolving, so always check current docs for exact syntax).",[14,141,142],{},"Step one: the publisher uploads a skill archive to ClawHub. Step two: the registry computes the SHA-256 hash and publishes it alongside the listing (ideally the publisher computes it too, before upload, so the registry is confirming an expected value rather than defining it). Step three: your client downloads the archive. Step four: your client recomputes the hash locally over the downloaded bytes, before unpacking anything. Step five: if the hashes match, install proceeds. If they don't, install aborts with a security warning.",[14,144,145],{},"Five steps. Most of them invisible to you.",[14,147,148],{},"The interesting part is what happens at step five when things don't match. Some clients will warn and continue. Some will block hard. Some will let you set the policy yourself.",[14,150,151],{},"The security default people should be using is \"block, no override without manual approval.\"",[36,153,155],{"id":154},"the-part-that-surprises-people","The part that surprises people",[14,157,158],{},"Here's the weird part. Most teams running OpenClaw skills today don't actually enforce hash verification, even when the system supports it.",[14,160,161],{},"Why? Because the verification step adds friction at install time. You have to handle the failure case. You have to decide what your policy is when a hash mismatch happens at 11 PM the night before a launch. 
You have to teach your team not to just click through the warning.",[14,163,164],{},"This is the same story we've already lived with TLS certificate warnings. Browsers added them because invalid certs are a real signal of attack. People got annoyed. People started clicking \"Proceed anyway.\" The security primitive got hollowed out by humans wanting to ship.",[14,166,167],{},"SHA-256 verification on plugins is going through the same adoption curve. The teams who use it correctly are the ones who treat a hash mismatch as a stop, not a speed bump.",[14,169,170,171,175],{},"If you don't want to make that policy decision yourself for every skill in your stack, ",[72,172,174],{"href":173},"/","BetterClaw enforces hash verification by default on every managed deployment",". You get the security primitive without having to write the override policy yourself. $29/month per agent, BYOK.",[36,177,179],{"id":178},"why-self-hosted-teams-need-this-even-more","Why self-hosted teams need this even more",[14,181,182,183,187],{},"If you're running ",[72,184,186],{"href":185},"/compare/self-hosted","self-hosted OpenClaw",", hash verification isn't a nice-to-have. It's the thing standing between your VPS and a supply chain attack.",[14,189,190],{},"Self-hosted setups accumulate skills over time. You install one for Slack, one for GitHub, one for some niche workflow your founder asked for at 4 PM on a Friday. Every one of those is an inbound vector. Every update is a chance for something to slip in.",[14,192,193,194,198],{},"The 30,000+ OpenClaw instances Censys, Bitsight, and Hunt.io found exposed on the internet without authentication weren't all running malicious skills. But they were all wide open to whoever wanted to install something on them. 
The ",[72,195,197],{"href":196},"/blog/secure-openclaw-vps-guide","secure OpenClaw VPS guide"," covers the full hardening sequence for that specific exposure.",[14,200,201],{},"The teams that come out of this era of agent infrastructure intact will be the ones who treat skill installs the way mature teams treat npm dependencies: pinned, hashed, reviewed, and never auto-updated.",[14,203,204],{},[129,205],{"alt":206,"src":207},"Three supply chain attacks blocked by SHA-256 verification: man-in-the-middle tampering, silent maintainer compromise, and registry-level corruption","/img/blog/openclaw-plugin-security-clawhub-sha256-verification-attacks.jpg",[36,209,211],{"id":210},"what-you-still-need-to-do-even-with-verification-on","What you still need to do, even with verification on",[14,213,214],{},"Hash verification gives you integrity. It doesn't give you trust. Building actual trust in your skill stack is a layered job, and verification is layer one of about five.",[14,216,217,218,222],{},"The next four, in rough order: review the skill's source code before installing, scope its permissions narrowly, run it sandboxed, and monitor what it actually does at runtime. The ",[72,219,221],{"href":220},"/blog/openclaw-security-checklist","OpenClaw security checklist"," walks through each of these in detail and is the document I'd send to anyone setting up a new agent in production this week.",[14,224,225],{},"The thing that took me a while to internalize: most security failures in the OpenClaw ecosystem so far haven't been clever cryptographic attacks. They've been people skipping the basics. Installing skills without reading them. Granting full filesystem access by default. Running unsandboxed agents on machines with personal data on them. Meta researcher Summer Yue's agent mass-deleted her emails while ignoring stop commands; that was a permissions failure, not a crypto failure.",[14,227,228],{},"SHA-256 verification handles one specific class of attack really well. 
It handles zero of the others. Pretending otherwise is how teams end up with \"secure\" agents that quietly burn down their inbox.",[36,230,232],{"id":231},"one-last-thing","One last thing",[14,234,235],{},"The skill verification story is going to get richer over the next year. Sigstore-style signing. Reproducible builds. Maintainer attestations. Provenance metadata that tells you not just that the file is intact but who built it, when, and how.",[14,237,238],{},"SHA-256 verification is the first step of that bigger picture. It's not the whole picture.",[14,240,241],{},"But it's the step that turns \"I trust this skill because it has 5,000 downloads\" into \"I trust this skill because the bytes I'm running are mathematically the same bytes the publisher uploaded.\"",[14,243,244,245,251],{},"If you've been hand-rolling skill installs without thinking about supply chain risk, ",[72,246,250],{"href":247,"rel":248},"https://app.betterclaw.io/sign-in",[249],"nofollow","give BetterClaw a try",". $29/month per agent, BYOK, hash verification on by default, sandboxed execution, encrypted credentials, and your first deploy takes about 60 seconds. We handle the verification, the sandbox, and the policy enforcement. You handle the part where you decide which skills are actually worth installing.",[14,253,254],{},"Agents are about to get a lot more powerful and a lot more autonomous. The window for getting their supply chain right is now, before half your business runs through them.",[36,256,258],{"id":257},"frequently-asked-questions","Frequently Asked Questions",[14,260,261],{},[96,262,263],{},"What is ClawHub SHA-256 verification?",[14,265,266],{},"ClawHub SHA-256 verification is a security check that uses a 64-character cryptographic fingerprint to confirm a downloaded skill archive is byte-for-byte identical to what the publisher uploaded. The registry publishes the hash, your client recomputes it on download, and the install only proceeds if they match. 
It's the same primitive package managers have used for years (npm's lockfile integrity fields, pip's hash-checking mode), finally arriving in the OpenClaw skill ecosystem.",[14,268,269],{},[96,270,271],{},"How does SHA-256 verification compare to other OpenClaw plugin security measures?",[14,273,274,275,279],{},"Hash verification protects file integrity. It tells you the skill is the same one the publisher uploaded. Sandboxing protects runtime behavior, permission scoping protects what the skill can touch, and a ",[72,276,278],{"href":277},"/blog/openclaw-skill-audit","skill audit"," checks the actual code logic. You need all four. Verification is the first layer, not the only one.",[14,281,282],{},[96,283,284],{},"How do I check if a skill's SHA-256 hash matches the published one?",[14,286,287],{},"Modern OpenClaw clients do this automatically on install, but you can also hash the downloaded archive yourself with built-in tools (shasum -a 256 on macOS, sha256sum on Linux, Get-FileHash -Algorithm SHA256 in PowerShell or certutil -hashfile <file> SHA256 on Windows) and compare the output against the hash published on the skill's ClawHub page. Hash the archive exactly as downloaded, before extracting it. All 64 hex characters must match; letter case is the one difference that doesn't count, since some tools print uppercase hex. If anything else differs, do not install.",[14,289,290],{},[96,291,292],{},"Is SHA-256 verification enough security for production AI agents?",[14,294,295],{},"No, and anyone telling you otherwise is selling something. Verification stops tampering attacks. It doesn't stop a malicious publisher who ships hostile code with a valid hash on day one, an over-permissioned skill, or a runtime compromise. For production agents, treat verification as one of five layers (verification, source review, permission scoping, sandboxing, runtime monitoring) and run all of them.",[14,297,298],{},[96,299,300],{},"Are managed OpenClaw platforms actually safer than self-hosted with verification turned on?",[14,302,303],{},"A well-configured self-hosted setup with hash verification, sandboxing, and proper permission scoping can be very safe. 
