[{"data":1,"prerenderedAt":1616},["ShallowReactive",2],{"blog-post-openclaw-secrets-management-stop-plaintext-api-keys":3,"related-posts-openclaw-secrets-management-stop-plaintext-api-keys":386},{"id":4,"title":5,"author":6,"body":10,"category":365,"date":366,"description":367,"extension":368,"featured":369,"image":370,"meta":371,"navigation":372,"path":373,"readingTime":374,"seo":375,"seoTitle":376,"stem":377,"tags":378,"updatedDate":366,"__hash__":385},"blog/blog/openclaw-secrets-management-stop-plaintext-api-keys.md","OpenClaw Secrets Management: How to Stop Storing API Keys in Plaintext",{"name":7,"role":8,"avatar":9},"Shabnam Katoch","Growth Head","/img/avatars/shabnam-profile.jpeg",{"type":11,"value":12,"toc":350},"minimark",[13,20,23,26,29,32,37,40,43,46,49,52,55,59,62,69,84,90,96,102,105,112,116,119,122,125,128,131,135,138,141,144,147,153,157,160,163,166,169,175,179,182,191,194,200,204,207,210,213,216,224,227,231,234,237,240,243,246,250,258,266,269,272,282,286,289,292,295,298,301,305,310,313,318,321,326,329,334,337,342],[14,15,16],"p",{},[17,18,19],"em",{},"Your .env file is not a vault. Here's what to do instead before someone finds out the hard way.",[14,21,22],{},"A founder I know pushed a commit at 11 PM.",[14,24,25],{},"By 11:04 PM, his OpenAI key was sitting in a public GitHub repo. By 2 AM, the key had been scraped, used, and racked up $3,200 in API charges running someone's crypto research project across three continents. By morning, he was on the phone with OpenAI's support begging for a billing adjustment and rotating every credential he owned.",[14,27,28],{},"He'd stored his API key in a .env file. He'd meant to add it to .gitignore. He forgot.",[14,30,31],{},"This is what OpenClaw secrets management is actually about. Not certificates. Not enterprise compliance frameworks. Not some abstract security posture you draft in a Notion doc and never follow. 
It's about the thousand small places where your API keys accidentally end up in plaintext, and the attackers who are specifically looking for that.",[33,34,36],"h2",{"id":35},"why-openclaw-agents-make-this-harder-than-normal-apps","Why OpenClaw agents make this harder than normal apps",[14,38,39],{},"Most apps have a few credentials. A database URL. A payment provider key. Maybe a third-party API or two.",[14,41,42],{},"OpenClaw agents don't work that way.",[14,44,45],{},"A real production OpenClaw agent is carrying 10 to 20 credentials at any given time. The model provider API key. Slack bot tokens. GitHub personal access tokens. Database connection strings. Webhook signing secrets. Skill-specific keys for every integration you've installed. BYOK credentials for each model you route between.",[14,47,48],{},"Every one of those is a live credential sitting somewhere on your infrastructure. Every one of them is a key an attacker would love to find.",[14,50,51],{},"Here's the weird part. The OpenClaw ecosystem has made this worse, not better, as it's grown. When Censys, Bitsight, and Hunt.io scanned the internet earlier this year, they found 30,000+ OpenClaw instances exposed without authentication. Many of those instances had API keys sitting in config files or environment variables, one reverse-shell away from being harvested.",[14,53,54],{},"Secrets management isn't a nice-to-have in this space. It's the thing standing between your agent and a $3,200 bill you didn't authorize.",[33,56,58],{"id":57},"the-five-places-your-secrets-are-probably-sitting-in-plaintext-right-now","The five places your secrets are probably sitting in plaintext right now",[14,60,61],{},"Quick audit. Open a terminal, go to wherever you run your OpenClaw agent, and check whether any of these are true.",[14,63,64,68],{},[65,66,67],"strong",{},"Your .env file."," The default home for most environment variables. Usually on disk, unencrypted, readable by anyone with shell access to the machine. 
If the machine is compromised, the keys are gone.",[14,70,71,74,75,79,80,83],{},[65,72,73],{},"Your shell history."," If you ever pasted an API key directly on the command line, it's in ",[76,77,78],"code",{},"~/.bash_history"," or ",[76,81,82],{},"~/.zsh_history",". Most people forget this exists.",[14,85,86,89],{},[65,87,88],{},"Your config files."," Some OpenClaw setups write credentials directly into config files, depending on how the skill was implemented. YAML, JSON, TOML, whatever flavor.",[14,91,92,95],{},[65,93,94],{},"Your Docker images."," If you built credentials into the image at build time, they're in the image layers. Anyone with the image has the keys. Even if you overwrite the variable later, the earlier layer still has it.",[14,97,98,101],{},[65,99,100],{},"Your backups."," Every backup of your VPS, every snapshot, every archive, every rsync copy. All of those have your plaintext secrets if the source did.",[14,103,104],{},"If you checked three or more of those, congratulations, you have a secrets management problem. Most teams do when they first audit.",[14,106,107],{},[108,109],"img",{"alt":110,"src":111},"Diagram showing five common plaintext secret locations on an OpenClaw deployment: .env files, shell history, config files, Docker image layers, and backup archives","/img/blog/openclaw-secrets-management-plaintext-locations.jpg",[33,113,115],{"id":114},"what-stop-storing-api-keys-in-plaintext-actually-means","What \"stop storing API keys in plaintext\" actually means",[14,117,118],{},"This phrase gets thrown around in security posts without anyone defining it. Let me define it specifically for OpenClaw deployments.",[14,120,121],{},"Plaintext storage means: the credential exists somewhere on your infrastructure in a form that can be read directly without a decryption step. Your .env file is plaintext. A YAML config is plaintext. 
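That definition doubles as a test you can run. Added here as an illustration, not code from the post or from OpenClaw, the Python below walks the locations from the audit above (the .env file, shell history, YAML/JSON/TOML config, and a restored backup tree; a Docker image once its layers are unpacked) and flags anything shaped like a credential. The pattern names, regexes, `scan_tree` and `run_audit_demo` are this example's own, and every sample value is a constructed placeholder (AKIAIOSFODNN7EXAMPLE is the documented AWS example key). Findings are redacted to four characters so the report itself isn't another plaintext copy.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Credential shapes with documented public prefixes (sk- OpenAI, xox?- Slack,
# gh?_ GitHub, AKIA AWS). The pattern names and regexes are this example's own.
PATTERNS = {
    'openai_key': re.compile(r'sk-[A-Za-z0-9_-]{20,}'),
    'slack_token': re.compile(r'xox[abp]-[A-Za-z0-9-]{10,}'),
    'github_pat': re.compile(r'gh[pousr]_[A-Za-z0-9]{20,}'),
    'aws_access_key_id': re.compile(r'AKIA[0-9A-Z]{16}'),
    # scheme://user:password@host, the shape of a leaked database URL
    'connection_string': re.compile(r'[a-z][a-z0-9+]*://[^ :/@]+:[^ @]+@[^ ]+'),
    # NAME=value or name: value where the name mentions key/token/secret/password
    'generic_assignment': re.compile(
        r'(?i)[A-Za-z0-9_]*(key|token|secret|password)[A-Za-z0-9_]*[ ]*[=:][ ]*[^ ]{8,}'),
}

# The on-disk places the post lists, relative to the agent's home or working
# directory. Unpack Docker layers or a backup into a directory and scan that too.
AUDIT_GLOBS = ('.env', '.env.*', '*.yaml', '*.yml', '*.json', '*.toml',
               '.bash_history', '.zsh_history', 'backup/**/*')

@dataclass(frozen=True)
class Finding:
    path: str      # relative to the scanned root
    line: int
    pattern: str
    preview: str   # redacted, so the audit report does not itself leak the key

def redact(value: str) -> str:
    '''Keep four characters: enough to recognise the key, useless to an attacker.'''
    return value[:4] + '...' if len(value) > 4 else '****'

def scan_file(path: Path, root: Path) -> list[Finding]:
    try:
        text = path.read_text(errors='replace')
    except OSError:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, regex in PATTERNS.items():
            match = regex.search(line)
            if match:
                findings.append(Finding(path.relative_to(root).as_posix(),
                                        lineno, name, redact(match.group(0))))
    return findings

def scan_tree(root: Path) -> list[Finding]:
    '''Walk the audit locations under root and report every credential-looking value.'''
    findings: list[Finding] = []
    seen: set[Path] = set()
    for pattern in AUDIT_GLOBS:
        for path in root.glob(pattern):
            if path.is_file() and path not in seen:
                seen.add(path)
                findings.extend(scan_file(path, root))
    return findings

def write_lines(path: Path, lines: list[str]) -> None:
    with path.open('w') as fh:
        for line in lines:
            print(line, file=fh)

def build_sample_deployment(root: Path) -> None:
    '''Constructed sample files standing in for a self-hosted agent host. Every
    value is a placeholder (AKIAIOSFODNN7EXAMPLE is the documented AWS example).'''
    write_lines(root / '.env', [
        'OPENAI_API_KEY=sk-EXAMPLEKEY00000000000000000000',
        'DATABASE_URL=postgres://agent:s3cretpass@db.internal:5432/agent',
        'MODEL=gpt-4o',
    ])
    write_lines(root / '.bash_history', [
        'cd ~/openclaw',
        'export SLACK_BOT_TOKEN=xoxb-000000000000-EXAMPLESLACKTOKEN',
        'docker compose up -d',
    ])
    write_lines(root / 'config.yaml', [
        'model: gpt-4o',
        'github_token: ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000',
        'aws_access_key_id: AKIAIOSFODNN7EXAMPLE',
    ])
    snapshot = root / 'backup' / 'snapshot-2026-04-01'   # a restored VPS snapshot
    snapshot.mkdir(parents=True)
    write_lines(snapshot / '.env', (root / '.env').read_text().splitlines())

def run_audit_demo() -> dict[str, list[str]]:
    '''Build the sample tree in a temp dir, scan it, and summarise patterns per file.'''
    report: dict[str, set[str]] = {}
    with tempfile.TemporaryDirectory(prefix='openclaw-audit-') as tmp:
        root = Path(tmp)
        build_sample_deployment(root)
        for f in scan_tree(root):
            report.setdefault(f.path, set()).add(f.pattern)
    return {path: sorted(names) for path, names in sorted(report.items())}

if __name__ == '__main__':
    for path, names in run_audit_demo().items():
        print(f'{path}: {names}')
```

Run it against a real host by calling `scan_tree(Path.home())` or the agent's working directory, and expect the generic pattern to catch things the named ones miss. For the Docker case, `docker history --no-trunc IMAGE` prints the `ENV` and `ARG` values baked into each layer; `docker save IMAGE` gives you a tarball whose layers are themselves tar files, and once unpacked the same scan runs over them. Build-time secrets belong in a BuildKit `RUN --mount=type=secret` mount, which never lands in a layer.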
An environment variable inside a running container is plaintext to anything inside that container, and to anyone on the host who can run `docker inspect` on it.",[14,123,124],{},"The fix isn't \"don't store credentials.\" You need them to exist somewhere or your agent can't work. The fix is \"store them encrypted at rest, decrypt them just-in-time when the agent actually needs them, and make sure the decrypted version never lives longer than it has to.\"",[14,126,127],{},"A secret you can read in a text editor is not a secret. It's a liability with a timer on it.",[14,129,130],{},"In practice, this means one of three approaches. Let me walk through each.",[33,132,134],{"id":133},"option-1-secret-manager-service","Option 1: Secret manager service",[14,136,137],{},"The gold standard. Use a dedicated secret management service like AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, Doppler, or 1Password Secrets Automation. Your agent requests the credential at runtime, the service returns it, and the credential never has to touch disk.",[14,139,140],{},"The benefits are real. Audit logs of every access. Automatic rotation. Fine-grained permissions. Revocation takes seconds.",[14,142,143],{},"The tradeoff: you're now managing another service. Another credential to reach that service, which should be the instance role or workload identity your cloud already attaches to the VM, not another static key in a file, or you've only moved the problem. Another vendor bill. Another thing to configure correctly.",[14,145,146],{},"For teams already running on AWS or GCP, this is the path of least resistance. 
Secrets Manager and Secret Manager integrate cleanly and the per-secret cost is negligible.",[14,148,149],{},[108,150],{"alt":151,"src":152},"Runtime flow diagram of an OpenClaw agent requesting a credential from AWS Secrets Manager, receiving the secret just in time, and never persisting it to disk","/img/blog/openclaw-secrets-management-secret-manager-flow.jpg",[33,154,156],{"id":155},"option-2-encrypted-env-var-at-rest-decrypted-at-runtime","Option 2: Encrypted env var at rest, decrypted at runtime",[14,158,159],{},"If a full secret manager is overkill, the next best thing is encrypting your environment files at rest using a key you control separately. SOPS (started at Mozilla, now a CNCF project) is the usual tool: it encrypts the values in a .env or YAML file while leaving the key names readable, using an age key, a PGP key, or a cloud KMS key as the backend. age on its own can encrypt the whole file too. Either way, the decryption key lives somewhere other than the file itself.",[14,161,162],{},"Your agent decrypts the env file at startup. The decrypted values live in the process's memory while it runs. The file on disk stays encrypted. (`sops exec-env` does exactly this: it runs the agent process with the decrypted values in its environment and never writes them to disk.)",[14,164,165],{},"This is materially better than a plaintext .env. It's not as strong as a secret manager because the decryption key still has to live somewhere your agent can reach it, and \"somewhere\" often ends up being another file on the same machine. You've raised the bar for attackers but you haven't moved the secret off-server. Pointing SOPS at a cloud KMS key instead of a local age key does move the key off the box, but then the agent needs KMS permissions, which is most of the way to option 1.",[14,167,168],{},"For solo operators and small teams, SOPS-encrypted env files are a reasonable middle ground. For anyone running multiple agents or team setups, skip to option 1.",[14,170,171],{},[108,172],{"alt":173,"src":174},"SOPS workflow diagram showing a plaintext env file encrypted with a separately managed key, stored encrypted at rest, and decrypted in memory when the OpenClaw agent starts","/img/blog/openclaw-secrets-management-sops-workflow.jpg",[33,176,178],{"id":177},"option-3-managed-platform-handles-it-for-you","Option 3: Managed platform handles it for you",[14,180,181],{},"The third path is the one most OpenClaw users actually end up taking. 
Run your agent on a platform that handles secrets management as a built-in feature. You paste your API keys into a UI once. The platform stores them encrypted at rest (AES-256 is table stakes). The platform injects them into your agent's runtime as needed. You never touch a .env file.",[14,183,184,185,190],{},"This is how ",[186,187,189],"a",{"href":188},"/","BetterClaw's managed OpenClaw deployment"," handles it. $29/month per agent includes encrypted credential storage, workspace scoping so one compromised agent can't access another agent's keys, and audit logs of credential access. The keys never sit in plaintext anywhere your ops team has to protect.",[14,192,193],{},"The honest tradeoff: you're trusting the platform's implementation. Ask them specifically how credentials are encrypted, where the decryption keys live, and what their audit story looks like. Any managed platform that can't answer those three questions clearly shouldn't be storing your keys.",[14,195,196],{},[108,197],{"alt":198,"src":199},"Illustration of a managed OpenClaw credential vault UI with AES-256 encrypted storage, workspace-scoped access, and an audit log panel showing recent credential reads","/img/blog/openclaw-secrets-management-managed-vault.jpg",[33,201,203],{"id":202},"the-rotation-problem-nobody-talks-about","The rotation problem nobody talks about",[14,205,206],{},"Here's what nobody tells you about secrets management. Encryption at rest is the easy part. Rotation is the hard part.",[14,208,209],{},"Every credential you store should have a rotation schedule. API keys rotated every 90 days. Webhook secrets rotated whenever someone leaves the team. Service account tokens rotated whenever their scope changes.",[14,211,212],{},"Most teams rotate credentials approximately never.",[14,214,215],{},"The reason is dumb but honest: rotation is annoying. You have to generate the new credential, update it in every place that uses it, verify nothing broke, and revoke the old one. 
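The cut-over is where rotation actually breaks things: the moment the new secret goes live, every consumer still holding the old one starts failing. For a webhook signing secret the standard answer is a grace window in which both keys are accepted. Added here as an illustration, not code from the post or from OpenClaw, `SigningKeyring` below is a hypothetical keyring that signs with the current key, verifies against current or previous until `overlap_until`, and refuses to revoke the old key before that window closes; the clock is injected so the walkthrough is deterministic, and the sample payload is constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical keyring for one webhook signing secret. The class and method
# names are this example's own, not an OpenClaw or vendor API.
@dataclass
class SigningKeyring:
    current: bytes
    previous: Optional[bytes] = None
    overlap_until: float = 0.0          # epoch seconds; previous is honoured until then
    audit: list = field(default_factory=list)

    def sign(self, body: bytes) -> str:
        '''Producers always sign with the current key.'''
        return hmac.new(self.current, body, hashlib.sha256).hexdigest()

    def verify(self, body: bytes, signature: str, now: Optional[float] = None) -> bool:
        '''Consumers accept the current key, plus the previous one inside the overlap window.'''
        now = time.time() if now is None else now
        candidates = [self.current]
        if self.previous is not None and now < self.overlap_until:
            candidates.append(self.previous)
        for key in candidates:
            expected = hmac.new(key, body, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, signature):   # constant-time compare
                return True
        return False

    def rotate(self, new_key: bytes, overlap_seconds: int, now: Optional[float] = None) -> None:
        '''Promote the new key; keep the old one alive for a grace period so consumers
        can be updated one at a time instead of all at once.'''
        now = time.time() if now is None else now
        self.previous, self.current = self.current, new_key
        self.overlap_until = now + overlap_seconds
        self.audit.append(f'rotated at {now:.0f}, previous honoured until {self.overlap_until:.0f}')

    def revoke_previous(self, now: Optional[float] = None) -> bool:
        '''Drop the old key, but only once the overlap window has closed.'''
        now = time.time() if now is None else now
        if self.previous is None or now < self.overlap_until:
            return False
        self.previous = None
        self.audit.append(f'revoked previous at {now:.0f}')
        return True

def run_rotation_demo() -> dict:
    '''One full rotation with an injected clock so the outcome is deterministic.'''
    t0 = 1_700_000_000.0
    ring = SigningKeyring(current=secrets.token_bytes(32))
    body = b'event=deploy&agent=42'      # constructed sample webhook payload
    sig_with_old_key = ring.sign(body)   # a delivery signed before rotation
    ring.rotate(secrets.token_bytes(32), overlap_seconds=3600, now=t0)
    return {
        'old_sig_during_overlap': ring.verify(body, sig_with_old_key, now=t0 + 60),
        'new_sig_during_overlap': ring.verify(body, ring.sign(body), now=t0 + 60),
        'revoke_too_early': ring.revoke_previous(now=t0 + 60),
        'old_sig_after_overlap': ring.verify(body, sig_with_old_key, now=t0 + 3601),
        'revoke_after_overlap': ring.revoke_previous(now=t0 + 3601),
        'tampered_body': ring.verify(body + b'x', ring.sign(body), now=t0 + 60),
        'audit_entries': len(ring.audit),
    }

if __name__ == '__main__':
    for step, result in run_rotation_demo().items():
        print(f'{step}: {result}')
```

The same two-slot shape works for any shared secret the agent checks rather than presents (webhook signatures, inbound API tokens). For credentials the agent presents to a provider, the overlap lives on the provider's side: create the new key, switch the agent, confirm traffic on the old key has dropped to zero in the provider's usage logs, then revoke.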
For a production agent with 15 credentials, that's a half day of work every quarter. Nobody schedules it. Nobody does it.",[14,217,218,219,223],{},"This is where managed platforms earn their keep again. The ",[186,220,222],{"href":221},"/blog/openclaw-security-checklist","OpenClaw security checklist"," lists rotation as a top-three priority, and on a managed platform it's usually a two-click operation. On self-hosted, rotation means SSH-ing in, updating multiple files, restarting services, and praying nothing breaks.",[14,225,226],{},"Guess which one actually gets done.",[33,228,230],{"id":229},"the-part-that-catches-everyone-eventually","The part that catches everyone eventually",[14,232,233],{},"Here's the thing about plaintext secrets. You don't notice the problem until the problem notices you.",[14,235,236],{},"The founder at the top of this post didn't have a secrets management strategy because nothing bad had happened yet. The 30,000 exposed OpenClaw instances weren't run by negligent operators. They were run by smart people who figured they'd set up auth later. The Cisco researchers who found a third-party skill exfiltrating data? That skill was running on machines with the owner's API keys in environment variables, sitting there for the taking.",[14,238,239],{},"Every one of those incidents started with someone choosing convenience over security for a credential that seemed \"not that important.\" Until it was.",[14,241,242],{},"Stay with me here. The failure mode isn't malicious. It's inertia. You set up the agent. You get it working. You put the credentials in a .env because that's what the docs showed. You mean to harden it later. Later never comes. Six months in, you've got fifteen credentials in that file and no idea how to untangle them.",[14,244,245],{},"This is why the right time to fix your OpenClaw secrets management is week one, not month six. The setup cost is small when you have two credentials. 
It's massive when you have twenty.",[33,247,249],{"id":248},"the-self-hosted-reality-check","The self-hosted reality check",[14,251,252,253,257],{},"Running ",[186,254,256],{"href":255},"/compare/self-hosted","self-hosted OpenClaw"," with proper secrets management is doable. I've watched teams do it well. They're the exception.",[14,259,260,261,265],{},"The typical self-hosted OpenClaw setup uses environment variables on a VPS, with the env file sitting right next to the agent process. The ",[186,262,264],{"href":263},"/blog/secure-openclaw-vps-guide","right way to secure that VPS"," requires enabling full disk encryption, restricting SSH access, configuring firewall rules, setting up log monitoring, and ideally moving to a secret manager for the credentials themselves.",[14,267,268],{},"That's a real day of work for one agent. Multiply by the number of agents you run and the ongoing maintenance burden.",[14,270,271],{},"The cost math I've seen play out: teams running three or more self-hosted OpenClaw agents spend more on secrets management infrastructure, rotation work, and incident response than they'd spend on a managed platform at $29/month per agent. The savings from self-hosting get eaten by the security work nobody enjoys doing.",[14,273,274,275,281],{},"If you just want your OpenClaw credentials stored correctly from day one without building your own secrets infrastructure, ",[186,276,280],{"href":277,"rel":278},"https://app.betterclaw.io/sign-in",[279],"nofollow","give Better Claw a try",". $29/month per agent, BYOK, AES-256 encryption of credentials at rest, workspace scoping built in, and your first deploy takes about 60 seconds. We handle the vault. 
You handle the agent work.",[33,283,285],{"id":284},"one-last-thing","One last thing",[14,287,288],{},"The uncomfortable truth about OpenClaw secrets management is that nobody cares about it until they've had a credential leak, and after that, they care about nothing else for about a month.",[14,290,291],{},"You don't have to learn this lesson the expensive way. The practices in this post (encrypted storage, no secrets in config files, rotation schedules, scoped permissions, audit logs) are all available to anyone running an OpenClaw agent today. The managed path makes them defaults. The self-hosted path makes them homework.",[14,293,294],{},"Either way, pick one. Pick it this week.",[14,296,297],{},"Agents are going to be handling more credentials, more actions, and more sensitive workflows every month. The operators who treat credential hygiene as a first-class concern are going to sleep through the next security news cycle. The operators who didn't are going to be the next news cycle.",[14,299,300],{},"The .env file was never meant to hold the keys to your business. Stop asking it to.",[33,302,304],{"id":303},"frequently-asked-questions","Frequently Asked Questions",[14,306,307],{},[65,308,309],{},"What is OpenClaw secrets management?",[14,311,312],{},"OpenClaw secrets management is the practice of securely storing, accessing, and rotating the API keys and credentials your OpenClaw agent needs to function. This includes model provider keys, chat platform tokens, third-party service credentials, and any other sensitive strings your agent uses. The goal is to ensure those credentials never exist in plaintext on disk or in backups, and that access to them is audited and revocable.",[14,314,315],{},[65,316,317],{},"How does OpenClaw secrets management compare to standard web app secrets?",[14,319,320],{},"Standard web apps usually handle two or three credentials. OpenClaw agents regularly handle 10 to 20, across model providers, chat platforms, and installed skills. 
The attack surface is larger, the rotation burden is higher, and a single leaked key can expose multiple downstream systems. Best practices are the same (encrypted at rest, scoped permissions, regular rotation), but the volume makes automation much more important.",[14,322,323],{},[65,324,325],{},"How do I stop storing OpenClaw API keys in plaintext?",[14,327,328],{},"Three realistic paths: use a secret manager service (AWS Secrets Manager, Vault, Doppler) and have your agent fetch credentials at runtime, encrypt your env file at rest using SOPS or Age with a separately managed key, or use a managed OpenClaw platform that handles encrypted credential storage as a built-in feature. The right choice depends on how many agents you run and how much infrastructure work you want to own.",[14,330,331],{},[65,332,333],{},"Is a managed secrets solution worth it for a solo OpenClaw operator?",[14,335,336],{},"Yes, usually. A managed platform at $29/month per agent handles credential encryption, rotation support, and audit logs that would take a weekend to set up correctly on your own. For solo operators, the time saved is almost always worth more than the subscription cost. The math changes for teams already running their own security infrastructure.",[14,338,339],{},[65,340,341],{},"Are managed OpenClaw platforms actually more secure than self-hosted with SOPS?",[14,343,344,345,349],{},"A well-configured self-hosted setup with SOPS, disk encryption, restricted SSH, and proper monitoring can be very secure. The catch is \"well-configured.\" Most self-hosted setups don't get there. Managed platforms enforce the defaults by design, including AES-256 encryption, workspace scoping, and signed tool execution. 
Pair that with proper ",[186,346,348],{"href":347},"/skills/security-vetting","skill security vetting"," and you've covered the main attack vectors most teams miss.",{"title":351,"searchDepth":352,"depth":352,"links":353},"",2,[354,355,356,357,358,359,360,361,362,363,364],{"id":35,"depth":352,"text":36},{"id":57,"depth":352,"text":58},{"id":114,"depth":352,"text":115},{"id":133,"depth":352,"text":134},{"id":155,"depth":352,"text":156},{"id":177,"depth":352,"text":178},{"id":202,"depth":352,"text":203},{"id":229,"depth":352,"text":230},{"id":248,"depth":352,"text":249},{"id":284,"depth":352,"text":285},{"id":303,"depth":352,"text":304},"Security","2026-04-18","OpenClaw secrets management without the guesswork. How to stop storing API keys in plaintext, handle rotation, and avoid the $3,200 key leak.","md",false,"/img/blog/openclaw-secrets-management-stop-plaintext-api-keys.jpg",{},true,"/blog/openclaw-secrets-management-stop-plaintext-api-keys","10 min read",{"title":5,"description":367},"OpenClaw Secrets Management: Stop Plaintext API Keys","blog/openclaw-secrets-management-stop-plaintext-api-keys",[379,380,381,382,383,384],"OpenClaw secrets management","OpenClaw API keys","plaintext API keys","OpenClaw security","AI agent credential storage","OpenClaw key rotation","YQSZI9Myg_VUozkVaKnhldEn1XKK44yjFcSAAZFE_R0",[387,771,1311],{"id":388,"title":389,"author":390,"body":391,"category":365,"date":755,"description":756,"extension":368,"featured":369,"image":757,"meta":758,"navigation":372,"path":759,"readingTime":374,"seo":760,"seoTitle":761,"stem":762,"tags":763,"updatedDate":755,"__hash__":770},"blog/blog/anthropic-ai-bank-cyber-risk.md","Anthropic's Mythos Just Got Bank CEOs Summoned to Washington. 
Here's What It Means for Your AI Agents.",{"name":7,"role":8,"avatar":9},{"type":11,"value":392,"toc":743},[393,398,401,404,407,410,413,417,420,423,426,429,435,439,442,445,448,451,454,457,461,464,467,475,478,485,488,494,498,501,504,507,510,513,521,533,537,540,543,546,549,557,563,567,570,573,576,579,584,588,591,597,603,614,620,626,630,633,636,639,654,657,659,664,667,672,675,680,686,691,694,699,702,706],[14,394,395],{},[17,396,397],{},"The collision of frontier AI models and financial infrastructure is rewriting the rules of cyber risk. If you're running AI agents, you're already in the blast radius.",[14,399,400],{},"Treasury Secretary Scott Bessent and Fed Chair Jerome Powell pulled bank CEOs into an emergency meeting this week. Not about interest rates. Not about a liquidity crisis.",[14,402,403],{},"About an AI model.",[14,405,406],{},"Anthropic's Claude Mythos, a frontier model so capable at finding software vulnerabilities that the company warned its own government contacts it would make large-scale cyberattacks \"much more likely in 2026.\" The model identified thousands of zero-day vulnerabilities in its first weeks of testing, many of them one to two decades old, hiding in the software that runs everything from hospital networks to trading floors.",[14,408,409],{},"If you're building or deploying AI agents right now, this isn't some abstract policy story. This is the environment your agents are operating in.",[14,411,412],{},"And it's about to get a lot more hostile.",[33,414,416],{"id":415},"the-moment-ai-cyber-risk-stopped-being-theoretical","The moment AI cyber risk stopped being theoretical",[14,418,419],{},"Let's rewind to September 2025. Anthropic detected what analysts now call the first fully autonomous AI espionage campaign at scale. A Chinese state-sponsored group used agentic AI capabilities to conduct vulnerability discovery, lateral movement, and payload execution with minimal human oversight.",[14,421,422],{},"Read that again. 
Minimal human oversight. An AI agent, not a team of hackers, ran the operation.",[14,424,425],{},"Then in January 2026, a Russian-speaking cybercriminal with limited technical skills used Claude and DeepSeek to hack over 600 devices across 55 countries. According to AWS's security research team, the attacker used generative AI to scale well-known attack techniques throughout every phase of their operation. At one point, the attacker asked Claude in Russian to build a web panel for managing hundreds of targets.",[14,427,428],{},"This is the new baseline. Not nation-state hackers with decades of training. Script kiddies with API keys.",[14,430,431],{},[108,432],{"alt":433,"src":434},"Timeline of AI-powered cyber attacks from September 2025 autonomous espionage to January 2026 mass exploitation","/img/blog/anthropic-ai-bank-cyber-risk-timeline.jpg",[33,436,438],{"id":437},"why-mythos-changes-the-math-for-everyone","Why Mythos changes the math for everyone",[14,440,441],{},"Here's the part that should make you uncomfortable.",[14,443,444],{},"Current AI models can identify high-severity vulnerabilities. Mythos can find five separate vulnerabilities in a single piece of software and chain them together into a novel attack that no human security team would have anticipated. Coupled with the ability to work unsupervised for extended periods, Anthropic says we've hit an inflection point.",[14,446,447],{},"Shlomo Kramer, founder and CEO of Cato Networks, put it bluntly: the agentic attackers are coming and this is a watershed event in the history of cybersecurity. Cisco's chief security officer Anthony Grieco said the old ways of hardening systems are no longer sufficient.",[14,449,450],{},"And here's what nobody tells you: the window is narrow. 
Alex Stamos, chief product officer at cybersecurity firm Corridor, estimates the open-source models will catch up to frontier model bug-finding capabilities within six months.",[14,452,453],{},"The attackers only need to find one way in. Defenders have to cover every surface.",[14,455,456],{},"That asymmetry has always existed in cybersecurity. AI just compressed the timeline from months to minutes.",[33,458,460],{"id":459},"what-this-means-if-youre-running-ai-agents","What this means if you're running AI agents",[14,462,463],{},"Stay with me here, because this is where it gets personal.",[14,465,466],{},"If you're self-hosting an OpenClaw agent on a VPS, a DigitalOcean droplet, or even a Mac Mini under your desk, your attack surface just expanded dramatically. Every exposed port, every unpatched dependency, every misconfigured Docker container is now a target that can be discovered and exploited at machine speed.",[14,468,469,470,474],{},"The ",[186,471,473],{"href":472},"/blog/openclaw-security-risks","OpenClaw security risks"," we've been writing about for months aren't hypothetical anymore. They're the exact kind of vulnerabilities that Mythos-class models will find and chain together.",[14,476,477],{},"Think about what a typical self-hosted agent setup looks like:",[14,479,480,481,484],{},"Docker containers with default configurations. API keys stored in ",[76,482,483],{},".env"," files. Ports exposed to the public internet. No intrusion detection. No automated patching. No audit logging.",[14,486,487],{},"That was \"good enough\" when the threat was a bored teenager with Metasploit. 
It is not good enough when the threat is an autonomous AI agent running 24/7 vulnerability scans.",[14,489,490],{},[108,491],{"alt":492,"src":493},"Self-hosted AI agent attack surface showing exposed ports, unpatched dependencies, and plaintext credentials","/img/blog/anthropic-ai-bank-cyber-risk-attack-surface.jpg",[33,495,497],{"id":496},"the-infrastructure-gap-most-agent-builders-ignore","The infrastructure gap most agent builders ignore",[14,499,500],{},"Here's where most people get it wrong.",[14,502,503],{},"They think security is something you bolt on after your agent works. First get the YAML right. First get the skills installed. First get the model routing figured out. Security can wait.",[14,505,506],{},"It can't wait anymore.",[14,508,509],{},"Anthropic launched Project Glasswing alongside Mythos, giving 12 partner organizations including Microsoft, Apple, and Cisco early access to find and fix vulnerabilities before they get exploited. That tells you something about the urgency.",[14,511,512],{},"But most teams running AI agents aren't Microsoft. They don't have a dedicated security team scanning their infrastructure. They're a founder, a small dev team, maybe a contractor. They're choosing between building features and patching CVEs.",[14,514,515,516,520],{},"If you've been wrestling with ",[186,517,519],{"href":518},"/blog/openclaw-docker-troubleshooting","OpenClaw Docker troubleshooting"," or spending weekends maintaining your agent infrastructure, this is the moment to ask yourself: is that really how you want to spend your time in a world where AI-powered attacks operate at machine speed?",[14,522,523,524,527,528,532],{},"We built ",[186,525,526],{"href":188},"Better Claw"," because we were tired of infrastructure eating our weekends. But in light of what Anthropic just disclosed, managed hosting isn't just about convenience anymore. 
It's about not being the low-hanging fruit in an environment where autonomous attackers are scanning for exactly that. ",[186,529,531],{"href":530},"/pricing","$29/month per agent",", and your infrastructure is somebody else's problem.",[33,534,536],{"id":535},"what-the-bessent-powell-meeting-actually-signals","What the Bessent-Powell meeting actually signals",[14,538,539],{},"And that's when we realized this story isn't really about banks.",[14,541,542],{},"Yes, Bessent and Powell summoned Wall Street CEOs to make sure financial institutions are preparing defenses against Mythos-class threats. But the real signal is simpler: the US government now considers AI-generated cyber risk a systemic threat.",[14,544,545],{},"Not a \"keep an eye on it\" threat. A \"clear your calendar and come to Washington\" threat.",[14,547,548],{},"The implications cascade downward. If banks need to harden their systems, every vendor and partner in their supply chain needs to do the same. If you're building an AI agent that touches financial data, customer PII, or payment systems, the security bar just jumped by an order of magnitude.",[14,550,551,552,556],{},"This is especially relevant if you're running agents for ",[186,553,555],{"href":554},"/blog/openclaw-agents-for-ecommerce","ecommerce use cases"," or anything that handles customer data. The regulatory scrutiny that follows a story like this always trickles down.",[14,558,559],{},[108,560],{"alt":561,"src":562},"Cascade of AI cyber risk regulations from government to banks to vendors to AI agent builders","/img/blog/anthropic-ai-bank-cyber-risk-cascade.jpg",[33,564,566],{"id":565},"the-arms-race-youre-already-part-of","The arms race you're already part of",[14,568,569],{},"But that's not even the real problem.",[14,571,572],{},"Every major AI lab's next model will push cyber capabilities further. Behind Mythos is the next OpenAI model, and the next Gemini, and a few months behind them are the open-source Chinese models. 
As Kramer told CNN, the defenders need to run as fast as they can just to stay in the same place.",[14,574,575],{},"This creates a permanent tax on every team running AI infrastructure. You need automated patching. You need encrypted secrets management. You need isolated execution environments. You need audit logs. You need somebody watching the monitors at 3 AM when a Mythos-inspired scanner finds a forgotten port.",[14,577,578],{},"Or you need to outsource that entire burden.",[14,580,469,581,583],{},[186,582,222],{"href":221}," we published is a good starting point if you're committed to self-hosting. But be honest with yourself about whether you can maintain that posture indefinitely against adversaries that don't sleep, don't get bored, and don't make typos.",[33,585,587],{"id":586},"what-to-actually-do-right-now","What to actually do right now",[14,589,590],{},"Let me be practical. Here's what matters this week, not this quarter.",[14,592,593,596],{},[65,594,595],{},"Audit your exposed surfaces."," If your agent is reachable from the public internet, assume it will be scanned by something smarter than you within days. Check every open port. Check your Docker configs. Check where your API keys live.",[14,598,599,602],{},[65,600,601],{},"Update everything."," Mythos found vulnerabilities that were one to two decades old. The boring stuff matters more than ever.",[14,604,605,608,609,613],{},[65,606,607],{},"Evaluate your hosting model."," Self-hosting made sense when the primary risk was downtime. The risk profile has changed. Consider whether ",[186,610,612],{"href":611},"/openclaw-hosting","managed OpenClaw hosting"," is worth the tradeoff.",[14,615,616,619],{},[65,617,618],{},"Watch the regulatory signals."," The Bessent-Powell meeting is the first domino. 
If you're building agents for regulated industries, expect compliance requirements to tighten fast.",[14,621,622,625],{},[65,623,624],{},"Don't panic, but don't ignore this."," The fact that Anthropic launched Project Glasswing means the industry is taking this seriously. The worst response is to assume you're too small to be a target. Automated attacks don't discriminate by company size.",[33,627,629],{"id":628},"the-honest-takeaway","The honest takeaway",[14,631,632],{},"Here's what I keep coming back to.",[14,634,635],{},"We got into AI agents because the technology is genuinely exciting. Watching an agent autonomously handle tasks that used to take hours of manual work is one of the best feelings in tech right now. That hasn't changed.",[14,637,638],{},"What's changed is the environment. The same agentic capabilities that make our tools powerful also make the threats against our infrastructure more capable. That's not a reason to stop building. It's a reason to build on foundations that can withstand what's coming.",[14,640,641,642,644,645,649,650,653],{},"If any of this hit close to home, if you've been running a self-hosted agent and putting off the security hardening, if you know your ",[76,643,483],{}," file is doing more heavy lifting than it should, ",[186,646,648],{"href":277,"rel":647},[279],"give Better Claw a look",". It's $29/month per agent, BYOK, and you get managed infrastructure with security that doesn't depend on you remembering to run ",[76,651,652],{},"apt update"," at midnight. We handle the infrastructure. You handle the interesting part.",[14,655,656],{},"The agentic attackers are coming. Make sure your agents are ready.",[33,658,304],{"id":303},[14,660,661],{},[65,662,663],{},"What is the Anthropic Mythos AI model and why does it matter for cyber risk?",[14,665,666],{},"Claude Mythos is Anthropic's most powerful AI model to date, sitting above its Opus tier. 
It matters because it can autonomously discover, chain together, and exploit software vulnerabilities at speeds no human team can match. In its first weeks of testing, it found thousands of zero-day flaws, many hidden for over a decade.",[14,668,669],{},[65,670,671],{},"How does AI-driven cyber risk affect banks and financial services?",[14,673,674],{},"Treasury Secretary Bessent and Fed Chair Powell summoned bank CEOs specifically over Mythos-class threats, signaling the government views AI cyber risk as systemic to financial stability. Banks face pressure to harden systems across their entire supply chain, which cascades to every vendor and partner handling financial data.",[14,676,677],{},[65,678,679],{},"How do I secure my self-hosted AI agent against AI-powered attacks?",[14,681,682,683,685],{},"Start by auditing exposed ports, moving secrets out of ",[76,684,483],{}," files into encrypted vaults, keeping all dependencies patched, and enabling audit logging. If maintaining that security posture continuously isn't realistic for your team, evaluate managed hosting options that handle infrastructure security for you.",[14,687,688],{},[65,689,690],{},"Is managed AI agent hosting worth the cost for security alone?",[14,692,693],{},"At $29/month per agent, managed hosting like BetterClaw costs less than a single hour of incident response consulting. You get isolated environments, automated updates, encrypted secrets management, and monitoring without needing to maintain it yourself. In a world of autonomous AI-powered scanning, the cost of a breach far exceeds the cost of prevention.",[14,695,696],{},[65,697,698],{},"Is my small project really a target for AI-powered cyberattacks?",[14,700,701],{},"Yes. Automated scanning tools, including the techniques Mythos enables, don't discriminate by company size. In January 2026, a single attacker with limited skills used AI to compromise 600+ devices across 55 countries. 
If your agent is reachable from the internet, it's a target regardless of how small your operation is.",[33,703,705],{"id":704},"related-reading","Related Reading",[707,708,709,716,722,729,736],"ul",{},[710,711,712,715],"li",{},[186,713,714],{"href":472},"OpenClaw Security Risks Explained"," — The specific vulnerabilities AI attackers will target",[710,717,718,721],{},[186,719,720],{"href":221},"OpenClaw Security Checklist"," — Hardening steps if you're committed to self-hosting",[710,723,724,728],{},[186,725,727],{"href":726},"/blog/openclaw-gateway-guide","OpenClaw Gateway Guide"," — The single setting that exposed 30,000+ instances",[710,730,731,735],{},[186,732,734],{"href":733},"/blog/openclaw-skill-audit","OpenClaw Skill Audit"," — How to check for compromised skills in your setup",[710,737,738,742],{},[186,739,741],{"href":740},"/compare/openclaw","BetterClaw vs Self-Hosted OpenClaw"," — Managed security vs DIY in the new threat landscape",{"title":351,"searchDepth":352,"depth":352,"links":744},[745,746,747,748,749,750,751,752,753,754],{"id":415,"depth":352,"text":416},{"id":437,"depth":352,"text":438},{"id":459,"depth":352,"text":460},{"id":496,"depth":352,"text":497},{"id":535,"depth":352,"text":536},{"id":565,"depth":352,"text":566},{"id":586,"depth":352,"text":587},{"id":628,"depth":352,"text":629},{"id":303,"depth":352,"text":304},{"id":704,"depth":352,"text":705},"2026-04-10","Anthropic's Mythos model triggered an emergency bank CEO meeting. 
Learn what AI-driven cyber risk means for your AI agents and how to protect them.","/img/blog/anthropic-ai-bank-cyber-risk.jpg",{},"/blog/anthropic-ai-bank-cyber-risk",{"title":389,"description":756},"Anthropic AI Cyber Risk: What Bank CEO Warnings Mean for Agents","blog/anthropic-ai-bank-cyber-risk",[764,765,766,767,768,769],"anthropic ai cyber risk","mythos ai model security","ai agent security","openclaw security","ai cybersecurity threats","managed ai agent hosting","il9GGyLnz0RS4zVpAM04SNYKd_augmL7GgyvZjt89Ug",{"id":772,"title":773,"author":774,"body":775,"category":365,"date":1292,"description":1293,"extension":368,"featured":369,"image":1294,"meta":1295,"navigation":372,"path":1296,"readingTime":1297,"seo":1298,"seoTitle":1299,"stem":1300,"tags":1301,"updatedDate":1292,"__hash__":1310},"blog/blog/clawhub-skills-directory.md","ClawHub Skills Directory - The Complete 2026 Guide to Finding, Vetting, and Using OpenClaw Skills",{"name":7,"role":8,"avatar":9},{"type":11,"value":776,"toc":1264},[777,782,785,788,795,798,802,805,808,811,817,823,830,834,837,842,845,851,855,858,864,868,871,877,881,884,890,896,900,903,907,910,913,919,923,926,932,936,939,945,951,963,967,970,976,982,988,994,1000,1006,1009,1013,1016,1020,1026,1032,1038,1042,1048,1054,1060,1066,1073,1077,1080,1084,1087,1091,1094,1097,1105,1111,1115,1118,1124,1130,1136,1146,1152,1158,1162,1165,1171,1177,1183,1189,1195,1201,1205,1208,1211,1214,1222,1224,1229,1232,1237,1240,1245,1248,1253,1256,1261],[14,778,779],{},[65,780,781],{},"13,700+ skills. 824 were malicious. Here's how to navigate the marketplace without becoming a statistic.",[14,783,784],{},"I found the perfect Notion integration skill on ClawHub last month. Clean description. Recent updates. 3,200+ downloads. I installed it, connected my workspace, and watched my OpenClaw agent sync tasks from Telegram directly into Notion boards.",[14,786,787],{},"Two days later, I noticed API requests on my Anthropic dashboard that I hadn't made. 
Someone was using my key. The skill had been reading my config file and sending credentials to an external server while functioning exactly as advertised.",[14,789,790,791,794],{},"That skill was part of the ClawHavoc campaign. ",[65,792,793],{},"824 malicious skills discovered on ClawHub, roughly 20% of the entire registry."," One compromised package had 14,285 downloads before it was pulled. ClawHub responded by purging 2,419 suspicious packages and partnering with VirusTotal for automated scanning.",[14,796,797],{},"This guide covers everything you need to know about the ClawHub skills directory in 2026: what's available, what's dangerous, how to find good skills, and how to protect yourself from bad ones.",[33,799,801],{"id":800},"what-clawhub-actually-is-and-isnt","What ClawHub actually is (and isn't)",[14,803,804],{},"ClawHub is the official skill registry for OpenClaw. Think of it like npm for Node.js packages or PyPI for Python libraries, except the packages add capabilities to your AI agent instead of your codebase.",[14,806,807],{},"Skills are what turn OpenClaw from a chatbot into an agent. Without skills, your agent can only have conversations. With skills, it can search the web, manage your calendar, read and write files, automate browser tasks, send emails, interact with APIs, and execute shell commands.",[14,809,810],{},"As of March 2026, ClawHub hosts over 13,700 skills. A separate community-curated registry (awesome-openclaw-skills on GitHub) tracks another 5,400+ skills that have been independently reviewed. The ecosystem is massive and growing fast, driven by OpenClaw's 1.27 million weekly npm downloads.",[14,812,813,816],{},[65,814,815],{},"What ClawHub is:"," An open registry where anyone can publish a skill package. Think app store with minimal review.",[14,818,819,822],{},[65,820,821],{},"What ClawHub isn't:"," A curated, security-reviewed marketplace. Until the VirusTotal partnership, there was effectively no automated security scanning. 
Publishers could upload anything. And 20% of them uploaded something malicious.",[14,824,825,826,829],{},"For the full timeline of ",[186,827,828],{"href":472},"documented OpenClaw security incidents"," including the ClawHavoc campaign, CrowdStrike advisory, and Cisco's data exfiltration discovery, our security guide covers each event.",[33,831,833],{"id":832},"the-clawhub-skills-categories-worth-knowing","The ClawHub skills categories worth knowing",[14,835,836],{},"The directory organizes skills into categories, though the boundaries are loose and many skills span multiple categories. Here's what's available and what's genuinely useful.",[838,839,841],"h3",{"id":840},"communication-skills","Communication skills",[14,843,844],{},"These connect your agent to external messaging and communication tools. Email reading and drafting (Gmail, Outlook), calendar management (Google Calendar, CalDAV), messaging integrations beyond the platforms OpenClaw already supports natively, and notification routing.",[14,846,847,850],{},[65,848,849],{},"The risk level is high."," Communication skills need access to your email, calendar, or messaging accounts. A compromised email skill can read every message in your inbox and forward copies to an external server. The Meta researcher Summer Yue incident is the cautionary tale here: her agent mass-deleted emails while ignoring stop commands. Even legitimate email skills need strict permission boundaries.",[838,852,854],{"id":853},"search-and-research-skills","Search and research skills",[14,856,857],{},"Web search (Brave API, Google Custom Search, Tavily), academic paper search, news aggregation, and data retrieval from specific sources. These are among the most commonly installed skills because they give your agent access to real-time information.",[14,859,860,863],{},[65,861,862],{},"The risk level is moderate."," Search skills make outbound API calls to retrieve information. 
The main concern is whether they're sending your query data (which might contain sensitive context from your conversations) to unexpected destinations alongside the legitimate search requests.",[838,865,867],{"id":866},"productivity-skills","Productivity skills",[14,869,870],{},"File management, note-taking integrations (Notion, Obsidian), project management connections (Linear, Asana, Jira), and document processing. These skills let your agent interact with your work tools.",[14,872,873,876],{},[65,874,875],{},"The risk level is moderate to high."," Productivity skills typically need OAuth tokens or API keys for external services. A compromised productivity skill has access to whatever tools it connects to.",[838,878,880],{"id":879},"developer-tools","Developer tools",[14,882,883],{},"Code execution, Git operations, CI/CD integrations, database queries, and API testing. These are popular among developers who use OpenClaw as a coding assistant.",[14,885,886,889],{},[65,887,888],{},"The risk level is very high."," Developer tool skills often have shell access or can execute arbitrary code. A malicious developer skill with shell access can do anything on your machine. Cisco's discovery of a skill performing data exfiltration was in this category.",[14,891,892],{},[108,893],{"alt":894,"src":895},"ClawHub skills categories organized by risk level","/img/blog/clawhub-skills-directory-categories.jpg",[33,897,899],{"id":898},"how-to-find-good-skills-on-clawhub","How to find good skills on ClawHub",[14,901,902],{},"The ClawHub interface shows skill name, description, publisher, download count, last update date, and version history. Here's how to use that information to filter for quality.",[838,904,906],{"id":905},"publisher-reputation-matters-most","Publisher reputation matters most",[14,908,909],{},"The OpenClaw core team maintains a set of official skills. These are the safest options because they're maintained by the same developers who build the framework. 
Look for the official organization badge.",[14,911,912],{},"After official skills, established community developers with multiple published packages, active GitHub profiles, and real identities are the next safest tier. A publisher who has maintained three skills for six months with regular updates is very different from an account created last week with one package.",[14,914,915,918],{},[65,916,917],{},"Red flags on publishers:"," Account created recently with only one skill. Username that mimics official accounts (like \"opencIaw\" with a capital I instead of lowercase L). No GitHub profile linked. Generic or AI-generated skill descriptions.",[838,920,922],{"id":921},"download-count-needs-context","Download count needs context",[14,924,925],{},"High download count alone doesn't mean safe. The most-downloaded malicious skill in the ClawHavoc campaign had 14,285 downloads before removal. Download count tells you popularity, not quality.",[14,927,928,931],{},[65,929,930],{},"What matters more:"," the ratio of downloads to the skill's age. A skill published last week with 5,000 downloads either went viral organically (rare) or had its count artificially boosted (more common). A skill published six months ago with 5,000 downloads grew naturally through genuine adoption.",[838,933,935],{"id":934},"last-update-date-signals-maintenance","Last update date signals maintenance",[14,937,938],{},"Skills that haven't been updated in more than three months are concerning. OpenClaw releases multiple updates per week. 
Skills that don't keep up with the framework eventually break or develop compatibility issues.",[14,940,941,944],{},[65,942,943],{},"The sweet spot:"," skills updated within the last 30-60 days with a consistent version history showing incremental improvements rather than a single large dump of code.",[14,946,947],{},[108,948],{"alt":949,"src":950},"How to evaluate ClawHub skill listings","/img/blog/clawhub-skills-directory-evaluation.jpg",[14,952,953,954,958,959,962],{},"For our curated list of ",[186,955,957],{"href":956},"/blog/best-openclaw-skills","the best community-vetted OpenClaw skills"," that have passed security review, our ",[186,960,961],{"href":956},"skills guide"," ranks options by reliability, safety, and usefulness.",[33,964,966],{"id":965},"the-5-step-vetting-process-before-you-install-anything","The 5-step vetting process before you install anything",[14,968,969],{},"Finding a skill on ClawHub is step one. Vetting it before installation is what separates safe users from compromised ones.",[14,971,972,975],{},[65,973,974],{},"Step 1: Check the publisher."," Verify their identity, account age, and other published packages. Official skills from the core team are safest.",[14,977,978,981],{},[65,979,980],{},"Step 2: Read the source code."," Every ClawHub skill is JavaScript or TypeScript. You're looking for network calls to unexpected domains, file reads outside the skill's workspace (especially reads of your config file where API keys live), obfuscated or minified code (legitimate skills are readable), and environment variable access beyond what's needed.",[14,983,984,987],{},[65,985,986],{},"Step 3: Search community reports."," Check GitHub issues and the OpenClaw Discord for the skill name. If others have reported problems, you'll find them.",[14,989,990,993],{},[65,991,992],{},"Step 4: Test in a sandboxed workspace."," Never install a new skill directly into your production agent. 
Create a test workspace, install the skill there, run it for 24-48 hours, and monitor your API usage dashboards for unexpected activity.",[14,995,996,999],{},[65,997,998],{},"Step 5: Set limits."," After installation, configure iteration limits and context token caps to contain the blast radius if a skill misbehaves.",[14,1001,1002],{},[108,1003],{"alt":1004,"src":1005},"5-step skill vetting process","/img/blog/clawhub-skills-directory-vetting.jpg",[14,1007,1008],{},"The vetting process takes 5-10 minutes per skill plus a 24-hour monitoring window. That's 5-10 minutes compared to hours of damage control if something goes wrong. The math is obvious.",[33,1010,1012],{"id":1011},"what-changed-after-clawhavoc","What changed after ClawHavoc",[14,1014,1015],{},"The ClawHavoc campaign was a wake-up call for the entire ecosystem. Here's what ClawHub has done since, and what's still missing.",[838,1017,1019],{"id":1018},"what-improved","What improved",[14,1021,1022,1025],{},[65,1023,1024],{},"VirusTotal partnership."," ClawHub now runs automated security scans on all new skill submissions. Known malware signatures and suspicious patterns trigger review before publication. This catches known attack patterns but not novel ones.",[14,1027,1028,1031],{},[65,1029,1030],{},"Mass purge."," 2,419 suspicious packages were removed from the registry. This cleaned up the worst offenders but happened after the damage was done. The most-downloaded malicious package had already been installed by thousands of users.",[14,1033,1034,1037],{},[65,1035,1036],{},"Publisher verification."," ClawHub introduced optional publisher verification. Verified publishers have confirmed identities. The problem: verification is optional, and most publishers haven't bothered.",[838,1039,1041],{"id":1040},"whats-still-missing","What's still missing",[14,1043,1044,1047],{},[65,1045,1046],{},"Mandatory code review."," There's no human review of skill code before publication. 
VirusTotal catches known malware patterns, but sophisticated exfiltration techniques (like the Cisco-discovered skill that looked perfectly legitimate) can slip through automated detection.",[14,1049,1050,1053],{},[65,1051,1052],{},"Permission scoping."," Skills currently have access to whatever OpenClaw has access to. There's no granular permission system where a calendar skill can only access calendar APIs, not your file system. This means every skill is either trusted with everything or not installed at all.",[14,1055,1056,1059],{},[65,1057,1058],{},"Dependency auditing."," Skills can include npm dependencies. Those dependencies can include their own dependencies. The supply chain attack surface extends well beyond the skill code itself.",[14,1061,1062],{},[108,1063],{"alt":1064,"src":1065},"ClawHub security improvements timeline","/img/blog/clawhub-skills-directory-security.jpg",[14,1067,1068,1069,1072],{},"If managing skill security, vetting, and permission boundaries sounds like more work than you want, ",[186,1070,1071],{"href":188},"BetterClaw's curated skill marketplace"," audits every skill before publication. Docker-sandboxed execution means even a compromised skill can't access your host system or credentials. $29/month per agent, BYOK. Zero unvetted code running on your infrastructure.",[33,1074,1076],{"id":1075},"the-alternative-registries-worth-knowing","The alternative registries worth knowing",[14,1078,1079],{},"ClawHub isn't the only place to find OpenClaw skills. Two alternatives are worth mentioning.",[838,1081,1083],{"id":1082},"awesome-openclaw-skills-github","awesome-openclaw-skills (GitHub)",[14,1085,1086],{},"A community-curated list tracking 5,400+ skills with basic quality annotations. It's not a registry (you still install skills from ClawHub or GitHub). It's a curation layer that filters the noise. The maintainers remove skills that are reported as malicious or abandoned. 
It's not a security guarantee, but it's a better starting point than browsing ClawHub's unfiltered listing.",[838,1088,1090],{"id":1089},"direct-github-installation","Direct GitHub installation",[14,1092,1093],{},"You can install skills directly from GitHub repositories without going through ClawHub at all. Clone the repo, review the code, and copy it into your OpenClaw skills directory. This bypasses ClawHub entirely and gives you complete visibility into what you're installing.",[14,1095,1096],{},"The trade-off: no auto-updates. When the skill author pushes a new version, you need to manually pull the changes. ClawHub-installed skills update automatically, which is both convenient and risky (an update could introduce new malicious code that wasn't in the version you vetted).",[14,1098,1099,1100,1104],{},"For guidance on ",[186,1101,1103],{"href":1102},"/blog/openclaw-setup-guide-complete","the full OpenClaw installation and skill configuration process",", our setup guide covers where skills fit into the deployment sequence.",[14,1106,1107],{},[108,1108],{"alt":1109,"src":1110},"Alternative OpenClaw skill registries comparison","/img/blog/clawhub-skills-directory-alternatives.jpg",[33,1112,1114],{"id":1113},"the-skills-most-people-should-start-with","The skills most people should start with",[14,1116,1117],{},"After reviewing the ecosystem extensively, here are the skill categories that provide the most value with the least risk for new OpenClaw users.",[14,1119,1120,1123],{},[65,1121,1122],{},"Web search."," The official web search skill or Brave Search API integration. Essential for any agent that needs to look up information. Maintained by the core team. Low risk because it only makes outbound search queries.",[14,1125,1126,1129],{},[65,1127,1128],{},"File operations."," OpenClaw's built-in file read/write capabilities handle most basic file tasks without requiring an external skill. 
Start with the native tools before adding third-party file management skills.",[14,1131,1132,1135],{},[65,1133,1134],{},"Calendar."," Google Calendar or CalDAV integrations from verified publishers with established track records. These need OAuth access to your calendar, so choose carefully. Only install from publishers with real identities.",[14,1137,1138,1141,1142,1145],{},[65,1139,1140],{},"Custom internal skills."," If you need your agent to interact with a proprietary API (your Shopify store, your CRM, your internal tools), building a custom skill is safer than finding a generic one on ClawHub. You control every line of code. For ecommerce-specific agent configurations, our ",[186,1143,1144],{"href":554},"ecommerce guide"," covers the most common integrations.",[14,1147,1148,1151],{},[65,1149,1150],{},"Email (with extreme caution)."," Email skills are the highest-risk category. Start with read-only access. Only enable send with explicit confirmation requirements. Never give an agent unsupervised email send permissions. The Summer Yue incident is the permanent reminder of why.",[14,1153,1154],{},[108,1155],{"alt":1156,"src":1157},"Recommended starter skills for OpenClaw","/img/blog/clawhub-skills-directory-starter.jpg",[33,1159,1161],{"id":1160},"what-to-do-if-youve-already-installed-unvetted-skills","What to do if you've already installed unvetted skills",[14,1163,1164],{},"If you've been installing ClawHub skills without vetting them (most people have in the beginning), here's the damage control sequence.",[14,1166,1167,1170],{},[65,1168,1169],{},"First: rotate all API keys immediately."," Every key in your OpenClaw config. Anthropic, OpenAI, Telegram bot tokens, OAuth credentials. All of them. If any skill has exfiltrated your keys, rotating them invalidates the stolen copies.",[14,1172,1173,1176],{},[65,1174,1175],{},"Second: review your API usage dashboards."," Check the last 30 days for requests you didn't make. 
Unusual patterns (requests at odd hours, high-volume calls you don't recognize) indicate compromise.",[14,1178,1179,1182],{},[65,1180,1181],{},"Third: audit every installed skill."," List everything your agent currently has installed. For each skill, run through the 5-step vetting process. Remove anything that doesn't pass.",[14,1184,1185,1188],{},[65,1186,1187],{},"Fourth: set up monitoring going forward."," Check API usage weekly. Review logs after installing any new skill. Set spending caps on all provider accounts.",[14,1190,1191],{},[108,1192],{"alt":1193,"src":1194},"Damage control steps for unvetted skills","/img/blog/clawhub-skills-directory-damage-control.jpg",[14,1196,469,1197,1200],{},[186,1198,1199],{"href":472},"managed vs self-hosted security comparison"," covers how platforms like BetterClaw handle skill security versus what you're responsible for when self-hosting.",[33,1202,1204],{"id":1203},"the-bigger-picture-where-the-clawhub-ecosystem-is-heading","The bigger picture: where the ClawHub ecosystem is heading",[14,1206,1207],{},"The skills ecosystem is at an inflection point. The ClawHavoc campaign forced the community to take supply chain security seriously. VirusTotal scanning and the publisher verification system are steps in the right direction. But the fundamental challenge remains: an open registry with minimal review will always have a security tail risk.",[14,1209,1210],{},"The likely evolution is a tiered system. A \"verified\" tier with mandatory code review and publisher identity verification. An \"unverified\" tier with automated scanning only. And eventually, permission scoping that limits what each skill can access regardless of trust level.",[14,1212,1213],{},"Until that happens, the responsibility is on you. Every skill you install is executable code running with your agent's permissions and access to your API keys. 
Treat ClawHub like you'd treat any package registry: with appreciation for the ecosystem and suspicion toward anything you haven't personally reviewed.",[14,1215,1216,1217,1221],{},"If you want a deployment where skills are security-audited before they reach your agent, where Docker sandboxing prevents compromised code from accessing your host system, and where you don't carry the vetting burden yourself, ",[186,1218,1220],{"href":277,"rel":1219},[279],"give BetterClaw a try",". $29/month per agent, BYOK. Every skill in our marketplace is reviewed. Sandboxed execution means even a problematic skill can't reach beyond its container. You build workflows. We handle the security.",[33,1223,304],{"id":303},[14,1225,1226],{},[65,1227,1228],{},"What is ClawHub?",[14,1230,1231],{},"ClawHub is the official skill registry for OpenClaw, hosting over 13,700 installable skill packages as of March 2026. Skills add capabilities to your OpenClaw agent: web search, calendar management, email, file operations, browser automation, and API integrations. ClawHub functions like npm or PyPI but for AI agent capabilities. Anyone can publish skills, and since the ClawHavoc cleanup, all submissions go through VirusTotal automated scanning.",[14,1233,1234],{},[65,1235,1236],{},"How does ClawHub compare to awesome-openclaw-skills?",[14,1238,1239],{},"ClawHub is the official registry with the largest collection (13,700+ skills) and auto-update support, but it's an open marketplace with minimal human review. awesome-openclaw-skills is a community-curated GitHub list tracking 5,400+ skills with basic quality filtering and maintainer oversight. Neither is a security guarantee. ClawHub has more skills and convenience. awesome-openclaw-skills has better curation. 
Use both as discovery tools, but always vet skills yourself before installation.",[14,1241,1242],{},[65,1243,1244],{},"How do I install skills from ClawHub safely?",[14,1246,1247],{},"Follow a 5-step process: check the publisher's identity and account history, read the source code for suspicious network calls and file access patterns, search community reports on GitHub and Discord, test in a sandboxed workspace for 24-48 hours while monitoring API usage, and set iteration limits and context caps after installation. The active vetting takes 5-10 minutes per skill plus a 24-hour monitoring window.",[14,1249,1250],{},[65,1251,1252],{},"How much do ClawHub skills cost to use?",[14,1254,1255],{},"Skills themselves are free to install from ClawHub. The cost comes from the API tokens they consume when your agent uses them. A web search skill adds roughly 1,000-3,000 tokens per search call. Browser automation can use 500-2,000 tokens per step. On Claude Sonnet ($3/$15 per million tokens), typical skill usage adds $5-20/month to your API bill depending on frequency. Set iteration limits to prevent runaway costs from skills that loop.",[14,1257,1258],{},[65,1259,1260],{},"Are ClawHub skills secure enough for business use?",[14,1262,1263],{},"Not without vetting. The ClawHavoc campaign found 824 malicious skills (roughly 20% of the registry). ClawHub has since purged 2,419 suspicious packages and added VirusTotal scanning, but automated detection doesn't catch everything. Cisco independently found a legitimate-looking skill performing data exfiltration. 
For business use, either vet every skill manually using the 5-step process, use a managed platform with a curated skill marketplace (like BetterClaw), or build custom skills for sensitive integrations.",{"title":351,"searchDepth":352,"depth":352,"links":1265},[1266,1267,1274,1279,1280,1284,1288,1289,1290,1291],{"id":800,"depth":352,"text":801},{"id":832,"depth":352,"text":833,"children":1268},[1269,1271,1272,1273],{"id":840,"depth":1270,"text":841},3,{"id":853,"depth":1270,"text":854},{"id":866,"depth":1270,"text":867},{"id":879,"depth":1270,"text":880},{"id":898,"depth":352,"text":899,"children":1275},[1276,1277,1278],{"id":905,"depth":1270,"text":906},{"id":921,"depth":1270,"text":922},{"id":934,"depth":1270,"text":935},{"id":965,"depth":352,"text":966},{"id":1011,"depth":352,"text":1012,"children":1281},[1282,1283],{"id":1018,"depth":1270,"text":1019},{"id":1040,"depth":1270,"text":1041},{"id":1075,"depth":352,"text":1076,"children":1285},[1286,1287],{"id":1082,"depth":1270,"text":1083},{"id":1089,"depth":1270,"text":1090},{"id":1113,"depth":352,"text":1114},{"id":1160,"depth":352,"text":1161},{"id":1203,"depth":352,"text":1204},{"id":303,"depth":352,"text":304},"2026-03-25","13,700+ OpenClaw skills on ClawHub. 824 were malicious. 
Here's how to find, vet, and safely install skills without exposing your API keys.","/img/blog/clawhub-skills-directory.jpg",{},"/blog/clawhub-skills-directory","16 min read",{"title":773,"description":1293},"ClawHub Skills Directory: Complete 2026 Guide","blog/clawhub-skills-directory",[1302,1303,1304,1305,1306,1307,1308,1309],"ClawHub skills","OpenClaw skills directory","ClawHub guide","OpenClaw skills marketplace","safe OpenClaw skills","ClawHub security","ClawHavoc","OpenClaw skill vetting","eYe9rNhfWKDi2Ce0JP9DFpMNFvf08qyPreEcDpUe8YM",{"id":1312,"title":1313,"author":1314,"body":1315,"category":365,"date":1599,"description":1600,"extension":368,"featured":369,"image":1601,"meta":1602,"navigation":372,"path":1603,"readingTime":1604,"seo":1605,"seoTitle":1606,"stem":1607,"tags":1608,"updatedDate":1599,"__hash__":1615},"blog/blog/openclaw-exec-approvals-mobile-matrix.md","OpenClaw Exec Approvals Explained: Mobile, Matrix, and Beyond",{"name":7,"role":8,"avatar":9},{"type":11,"value":1316,"toc":1588},[1317,1322,1325,1328,1331,1334,1338,1341,1344,1347,1350,1353,1356,1359,1363,1366,1369,1372,1375,1378,1384,1388,1391,1397,1403,1409,1412,1415,1421,1425,1428,1431,1434,1437,1444,1448,1450,1453,1456,1459,1462,1469,1473,1476,1479,1482,1488,1491,1497,1501,1504,1507,1510,1513,1516,1524,1526,1529,1532,1539,1542,1544,1549,1552,1557,1560,1565,1568,1573,1576,1581],[14,1318,1319],{},[17,1320,1321],{},"Your agent just asked if it can send a $4,000 wire. You have ten seconds. Where does that notification actually go?",[14,1323,1324],{},"Summer Yue opened her inbox and thousands of emails were gone.",[14,1326,1327],{},"Her agent had deleted them. She'd told it to stop. It ignored her.",[14,1329,1330],{},"That's the Meta researcher incident everyone keeps citing, and it's the single clearest argument for why OpenClaw exec approvals stopped being optional sometime last year. Autonomous agents with real-world permissions need a circuit breaker. A human in the loop. 
A way to say \"wait, actually, no\" before the irreversible thing happens.",[14,1332,1333],{},"The thing nobody was quite sure about until recently was: where does that approval prompt go?",[33,1335,1337],{"id":1336},"what-exec-approvals-actually-means-without-the-marketing-varnish","What \"exec approvals\" actually means, without the marketing varnish",[14,1339,1340],{},"Exec approvals are the moments where your agent stops and asks you a question before doing something it considers consequential.",[14,1342,1343],{},"\"Do I send this $4,000 wire?\" \"Do I delete these 112 files?\" \"Do I run this shell command with sudo?\" \"Do I ship the Stripe refund?\"",[14,1345,1346],{},"The agent