The catch is \"well-configured.\" On managed platforms like BetterClaw, those defaults are enforced for you, including Docker-sandboxed execution and AES-256 encryption of credentials. On self-hosted, every one of those defaults is a decision you have to make and maintain yourself.",[36,305,307],{"id":306},"related-reading","Related Reading",[309,310,311,318,324,330,337],"ul",{},[312,313,314,317],"li",{},[72,315,316],{"href":277},"OpenClaw Skill Audit"," — How to vet a skill before you install it",[312,319,320,323],{},[72,321,322],{"href":220},"OpenClaw Security Checklist"," — The full five-layer skill security approach",[312,325,326,329],{},[72,327,328],{"href":196},"Secure OpenClaw on a VPS"," — Hardening the host your skills run on",[312,331,332,336],{},[72,333,335],{"href":334},"/blog/openclaw-security-risks","OpenClaw Security Risks Explained"," — The broader threat landscape including ClawHavoc",[312,338,339,343],{},[72,340,342],{"href":341},"/blog/openclaw-skills-install-guide","OpenClaw Skills Install Guide"," — The safe install workflow end to end",{"title":345,"searchDepth":346,"depth":346,"links":347},"",2,[348,349,350,351,352,353,354,355,356,357],{"id":38,"depth":346,"text":39},{"id":63,"depth":346,"text":64},{"id":88,"depth":346,"text":89},{"id":135,"depth":346,"text":136},{"id":154,"depth":346,"text":155},{"id":178,"depth":346,"text":179},{"id":210,"depth":346,"text":211},{"id":231,"depth":346,"text":232},{"id":257,"depth":346,"text":258},{"id":306,"depth":346,"text":307},"Security","2026-04-16","How ClawHub SHA-256 verification protects OpenClaw skills from supply chain attacks like ClawHavoc, what it covers, and what you still need.","md",false,"/img/blog/openclaw-plugin-security-clawhub-sha256-verification.jpg",{},true,"/blog/openclaw-plugin-security-clawhub-sha256-verification","10 min read",{"title":5,"description":360},"OpenClaw Plugin Security: ClawHub SHA-256 
Verification","blog/openclaw-plugin-security-clawhub-sha256-verification",[372,373,374,375,376,377],"OpenClaw plugin security","ClawHub SHA-256 verification","OpenClaw skill security","ClawHavoc","OpenClaw supply chain attack","AI agent skill verification","km-Kt1Wgs9nK0rSYdNnkW6KJOizR4W0xwV-VCByEndY",[380,756,1293],{"id":381,"title":382,"author":383,"body":384,"category":358,"date":740,"description":741,"extension":361,"featured":362,"image":742,"meta":743,"navigation":365,"path":744,"readingTime":367,"seo":745,"seoTitle":746,"stem":747,"tags":748,"updatedDate":740,"__hash__":755},"blog/blog/anthropic-ai-bank-cyber-risk.md","Anthropic's Mythos Just Got Bank CEOs Summoned to Washington. Here's What It Means for Your AI Agents.",{"name":7,"role":8,"avatar":9},{"type":11,"value":385,"toc":728},[386,391,394,397,400,403,406,410,413,416,419,422,428,432,435,438,441,444,447,450,454,457,460,467,470,478,481,487,491,494,497,500,503,506,514,526,530,533,536,539,542,550,556,560,563,566,569,572,577,581,584,590,596,607,613,619,623,626,629,632,647,650,652,657,660,665,668,673,679,684,687,692,695,697],[14,387,388],{},[17,389,390],{},"The collision of frontier AI models and financial infrastructure is rewriting the rules of cyber risk. If you're running AI agents, you're already in the blast radius.",[14,392,393],{},"Treasury Secretary Scott Bessent and Fed Chair Jerome Powell pulled bank CEOs into an emergency meeting this week. Not about interest rates. 
Not about a liquidity crisis.",[14,395,396],{},"About an AI model.",[14,398,399],{},"Anthropic's Claude Mythos, a frontier model so capable at finding software vulnerabilities that the company warned its own government contacts it would make large-scale cyberattacks \"much more likely in 2026.\" The model identified thousands of zero-day vulnerabilities in its first weeks of testing, many of them one to two decades old, hiding in the software that runs everything from hospital networks to trading floors.",[14,401,402],{},"If you're building or deploying AI agents right now, this isn't some abstract policy story. This is the environment your agents are operating in.",[14,404,405],{},"And it's about to get a lot more hostile.",[36,407,409],{"id":408},"the-moment-ai-cyber-risk-stopped-being-theoretical","The moment AI cyber risk stopped being theoretical",[14,411,412],{},"Let's rewind to September 2025. Anthropic detected what analysts now call the first fully autonomous AI espionage campaign at scale. A Chinese state-sponsored group used agentic AI capabilities to conduct vulnerability discovery, lateral movement, and payload execution with minimal human oversight.",[14,414,415],{},"Read that again. Minimal human oversight. An AI agent, not a team of hackers, ran the operation.",[14,417,418],{},"Then in January 2026, a Russian-speaking cybercriminal with limited technical skills used Claude and DeepSeek to hack over 600 devices across 55 countries. According to AWS's security research team, the attacker used generative AI to scale well-known attack techniques throughout every phase of their operation. At one point, the attacker asked Claude in Russian to build a web panel for managing hundreds of targets.",[14,420,421],{},"This is the new baseline. Not nation-state hackers with decades of training. 
Script kiddies with API keys.",[14,423,424],{},[129,425],{"alt":426,"src":427},"Timeline of AI-powered cyber attacks from September 2025 autonomous espionage to January 2026 mass exploitation","/img/blog/anthropic-ai-bank-cyber-risk-timeline.jpg",[36,429,431],{"id":430},"why-mythos-changes-the-math-for-everyone","Why Mythos changes the math for everyone",[14,433,434],{},"Here's the part that should make you uncomfortable.",[14,436,437],{},"Current AI models can identify high-severity vulnerabilities. Mythos can find five separate vulnerabilities in a single piece of software and chain them together into a novel attack that no human security team would have anticipated. Coupled with the ability to work unsupervised for extended periods, Anthropic says we've hit an inflection point.",[14,439,440],{},"Shlomo Kramer, founder and CEO of Cato Networks, put it bluntly: the agentic attackers are coming and this is a watershed event in the history of cybersecurity. Cisco's chief security officer Anthony Grieco said the old ways of hardening systems are no longer sufficient.",[14,442,443],{},"And here's what nobody tells you: the window is narrow. Alex Stamos, chief product officer at cybersecurity firm Corridor, estimates the open-source models will catch up to frontier model bug-finding capabilities within six months.",[14,445,446],{},"The attackers only need to find one way in. Defenders have to cover every surface.",[14,448,449],{},"That asymmetry has always existed in cybersecurity. AI just compressed the timeline from months to minutes.",[36,451,453],{"id":452},"what-this-means-if-youre-running-ai-agents","What this means if you're running AI agents",[14,455,456],{},"Stay with me here, because this is where it gets personal.",[14,458,459],{},"If you're self-hosting an OpenClaw agent on a VPS, a DigitalOcean droplet, or even a Mac Mini under your desk, your attack surface just expanded dramatically. 
Every exposed port, every unpatched dependency, every misconfigured Docker container is now a target that can be discovered and exploited at machine speed.",[14,461,462,463,466],{},"The ",[72,464,465],{"href":334},"OpenClaw security risks"," we've been writing about for months aren't hypothetical anymore. They're the exact kind of vulnerabilities that Mythos-class models will find and chain together.",[14,468,469],{},"Think about what a typical self-hosted agent setup looks like:",[14,471,472,473,477],{},"Docker containers with default configurations. API keys stored in ",[474,475,476],"code",{},".env"," files. Ports exposed to the public internet. No intrusion detection. No automated patching. No audit logging.",[14,479,480],{},"That was \"good enough\" when the threat was a bored teenager with Metasploit. It is not good enough when the threat is an autonomous AI agent running 24/7 vulnerability scans.",[14,482,483],{},[129,484],{"alt":485,"src":486},"Self-hosted AI agent attack surface showing exposed ports, unpatched dependencies, and plaintext credentials","/img/blog/anthropic-ai-bank-cyber-risk-attack-surface.jpg",[36,488,490],{"id":489},"the-infrastructure-gap-most-agent-builders-ignore","The infrastructure gap most agent builders ignore",[14,492,493],{},"Here's where most people get it wrong.",[14,495,496],{},"They think security is something you bolt on after your agent works. First get the YAML right. First get the skills installed. First get the model routing figured out. Security can wait.",[14,498,499],{},"It can't wait anymore.",[14,501,502],{},"Anthropic launched Project Glasswing alongside Mythos, giving 12 partner organizations including Microsoft, Apple, and Cisco early access to find and fix vulnerabilities before they get exploited. That tells you something about the urgency.",[14,504,505],{},"But most teams running AI agents aren't Microsoft. They don't have a dedicated security team scanning their infrastructure. 
They're a founder, a small dev team, maybe a contractor. They're choosing between building features and patching CVEs.",[14,507,508,509,513],{},"If you've been wrestling with ",[72,510,512],{"href":511},"/blog/openclaw-docker-troubleshooting","OpenClaw Docker troubleshooting"," or spending weekends maintaining your agent infrastructure, this is the moment to ask yourself: is that really how you want to spend your time in a world where AI-powered attacks operate at machine speed?",[14,515,516,517,520,521,525],{},"We built ",[72,518,519],{"href":173},"Better Claw"," because we were tired of infrastructure eating our weekends. But in light of what Anthropic just disclosed, managed hosting isn't just about convenience anymore. It's about not being the low-hanging fruit in an environment where autonomous attackers are scanning for exactly that. ",[72,522,524],{"href":523},"/pricing","$29/month per agent",", and your infrastructure is somebody else's problem.",[36,527,529],{"id":528},"what-the-bessent-powell-meeting-actually-signals","What the Bessent-Powell meeting actually signals",[14,531,532],{},"And that's when we realized this story isn't really about banks.",[14,534,535],{},"Yes, Bessent and Powell summoned Wall Street CEOs to make sure financial institutions are preparing defenses against Mythos-class threats. But the real signal is simpler: the US government now considers AI-generated cyber risk a systemic threat.",[14,537,538],{},"Not a \"keep an eye on it\" threat. A \"clear your calendar and come to Washington\" threat.",[14,540,541],{},"The implications cascade downward. If banks need to harden their systems, every vendor and partner in their supply chain needs to do the same. 
If you're building an AI agent that touches financial data, customer PII, or payment systems, the security bar just jumped by an order of magnitude.",[14,543,544,545,549],{},"This is especially relevant if you're running agents for ",[72,546,548],{"href":547},"/blog/openclaw-agents-for-ecommerce","ecommerce use cases"," or anything that handles customer data. The regulatory scrutiny that follows a story like this always trickles down.",[14,551,552],{},[129,553],{"alt":554,"src":555},"Cascade of AI cyber risk regulations from government to banks to vendors to AI agent builders","/img/blog/anthropic-ai-bank-cyber-risk-cascade.jpg",[36,557,559],{"id":558},"the-arms-race-youre-already-part-of","The arms race you're already part of",[14,561,562],{},"But that's not even the real problem.",[14,564,565],{},"Every major AI lab's next model will push cyber capabilities further. Behind Mythos is the next OpenAI model, and the next Gemini, and a few months behind them are the open-source Chinese models. As Kramer told CNN, the defenders need to run as fast as they can just to stay in the same place.",[14,567,568],{},"This creates a permanent tax on every team running AI infrastructure. You need automated patching. You need encrypted secrets management. You need isolated execution environments. You need audit logs. You need somebody watching the monitors at 3 AM when a Mythos-inspired scanner finds a forgotten port.",[14,570,571],{},"Or you need to outsource that entire burden.",[14,573,462,574,576],{},[72,575,221],{"href":220}," we published is a good starting point if you're committed to self-hosting. But be honest with yourself about whether you can maintain that posture indefinitely against adversaries that don't sleep, don't get bored, and don't make typos.",[36,578,580],{"id":579},"what-to-actually-do-right-now","What to actually do right now",[14,582,583],{},"Let me be practical. 
Here's what matters this week, not this quarter.",[14,585,586,589],{},[96,587,588],{},"Audit your exposed surfaces."," If your agent is reachable from the public internet, assume it will be scanned by something smarter than you within days. Check every open port. Check your Docker configs. Check where your API keys live.",[14,591,592,595],{},[96,593,594],{},"Update everything."," Mythos found vulnerabilities that were one to two decades old. The boring stuff matters more than ever.",[14,597,598,601,602,606],{},[96,599,600],{},"Evaluate your hosting model."," Self-hosting made sense when the primary risk was downtime. The risk profile has changed. Consider whether ",[72,603,605],{"href":604},"/openclaw-hosting","managed OpenClaw hosting"," is worth the tradeoff.",[14,608,609,612],{},[96,610,611],{},"Watch the regulatory signals."," The Bessent-Powell meeting is the first domino. If you're building agents for regulated industries, expect compliance requirements to tighten fast.",[14,614,615,618],{},[96,616,617],{},"Don't panic, but don't ignore this."," The fact that Anthropic launched Project Glasswing means the industry is taking this seriously. The worst response is to assume you're too small to be a target. Automated attacks don't discriminate by company size.",[36,620,622],{"id":621},"the-honest-takeaway","The honest takeaway",[14,624,625],{},"Here's what I keep coming back to.",[14,627,628],{},"We got into AI agents because the technology is genuinely exciting. Watching an agent autonomously handle tasks that used to take hours of manual work is one of the best feelings in tech right now. That hasn't changed.",[14,630,631],{},"What's changed is the environment. The same agentic capabilities that make our tools powerful also make the threats against our infrastructure more capable. That's not a reason to stop building. 
It's a reason to build on foundations that can withstand what's coming.",[14,633,634,635,637,638,642,643,646],{},"If any of this hit close to home, if you've been running a self-hosted agent and putting off the security hardening, if you know your ",[474,636,476],{}," file is doing more heavy lifting than it should, ",[72,639,641],{"href":247,"rel":640},[249],"give Better Claw a look",". It's $29/month per agent, BYOK, and you get managed infrastructure with security that doesn't depend on you remembering to run ",[474,644,645],{},"apt update"," at midnight. We handle the infrastructure. You handle the interesting part.",[14,648,649],{},"The agentic attackers are coming. Make sure your agents are ready.",[36,651,258],{"id":257},[14,653,654],{},[96,655,656],{},"What is the Anthropic Mythos AI model and why does it matter for cyber risk?",[14,658,659],{},"Claude Mythos is Anthropic's most powerful AI model to date, sitting above its Opus tier. It matters because it can autonomously discover, chain together, and exploit software vulnerabilities at speeds no human team can match. In its first weeks of testing, it found thousands of zero-day flaws, many hidden for over a decade.",[14,661,662],{},[96,663,664],{},"How does AI-driven cyber risk affect banks and financial services?",[14,666,667],{},"Treasury Secretary Bessent and Fed Chair Powell summoned bank CEOs specifically over Mythos-class threats, signaling the government views AI cyber risk as systemic to financial stability. Banks face pressure to harden systems across their entire supply chain, which cascades to every vendor and partner handling financial data.",[14,669,670],{},[96,671,672],{},"How do I secure my self-hosted AI agent against AI-powered attacks?",[14,674,675,676,678],{},"Start by auditing exposed ports, moving secrets out of ",[474,677,476],{}," files into encrypted vaults, keeping all dependencies patched, and enabling audit logging. 
If maintaining that security posture continuously isn't realistic for your team, evaluate managed hosting options that handle infrastructure security for you.",[14,680,681],{},[96,682,683],{},"Is managed AI agent hosting worth the cost for security alone?",[14,685,686],{},"At $29/month per agent, managed hosting like BetterClaw costs less than a single hour of incident response consulting. You get isolated environments, automated updates, encrypted secrets management, and monitoring without needing to maintain it yourself. In a world of autonomous AI-powered scanning, the cost of a breach far exceeds the cost of prevention.",[14,688,689],{},[96,690,691],{},"Is my small project really a target for AI-powered cyberattacks?",[14,693,694],{},"Yes. Automated scanning tools, including the techniques Mythos enables, don't discriminate by company size. In January 2026, a single attacker with limited skills used AI to compromise 600+ devices across 55 countries. If your agent is reachable from the internet, it's a target regardless of how small your operation is.",[36,696,307],{"id":306},[309,698,699,704,709,716,721],{},[312,700,701,703],{},[72,702,335],{"href":334}," — The specific vulnerabilities AI attackers will target",[312,705,706,708],{},[72,707,322],{"href":220}," — Hardening steps if you're committed to self-hosting",[312,710,711,715],{},[72,712,714],{"href":713},"/blog/openclaw-gateway-guide","OpenClaw Gateway Guide"," — The single setting that exposed 30,000+ instances",[312,717,718,720],{},[72,719,316],{"href":277}," — How to check for compromised skills in your setup",[312,722,723,727],{},[72,724,726],{"href":725},"/compare/openclaw","BetterClaw vs Self-Hosted OpenClaw"," — Managed security vs DIY in the new threat 
landscape",{"title":345,"searchDepth":346,"depth":346,"links":729},[730,731,732,733,734,735,736,737,738,739],{"id":408,"depth":346,"text":409},{"id":430,"depth":346,"text":431},{"id":452,"depth":346,"text":453},{"id":489,"depth":346,"text":490},{"id":528,"depth":346,"text":529},{"id":558,"depth":346,"text":559},{"id":579,"depth":346,"text":580},{"id":621,"depth":346,"text":622},{"id":257,"depth":346,"text":258},{"id":306,"depth":346,"text":307},"2026-04-10","Anthropic's Mythos model triggered an emergency bank CEO meeting. Learn what AI-driven cyber risk means for your AI agents and how to protect them.","/img/blog/anthropic-ai-bank-cyber-risk.jpg",{},"/blog/anthropic-ai-bank-cyber-risk",{"title":382,"description":741},"Anthropic AI Cyber Risk: What Bank CEO Warnings Mean for Agents","blog/anthropic-ai-bank-cyber-risk",[749,750,751,752,753,754],"anthropic ai cyber risk","mythos ai model security","ai agent security","openclaw security","ai cybersecurity threats","managed ai agent hosting","il9GGyLnz0RS4zVpAM04SNYKd_augmL7GgyvZjt89Ug",{"id":757,"title":758,"author":759,"body":760,"category":358,"date":1276,"description":1277,"extension":361,"featured":362,"image":1278,"meta":1279,"navigation":365,"path":74,"readingTime":1280,"seo":1281,"seoTitle":1282,"stem":1283,"tags":1284,"updatedDate":1276,"__hash__":1292},"blog/blog/clawhub-skills-directory.md","ClawHub Skills Directory - The Complete 2026 Guide to Finding, Vetting, and Using OpenClaw 
Skills",{"name":7,"role":8,"avatar":9},{"type":11,"value":761,"toc":1248},[762,767,770,773,780,783,787,790,793,796,802,808,815,819,822,827,830,836,840,843,849,853,856,862,866,869,875,881,885,888,892,895,898,904,908,911,917,921,924,930,936,948,952,955,961,967,973,979,985,991,994,998,1001,1005,1011,1017,1023,1027,1033,1039,1045,1051,1058,1062,1065,1069,1072,1076,1079,1082,1090,1096,1100,1103,1109,1115,1121,1131,1137,1143,1147,1150,1156,1162,1168,1174,1180,1186,1190,1193,1196,1199,1206,1208,1213,1216,1221,1224,1229,1232,1237,1240,1245],[14,763,764],{},[96,765,766],{},"13,700+ skills. 824 were malicious. Here's how to navigate the marketplace without becoming a statistic.",[14,768,769],{},"I found the perfect Notion integration skill on ClawHub last month. Clean description. Recent updates. 3,200+ downloads. I installed it, connected my workspace, and watched my OpenClaw agent sync tasks from Telegram directly into Notion boards.",[14,771,772],{},"Two days later, I noticed API requests on my Anthropic dashboard that I hadn't made. Someone was using my key. The skill had been reading my config file and sending credentials to an external server while functioning exactly as advertised.",[14,774,775,776,779],{},"That skill was part of the ClawHavoc campaign. ",[96,777,778],{},"824 malicious skills discovered on ClawHub, roughly 20% of the entire registry."," One compromised package had 14,285 downloads before it was pulled. ClawHub responded by purging 2,419 suspicious packages and partnering with VirusTotal for automated scanning.",[14,781,782],{},"This guide covers everything you need to know about the ClawHub skills directory in 2026: what's available, what's dangerous, how to find good skills, and how to protect yourself from bad ones.",[36,784,786],{"id":785},"what-clawhub-actually-is-and-isnt","What ClawHub actually is (and isn't)",[14,788,789],{},"ClawHub is the official skill registry for OpenClaw. 
Think of it like npm for Node.js packages or PyPI for Python libraries, except the packages add capabilities to your AI agent instead of your codebase.",[14,791,792],{},"Skills are what turn OpenClaw from a chatbot into an agent. Without skills, your agent can only have conversations. With skills, it can search the web, manage your calendar, read and write files, automate browser tasks, send emails, interact with APIs, and execute shell commands.",[14,794,795],{},"As of March 2026, ClawHub hosts over 13,700 skills. A separate community-curated registry (awesome-openclaw-skills on GitHub) tracks another 5,400+ skills that have been independently reviewed. The ecosystem is massive and growing fast, driven by OpenClaw's 1.27 million weekly npm downloads.",[14,797,798,801],{},[96,799,800],{},"What ClawHub is:"," An open registry where anyone can publish a skill package. Think app store with minimal review.",[14,803,804,807],{},[96,805,806],{},"What ClawHub isn't:"," A curated, security-reviewed marketplace. Until the VirusTotal partnership, there was effectively no automated security scanning. Publishers could upload anything. And 20% of them uploaded something malicious.",[14,809,810,811,814],{},"For the full timeline of ",[72,812,813],{"href":334},"documented OpenClaw security incidents"," including the ClawHavoc campaign, CrowdStrike advisory, and Cisco's data exfiltration discovery, our security guide covers each event.",[36,816,818],{"id":817},"the-clawhub-skills-categories-worth-knowing","The ClawHub skills categories worth knowing",[14,820,821],{},"The directory organizes skills into categories, though the boundaries are loose and many skills span multiple categories. Here's what's available and what's genuinely useful.",[823,824,826],"h3",{"id":825},"communication-skills","Communication skills",[14,828,829],{},"These connect your agent to external messaging and communication tools. 
Email reading and drafting (Gmail, Outlook), calendar management (Google Calendar, CalDAV), messaging integrations beyond the platforms OpenClaw already supports natively, and notification routing.",[14,831,832,835],{},[96,833,834],{},"The risk level is high."," Communication skills need access to your email, calendar, or messaging accounts. A compromised email skill can read every message in your inbox and forward copies to an external server. The Meta researcher Summer Yue incident is the cautionary tale here: her agent mass-deleted emails while ignoring stop commands. Even legitimate email skills need strict permission boundaries.",[823,837,839],{"id":838},"search-and-research-skills","Search and research skills",[14,841,842],{},"Web search (Brave API, Google Custom Search, Tavily), academic paper search, news aggregation, and data retrieval from specific sources. These are among the most commonly installed skills because they give your agent access to real-time information.",[14,844,845,848],{},[96,846,847],{},"The risk level is moderate."," Search skills make outbound API calls to retrieve information. The main concern is whether they're sending your query data (which might contain sensitive context from your conversations) to unexpected destinations alongside the legitimate search requests.",[823,850,852],{"id":851},"productivity-skills","Productivity skills",[14,854,855],{},"File management, note-taking integrations (Notion, Obsidian), project management connections (Linear, Asana, Jira), and document processing. These skills let your agent interact with your work tools.",[14,857,858,861],{},[96,859,860],{},"The risk level is moderate to high."," Productivity skills typically need OAuth tokens or API keys for external services. 
A compromised productivity skill has access to whatever tools it connects to.",[823,863,865],{"id":864},"developer-tools","Developer tools",[14,867,868],{},"Code execution, Git operations, CI/CD integrations, database queries, and API testing. These are popular among developers who use OpenClaw as a coding assistant.",[14,870,871,874],{},[96,872,873],{},"The risk level is very high."," Developer tool skills often have shell access or can execute arbitrary code. A malicious developer skill with shell access can do anything on your machine. Cisco's discovery of a skill performing data exfiltration was in this category.",[14,876,877],{},[129,878],{"alt":879,"src":880},"ClawHub skills categories organized by risk level","/img/blog/clawhub-skills-directory-categories.jpg",[36,882,884],{"id":883},"how-to-find-good-skills-on-clawhub","How to find good skills on ClawHub",[14,886,887],{},"The ClawHub interface shows skill name, description, publisher, download count, last update date, and version history. Here's how to use that information to filter for quality.",[823,889,891],{"id":890},"publisher-reputation-matters-most","Publisher reputation matters most",[14,893,894],{},"The OpenClaw core team maintains a set of official skills. These are the safest options because they're maintained by the same developers who build the framework. Look for the official organization badge.",[14,896,897],{},"After official skills, established community developers with multiple published packages, active GitHub profiles, and real identities are the next safest tier. A publisher who has maintained three skills for six months with regular updates is very different from an account created last week with one package.",[14,899,900,903],{},[96,901,902],{},"Red flags on publishers:"," Account created recently with only one skill. Username that mimics official accounts (like \"opencIaw\" with a capital I instead of lowercase L). No GitHub profile linked. 
Generic or AI-generated skill descriptions.",[823,905,907],{"id":906},"download-count-needs-context","Download count needs context",[14,909,910],{},"High download count alone doesn't mean safe. The most-downloaded malicious skill in the ClawHavoc campaign had 14,285 downloads before removal. Download count tells you popularity, not quality.",[14,912,913,916],{},[96,914,915],{},"What matters more:"," the ratio of downloads to the skill's age. A skill published last week with 5,000 downloads either went viral organically (rare) or had its count artificially boosted (more common). A skill published six months ago with 5,000 downloads grew naturally through genuine adoption.",[823,918,920],{"id":919},"last-update-date-signals-maintenance","Last update date signals maintenance",[14,922,923],{},"Skills that haven't been updated in more than three months are concerning. OpenClaw releases multiple updates per week. Skills that don't keep up with the framework eventually break or develop compatibility issues.",[14,925,926,929],{},[96,927,928],{},"The sweet spot:"," skills updated within the last 30-60 days with a consistent version history showing incremental improvements rather than a single large dump of code.",[14,931,932],{},[129,933],{"alt":934,"src":935},"How to evaluate ClawHub skill listings","/img/blog/clawhub-skills-directory-evaluation.jpg",[14,937,938,939,943,944,947],{},"For our curated list of ",[72,940,942],{"href":941},"/blog/best-openclaw-skills","the best community-vetted OpenClaw skills"," that have passed security review, our ",[72,945,946],{"href":941},"skills guide"," ranks options by reliability, safety, and usefulness.",[36,949,951],{"id":950},"the-5-step-vetting-process-before-you-install-anything","The 5-step vetting process before you install anything",[14,953,954],{},"Finding a skill on ClawHub is step one. 
Vetting it before installation is what separates safe users from compromised ones.",[14,956,957,960],{},[96,958,959],{},"Step 1: Check the publisher."," Verify their identity, account age, and other published packages. Official skills from the core team are safest.",[14,962,963,966],{},[96,964,965],{},"Step 2: Read the source code."," Every ClawHub skill is JavaScript or TypeScript. You're looking for network calls to unexpected domains, file reads outside the skill's workspace (especially reads of your config file where API keys live), obfuscated or minified code (legitimate skills are readable), and environment variable access beyond what's needed.",[14,968,969,972],{},[96,970,971],{},"Step 3: Search community reports."," Check GitHub issues and the OpenClaw Discord for the skill name. If others have reported problems, you'll find them.",[14,974,975,978],{},[96,976,977],{},"Step 4: Test in a sandboxed workspace."," Never install a new skill directly into your production agent. Create a test workspace, install the skill there, run it for 24-48 hours, and monitor your API usage dashboards for unexpected activity.",[14,980,981,984],{},[96,982,983],{},"Step 5: Set limits."," After installation, configure iteration limits and context token caps to contain the blast radius if a skill misbehaves.",[14,986,987],{},[129,988],{"alt":989,"src":990},"5-step skill vetting process","/img/blog/clawhub-skills-directory-vetting.jpg",[14,992,993],{},"The vetting process takes 5-10 minutes per skill plus a 24-hour monitoring window. That's 5-10 minutes compared to hours of damage control if something goes wrong. The math is obvious.",[36,995,997],{"id":996},"what-changed-after-clawhavoc","What changed after ClawHavoc",[14,999,1000],{},"The ClawHavoc campaign was a wake-up call for the entire ecosystem. 
Here's what ClawHub has done since, and what's still missing.",[823,1002,1004],{"id":1003},"what-improved","What improved",[14,1006,1007,1010],{},[96,1008,1009],{},"VirusTotal partnership."," ClawHub now runs automated security scans on all new skill submissions. Known malware signatures and suspicious patterns trigger review before publication. This catches known attack patterns but not novel ones.",[14,1012,1013,1016],{},[96,1014,1015],{},"Mass purge."," 2,419 suspicious packages were removed from the registry. This cleaned up the worst offenders but happened after the damage was done. The most-downloaded malicious package had already been installed by thousands of users.",[14,1018,1019,1022],{},[96,1020,1021],{},"Publisher verification."," ClawHub introduced optional publisher verification. Verified publishers have confirmed identities. The problem: verification is optional, and most publishers haven't bothered.",[823,1024,1026],{"id":1025},"whats-still-missing","What's still missing",[14,1028,1029,1032],{},[96,1030,1031],{},"Mandatory code review."," There's no human review of skill code before publication. VirusTotal catches known malware patterns, but sophisticated exfiltration techniques (like the Cisco-discovered skill that looked perfectly legitimate) can slip through automated detection.",[14,1034,1035,1038],{},[96,1036,1037],{},"Permission scoping."," Skills currently have access to whatever OpenClaw has access to. There's no granular permission system where a calendar skill can only access calendar APIs, not your file system. This means every skill is either trusted with everything or not installed at all.",[14,1040,1041,1044],{},[96,1042,1043],{},"Dependency auditing."," Skills can include npm dependencies. Those dependencies can include their own dependencies. 
The supply chain attack surface extends well beyond the skill code itself.",[14,1046,1047],{},[129,1048],{"alt":1049,"src":1050},"ClawHub security improvements timeline","/img/blog/clawhub-skills-directory-security.jpg",[14,1052,1053,1054,1057],{},"If managing skill security, vetting, and permission boundaries sounds like more work than you want, ",[72,1055,1056],{"href":173},"BetterClaw's curated skill marketplace"," audits every skill before publication. Docker-sandboxed execution means even a compromised skill can't access your host system or credentials. $29/month per agent, BYOK. Zero unvetted code running on your infrastructure.",[36,1059,1061],{"id":1060},"the-alternative-registries-worth-knowing","The alternative registries worth knowing",[14,1063,1064],{},"ClawHub isn't the only place to find OpenClaw skills. Two alternatives are worth mentioning.",[823,1066,1068],{"id":1067},"awesome-openclaw-skills-github","awesome-openclaw-skills (GitHub)",[14,1070,1071],{},"A community-curated list tracking 5,400+ skills with basic quality annotations. It's not a registry (you still install skills from ClawHub or GitHub). It's a curation layer that filters the noise. The maintainers remove skills that are reported as malicious or abandoned. It's not a security guarantee, but it's a better starting point than browsing ClawHub's unfiltered listing.",[823,1073,1075],{"id":1074},"direct-github-installation","Direct GitHub installation",[14,1077,1078],{},"You can install skills directly from GitHub repositories without going through ClawHub at all. Clone the repo, review the code, and copy it into your OpenClaw skills directory. This bypasses ClawHub entirely and gives you complete visibility into what you're installing.",[14,1080,1081],{},"The trade-off: no auto-updates. When the skill author pushes a new version, you need to manually pull the changes. 
ClawHub-installed skills update automatically, which is both convenient and risky (an update could introduce new malicious code that wasn't in the version you vetted).",[14,1083,1084,1085,1089],{},"For guidance on ",[72,1086,1088],{"href":1087},"/blog/openclaw-setup-guide-complete","the full OpenClaw installation and skill configuration process",", our setup guide covers where skills fit into the deployment sequence.",[14,1091,1092],{},[129,1093],{"alt":1094,"src":1095},"Alternative OpenClaw skill registries comparison","/img/blog/clawhub-skills-directory-alternatives.jpg",[36,1097,1099],{"id":1098},"the-skills-most-people-should-start-with","The skills most people should start with",[14,1101,1102],{},"After reviewing the ecosystem extensively, here are the skill categories that provide the most value with the least risk for new OpenClaw users.",[14,1104,1105,1108],{},[96,1106,1107],{},"Web search."," The official web search skill or Brave Search API integration. Essential for any agent that needs to look up information. Maintained by the core team. Low risk because it only makes outbound search queries.",[14,1110,1111,1114],{},[96,1112,1113],{},"File operations."," OpenClaw's built-in file read/write capabilities handle most basic file tasks without requiring an external skill. Start with the native tools before adding third-party file management skills.",[14,1116,1117,1120],{},[96,1118,1119],{},"Calendar."," Google Calendar or CalDAV integrations from verified publishers with established track records. These need OAuth access to your calendar, so choose carefully. Only install from publishers with real identities.",[14,1122,1123,1126,1127,1130],{},[96,1124,1125],{},"Custom internal skills."," If you need your agent to interact with a proprietary API (your Shopify store, your CRM, your internal tools), building a custom skill is safer than finding a generic one on ClawHub. You control every line of code. 
For ecommerce-specific agent configurations, our ",[72,1128,1129],{"href":547},"ecommerce guide"," covers the most common integrations.",[14,1132,1133,1136],{},[96,1134,1135],{},"Email (with extreme caution)."," Email skills are the highest-risk category. Start with read-only access. Only enable send with explicit confirmation requirements. Never give an agent unsupervised email send permissions. The Summer Yue incident is the permanent reminder of why.",[14,1138,1139],{},[129,1140],{"alt":1141,"src":1142},"Recommended starter skills for OpenClaw","/img/blog/clawhub-skills-directory-starter.jpg",[36,1144,1146],{"id":1145},"what-to-do-if-youve-already-installed-unvetted-skills","What to do if you've already installed unvetted skills",[14,1148,1149],{},"If you've been installing ClawHub skills without vetting them (most people have in the beginning), here's the damage control sequence.",[14,1151,1152,1155],{},[96,1153,1154],{},"First: rotate all API keys immediately."," Every key in your OpenClaw config. Anthropic, OpenAI, Telegram bot tokens, OAuth credentials. All of them. If any skill has exfiltrated your keys, rotating them invalidates the stolen copies.",[14,1157,1158,1161],{},[96,1159,1160],{},"Second: review your API usage dashboards."," Check the last 30 days for requests you didn't make. Unusual patterns (requests at odd hours, high-volume calls you don't recognize) indicate compromise.",[14,1163,1164,1167],{},[96,1165,1166],{},"Third: audit every installed skill."," List everything your agent currently has installed. For each skill, run through the 5-step vetting process. Remove anything that doesn't pass.",[14,1169,1170,1173],{},[96,1171,1172],{},"Fourth: set up monitoring going forward."," Check API usage weekly. Review logs after installing any new skill. 
Set spending caps on all provider accounts.",[14,1175,1176],{},[129,1177],{"alt":1178,"src":1179},"Damage control steps for unvetted skills","/img/blog/clawhub-skills-directory-damage-control.jpg",[14,1181,462,1182,1185],{},[72,1183,1184],{"href":334},"managed vs self-hosted security comparison"," covers how platforms like BetterClaw handle skill security versus what you're responsible for when self-hosting.",[36,1187,1189],{"id":1188},"the-bigger-picture-where-the-clawhub-ecosystem-is-heading","The bigger picture: where the ClawHub ecosystem is heading",[14,1191,1192],{},"The skills ecosystem is at an inflection point. The ClawHavoc campaign forced the community to take supply chain security seriously. VirusTotal scanning and the publisher verification system are steps in the right direction. But the fundamental challenge remains: an open registry with minimal review will always have a security tail risk.",[14,1194,1195],{},"The likely evolution is a tiered system. A \"verified\" tier with mandatory code review and publisher identity verification. An \"unverified\" tier with automated scanning only. And eventually, permission scoping that limits what each skill can access regardless of trust level.",[14,1197,1198],{},"Until that happens, the responsibility is on you. Every skill you install is executable code running with your agent's permissions and access to your API keys. Treat ClawHub like you'd treat any package registry: with appreciation for the ecosystem and suspicion toward anything you haven't personally reviewed.",[14,1200,1201,1202,1205],{},"If you want a deployment where skills are security-audited before they reach your agent, where Docker sandboxing prevents compromised code from accessing your host system, and where you don't carry the vetting burden yourself, ",[72,1203,250],{"href":247,"rel":1204},[249],". $29/month per agent, BYOK. Every skill in our marketplace is reviewed. 
Sandboxed execution means even a problematic skill can't reach beyond its container. You build workflows. We handle the security.",[36,1207,258],{"id":257},[14,1209,1210],{},[96,1211,1212],{},"What is ClawHub?",[14,1214,1215],{},"ClawHub is the official skill registry for OpenClaw, hosting over 13,700 installable skill packages as of March 2026. Skills add capabilities to your OpenClaw agent: web search, calendar management, email, file operations, browser automation, and API integrations. ClawHub functions like npm or PyPI but for AI agent capabilities. Anyone can publish skills, and since the ClawHavoc cleanup, all submissions go through VirusTotal automated scanning.",[14,1217,1218],{},[96,1219,1220],{},"How does ClawHub compare to awesome-openclaw-skills?",[14,1222,1223],{},"ClawHub is the official registry with the largest collection (13,700+ skills) and auto-update support, but it's an open marketplace with minimal human review. awesome-openclaw-skills is a community-curated GitHub list tracking 5,400+ skills with basic quality filtering and maintainer oversight. Neither is a security guarantee. ClawHub has more skills and convenience. awesome-openclaw-skills has better curation. Use both as discovery tools, but always vet skills yourself before installation.",[14,1225,1226],{},[96,1227,1228],{},"How do I install skills from ClawHub safely?",[14,1230,1231],{},"Follow a 5-step process: check the publisher's identity and account history, read the source code for suspicious network calls and file access patterns, search community reports on GitHub and Discord, test in a sandboxed workspace for 24-48 hours while monitoring API usage, and set iteration limits and context caps after installation. The active vetting takes 5-10 minutes per skill plus a 24-hour monitoring window.",[14,1233,1234],{},[96,1235,1236],{},"How much do ClawHub skills cost to use?",[14,1238,1239],{},"Skills themselves are free to install from ClawHub. 
The cost comes from the API tokens they consume when your agent uses them. A web search skill adds roughly 1,000-3,000 tokens per search call. Browser automation can use 500-2,000 tokens per step. On Claude Sonnet ($3/$15 per million tokens), typical skill usage adds $5-20/month to your API bill depending on frequency. Set iteration limits to prevent runaway costs from skills that loop.",[14,1241,1242],{},[96,1243,1244],{},"Are ClawHub skills secure enough for business use?",[14,1246,1247],{},"Not without vetting. The ClawHavoc campaign found 824 malicious skills (roughly 20% of the registry). ClawHub has since purged 2,419 suspicious packages and added VirusTotal scanning, but automated detection doesn't catch everything. Cisco independently found a legitimate-looking skill performing data exfiltration. For business use, either vet every skill manually using the 5-step process, use a managed platform with a curated skill marketplace (like BetterClaw), or build custom skills for sensitive 
integrations.",{"title":345,"searchDepth":346,"depth":346,"links":1249},[1250,1251,1258,1263,1264,1268,1272,1273,1274,1275],{"id":785,"depth":346,"text":786},{"id":817,"depth":346,"text":818,"children":1252},[1253,1255,1256,1257],{"id":825,"depth":1254,"text":826},3,{"id":838,"depth":1254,"text":839},{"id":851,"depth":1254,"text":852},{"id":864,"depth":1254,"text":865},{"id":883,"depth":346,"text":884,"children":1259},[1260,1261,1262],{"id":890,"depth":1254,"text":891},{"id":906,"depth":1254,"text":907},{"id":919,"depth":1254,"text":920},{"id":950,"depth":346,"text":951},{"id":996,"depth":346,"text":997,"children":1265},[1266,1267],{"id":1003,"depth":1254,"text":1004},{"id":1025,"depth":1254,"text":1026},{"id":1060,"depth":346,"text":1061,"children":1269},[1270,1271],{"id":1067,"depth":1254,"text":1068},{"id":1074,"depth":1254,"text":1075},{"id":1098,"depth":346,"text":1099},{"id":1145,"depth":346,"text":1146},{"id":1188,"depth":346,"text":1189},{"id":257,"depth":346,"text":258},"2026-03-25","13,700+ OpenClaw skills on ClawHub. 824 were malicious. 
Here's how to find, vet, and safely install skills without exposing your API keys.","/img/blog/clawhub-skills-directory.jpg",{},"16 min read",{"title":758,"description":1277},"ClawHub Skills Directory: Complete 2026 Guide","blog/clawhub-skills-directory",[1285,1286,1287,1288,1289,1290,375,1291],"ClawHub skills","OpenClaw skills directory","ClawHub guide","OpenClaw skills marketplace","safe OpenClaw skills","ClawHub security","OpenClaw skill vetting","eYe9rNhfWKDi2Ce0JP9DFpMNFvf08qyPreEcDpUe8YM",{"id":1294,"title":1295,"author":1296,"body":1297,"category":358,"date":1667,"description":1668,"extension":361,"featured":362,"image":1669,"meta":1670,"navigation":365,"path":713,"readingTime":1671,"seo":1672,"seoTitle":1673,"stem":1674,"tags":1675,"updatedDate":1667,"__hash__":1683},"blog/blog/openclaw-gateway-guide.md","OpenClaw Gateway Explained: Setup, Security, and Common Mistakes",{"name":7,"role":8,"avatar":9},{"type":11,"value":1298,"toc":1652},[1299,1312,1317,1320,1323,1326,1330,1333,1336,1339,1342,1349,1353,1356,1364,1372,1378,1381,1390,1396,1400,1419,1422,1427,1430,1433,1440,1444,1447,1450,1453,1459,1466,1470,1474,1477,1480,1484,1487,1490,1494,1497,1500,1512,1518,1522,1525,1528,1531,1537,1540,1546,1548,1551,1554,1557,1565,1567,1572,1575,1580,1594,1599,1602,1607,1610,1615,1621,1623],[14,1300,1301],{},[96,1302,1303,1304,1307,1308,1311],{},"The OpenClaw gateway is the HTTP server that handles every connection to your agent. The single most important setting is the bind address: on a server, set it to ",[474,1305,1306],{},"127.0.0.1"," (loopback) so only the local machine can reach it, and use SSH tunneling for remote access. The default ",[474,1309,1310],{},"0.0.0.0"," binding is what exposed 30,000+ OpenClaw instances to the public internet.",[14,1313,1314],{},[17,1315,1316],{},"The gateway is how your agent talks to the world. If it's misconfigured, anyone on the internet can talk to your agent too. 
Here's what you need to know.",[14,1318,1319],{},"Thirty thousand OpenClaw instances were found exposed on the internet without authentication. Thirty thousand. Censys, Bitsight, and Hunt.io all independently confirmed the number. Every one of those instances had a misconfigured gateway.",[14,1321,1322],{},"The OpenClaw gateway is the single most important security setting in your entire setup, and it's the one most people never think about. If you get this wrong, anyone on the internet can send messages to your agent, read your conversations, and potentially access whatever your agent has access to (your files, your API keys, your connected platforms).",[14,1324,1325],{},"Here's what the gateway actually is, why the default configuration is dangerous on a server, and the one change that fixes it.",[36,1327,1329],{"id":1328},"what-the-openclaw-gateway-actually-is","What the OpenClaw gateway actually is",[14,1331,1332],{},"Think of the OpenClaw gateway as the front door to your agent. It's the HTTP server that accepts incoming connections and routes them to the agent. When you open the OpenClaw web interface in your browser, you're connecting through the gateway. When Telegram delivers a message to your agent, it arrives through the gateway. When a cron job fires, the gateway processes it.",[14,1334,1335],{},"Every interaction with your agent flows through the gateway. It handles authentication (or doesn't, depending on your configuration), manages WebSocket connections for real-time chat, processes incoming messages from connected platforms, and serves the web-based TUI interface.",[14,1337,1338],{},"On your local machine, this is straightforward. The gateway runs on your computer. Only you can access it. The front door is inside your house.",[14,1340,1341],{},"On a VPS or remote server, the situation changes entirely. The gateway runs on a server connected to the public internet. 
If the front door is open and facing the street, anyone can walk in.",[14,1343,1344,1345,1348],{},"For the ",[72,1346,1347],{"href":334},"complete OpenClaw security checklist",", our security guide covers the gateway alongside nine other security measures.",[36,1350,1352],{"id":1351},"the-127001-vs-0000-problem-this-is-the-dangerous-part","The 127.0.0.1 vs 0.0.0.0 problem (this is the dangerous part)",[14,1354,1355],{},"This is where most people get it wrong. Stay with me here because this single setting is responsible for the majority of exposed OpenClaw instances.",[14,1357,1358,1363],{},[96,1359,1360,1362],{},[474,1361,1306],{}," (loopback)"," means the gateway only accepts connections from the same machine it's running on. If someone on the internet tries to connect, they can't. The door only opens from inside the house. This is what you want on a server.",[14,1365,1366,1371],{},[96,1367,1368,1370],{},[474,1369,1310],{}," (all interfaces)"," means the gateway accepts connections from anywhere. Your machine, your local network, and the entire internet. The door is open to the street. This is the default for some OpenClaw configurations, and it's the default that GitHub Issue #5263 flagged (closed by a maintainer as \"not planned\" to change).",[14,1373,1374,1375,1377],{},"Here's the problem: if your gateway binds to ",[474,1376,1310],{}," on a VPS without a firewall blocking the gateway port, your agent is publicly accessible. No password. No authentication. Anyone who finds your IP address and port can interact with your agent, read your conversation history, and potentially trigger actions through your connected platforms.",[14,1379,1380],{},"The CVE-2026-25253 vulnerability (CVSS 8.8, one-click remote code execution) was especially dangerous for instances with exposed gateways. An attacker could exploit the WebSocket vulnerability to execute arbitrary code on the host machine. 
The vulnerability was patched, but instances with publicly exposed gateways were the easiest targets.",[14,1382,1383,1384,1386,1387,1389],{},"If your OpenClaw gateway binds to ",[474,1385,1310],{}," on a server, your agent is public. Change it to ",[474,1388,1306],{},". This is the single most important security setting in your configuration.",[14,1391,1392],{},[129,1393],{"alt":1394,"src":1395},"OpenClaw gateway loopback vs all-interfaces binding diagram showing 127.0.0.1 keeping the agent private and 0.0.0.0 exposing it to the internet","/img/blog/openclaw-gateway-guide-bind-address.jpg",[36,1397,1399],{"id":1398},"the-one-change-you-must-make-before-exposing-your-gateway","The one change you must make before exposing your gateway",[14,1401,1402,1403,1406,1407,1410,1411,1414,1415,1418],{},"Set the gateway bind address to loopback in your OpenClaw config. In your ",[474,1404,1405],{},"openclaw.json"," (or equivalent config file), the gateway section should have its ",[474,1408,1409],{},"bind"," setting set to ",[474,1412,1413],{},"\"loopback\""," or the bind address set to ",[474,1416,1417],{},"\"127.0.0.1\"",".",[14,1420,1421],{},"This single change means the gateway only listens for connections from the local machine. External traffic can't reach it directly. Your agent is invisible to the internet.",[14,1423,1424],{},[96,1425,1426],{},"But wait, how do I access my agent remotely if it only listens locally?",[14,1428,1429],{},"SSH tunneling. You create an encrypted tunnel from your personal machine to the server. The tunnel forwards the gateway port from the remote server to your local machine. You open your browser, connect to localhost on the forwarded port, and the traffic travels through the encrypted SSH connection to the server.",[14,1431,1432],{},"This gives you remote access to the gateway without exposing it to the internet. Only someone with SSH credentials can create the tunnel. 
Everyone else sees nothing.",[14,1434,1435,1436,1439],{},"On ",[72,1437,1438],{"href":173},"BetterClaw, gateway binding is handled and locked down by default",". This isn't something you configure or can accidentally misconfigure. The gateway is never publicly exposed. $29/month per agent, BYOK. The security configuration is part of the platform.",[36,1441,1443],{"id":1442},"how-to-set-up-secure-remote-access","How to set up secure remote access",[14,1445,1446],{},"The SSH tunnel approach is the standard way to access a loopback-bound gateway remotely.",[14,1448,1449],{},"From your personal machine, open a terminal and create an SSH connection to your server with port forwarding. You specify which local port on your machine should map to which port on the remote server. The gateway's default port (varies by configuration, commonly 3000 or 4000) gets forwarded to a local port on your machine.",[14,1451,1452],{},"Once the tunnel is open, you access the OpenClaw web interface by opening your browser and going to localhost on the forwarded port. The traffic travels through the encrypted SSH tunnel to the server, reaches the loopback-bound gateway, and works exactly as if you were sitting at the server.",[14,1454,1455,1458],{},[96,1456,1457],{},"Why not just open the port publicly and add a password?"," Because OpenClaw's built-in authentication is minimal. The gateway wasn't designed as a public-facing web service. It was designed as a local interface. Adding a reverse proxy with authentication (nginx with HTTP basic auth, for example) is possible but adds complexity. 
SSH tunneling gives you encrypted, authenticated access with zero additional software.",[14,1460,1344,1461,1465],{},[72,1462,1464],{"href":1463},"/blog/openclaw-vps-setup","complete VPS setup walkthrough"," including firewall configuration and SSH hardening, our self-hosting guide covers the full server security stack.",[36,1467,1469],{"id":1468},"common-gateway-errors-and-what-they-mean","Common gateway errors and what they mean",[823,1471,1473],{"id":1472},"connection-refused","Connection refused",[14,1475,1476],{},"You're trying to connect to the gateway and getting \"connection refused.\"",[14,1478,1479],{},"This means nothing is listening on the port you're trying to reach. Either the gateway isn't running (start it), you're using the wrong port (check your config), or the gateway is bound to loopback and you're trying to connect from outside the machine without an SSH tunnel (set up the tunnel).",[823,1481,1483],{"id":1482},"gateway-already-in-use-eaddrinuse","Gateway already in use (EADDRINUSE)",[14,1485,1486],{},"The port the gateway wants to use is already occupied by another process.",[14,1488,1489],{},"Something else is running on that port. Check what's using it and either stop that process or change the gateway port in your OpenClaw config. Common culprits: a previous OpenClaw instance that didn't shut down cleanly, another Node.js application, or a system service.",[823,1491,1493],{"id":1492},"timeout-on-remote-connection","Timeout on remote connection",[14,1495,1496],{},"You can reach the server but the gateway connection times out.",[14,1498,1499],{},"This usually means a firewall is blocking the port. If you're using SSH tunneling (as you should be), the firewall should block the gateway port from external access. The tunnel bypasses the firewall through the SSH connection. 
If you're getting timeouts through an SSH tunnel, the gateway isn't running or is bound to a different port than the one you're forwarding.",[14,1501,1502,1503,1507,1508,1511],{},"For the broader ",[72,1504,1506],{"href":1505},"/blog/openclaw-not-working","OpenClaw troubleshooting guide covering all first-hour errors",", our ",[72,1509,1510],{"href":1505},"error guide"," covers the six most common problems new users hit.",[14,1513,1514],{},[129,1515],{"alt":1516,"src":1517},"OpenClaw gateway error decision flow showing connection refused, EADDRINUSE, and timeout fixes","/img/blog/openclaw-gateway-guide-errors.jpg",[36,1519,1521],{"id":1520},"how-to-know-if-your-gateway-is-exposed-right-now","How to know if your gateway is exposed right now",[14,1523,1524],{},"If you're running OpenClaw on a server and you're not sure whether your gateway is exposed, check immediately.",[14,1526,1527],{},"From a different machine (not the server), try to access your server's IP address on the gateway port through a web browser. If you see the OpenClaw web interface or get any response other than a timeout or connection refused, your gateway is publicly exposed.",[14,1529,1530],{},"If you get a connection timeout or connection refused, the gateway is either not exposed or a firewall is blocking external access. Both are acceptable states.",[14,1532,1533,1536],{},[96,1534,1535],{},"If your gateway is exposed:"," change the bind setting to loopback immediately. Restart the gateway. Verify the external access no longer works. Then rotate all API keys stored in your configuration, because if the gateway was exposed, someone may have already accessed your setup.",[14,1538,1539],{},"Check your OpenClaw logs for unfamiliar conversations or requests. 
If you see messages you didn't send, someone else was using your agent.",[14,1541,462,1542,1545],{},[72,1543,1544],{"href":725},"managed vs self-hosted comparison"," covers how different deployment approaches handle gateway security, including which platforms prevent exposure by default.",[36,1547,622],{"id":621},[14,1549,1550],{},"The OpenClaw gateway is simple in concept (it's the HTTP server your agent uses to communicate) and dangerous in default configuration (it can expose your agent to the entire internet with one wrong setting).",[14,1552,1553],{},"Bind to loopback. Use SSH tunnels. Block the port in your firewall. These three actions take 10 minutes and prevent the exact exposure that affected 30,000+ instances.",[14,1555,1556],{},"The OpenClaw maintainer Shadow warned that \"if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely.\" The gateway is the specific thing he's talking about. It's the difference between a private assistant and a public service that anyone can abuse.",[14,1558,1559,1560,1564],{},"If gateway security, firewall configuration, and SSH tunnel management isn't something you want to handle, ",[72,1561,1563],{"href":247,"rel":1562},[249],"give Better Claw a try",". $29/month per agent, BYOK with 28+ providers. Gateway security is locked down by default. AES-256 encrypted credentials. Docker-sandboxed execution. The infrastructure security is handled so you focus on what your agent does, not on whether someone else is using it.",[36,1566,258],{"id":257},[14,1568,1569],{},[96,1570,1571],{},"What is the OpenClaw gateway?",[14,1573,1574],{},"The OpenClaw gateway is the HTTP server component that handles all communication between your agent and the outside world. It processes incoming messages from connected platforms (Telegram, WhatsApp, Slack), serves the web-based chat interface, manages WebSocket connections, and routes requests to the agent. 
Every interaction with your OpenClaw agent flows through the gateway.",[14,1576,1577],{},[96,1578,1579],{},"What's the difference between 127.0.0.1 and 0.0.0.0 in OpenClaw gateway settings?",[14,1581,1582,1584,1585,1587,1588,1590,1591,1593],{},[474,1583,1306],{}," (loopback) means the gateway only accepts connections from the local machine. ",[474,1586,1310],{}," (all interfaces) means it accepts connections from anywhere, including the public internet. On a server, binding to ",[474,1589,1310],{}," without a firewall makes your agent publicly accessible to anyone who finds your IP. Always bind to ",[474,1592,1306],{}," on servers and use SSH tunnels for remote access.",[14,1595,1596],{},[96,1597,1598],{},"How do I securely access my OpenClaw gateway remotely?",[14,1600,1601],{},"Use SSH tunneling. Create an SSH connection from your personal machine to the server with port forwarding. This forwards the gateway's local port through the encrypted SSH connection to your machine. You access the gateway through localhost on your personal machine, and the traffic travels securely through the tunnel. This gives you remote access without exposing the gateway to the internet.",[14,1603,1604],{},[96,1605,1606],{},"How do I check if my OpenClaw gateway is exposed?",[14,1608,1609],{},"From a different machine (not the server), try to access your server's IP address and gateway port in a web browser. If you see the OpenClaw interface or get any response other than a timeout, your gateway is publicly accessible. Fix immediately: change the bind setting to loopback, restart the gateway, and rotate all API keys. 30,000+ OpenClaw instances were found exposed this way.",[14,1611,1612],{},[96,1613,1614],{},"Is the default OpenClaw gateway configuration secure?",[14,1616,1617,1618,1620],{},"On a local machine (your laptop or desktop), the default is generally safe because the machine isn't directly exposed to the internet. 
On a server or VPS, the default bind to ",[474,1619,1310],{}," is dangerous. GitHub Issue #5263 requested changing this default, but it was closed as \"not planned.\" You must manually change the bind to loopback on any server deployment. Managed platforms like BetterClaw handle this automatically.",[36,1622,307],{"id":306},[309,1624,1625,1630,1635,1641,1647],{},[312,1626,1627,1629],{},[72,1628,322],{"href":220}," — Nine more security measures alongside gateway binding",[312,1631,1632,1634],{},[72,1633,335],{"href":334}," — Why 30,000+ instances were exposed and what attackers do with them",[312,1636,1637,1640],{},[72,1638,1639],{"href":1463},"OpenClaw VPS Setup: The Real Cost of $8/Month Hosting"," — Full server security stack including firewall and SSH hardening",[312,1642,1643,1646],{},[72,1644,1645],{"href":1505},"OpenClaw Not Working: Every Fix in One Guide"," — Connection errors and other first-hour issues",[312,1648,1649,1651],{},[72,1650,726],{"href":725}," — How managed deployment handles gateway security automatically",{"title":345,"searchDepth":346,"depth":346,"links":1653},[1654,1655,1656,1657,1658,1663,1664,1665,1666],{"id":1328,"depth":346,"text":1329},{"id":1351,"depth":346,"text":1352},{"id":1398,"depth":346,"text":1399},{"id":1442,"depth":346,"text":1443},{"id":1468,"depth":346,"text":1469,"children":1659},[1660,1661,1662],{"id":1472,"depth":1254,"text":1473},{"id":1482,"depth":1254,"text":1483},{"id":1492,"depth":1254,"text":1493},{"id":1520,"depth":346,"text":1521},{"id":621,"depth":346,"text":622},{"id":257,"depth":346,"text":258},{"id":306,"depth":346,"text":307},"2026-04-08","30,000+ OpenClaw instances were found exposed because of one gateway setting. 
Here's what the gateway does and how to secure it properly.","/img/blog/openclaw-gateway-guide.jpg",{},"11 min read",{"title":1295,"description":1668},"OpenClaw Gateway: Setup, Security, Common Mistakes","blog/openclaw-gateway-guide",[1676,1677,1678,1679,1680,1681,1682],"OpenClaw gateway","OpenClaw gateway security","OpenClaw gateway setup","OpenClaw 127.0.0.1","OpenClaw 0.0.0.0","OpenClaw gateway exposed","OpenClaw remote access","K_bOzwW0f0YQkEJO4Q4Z2_H4syBNwerAut8LQ_OEi8E",1776341557665]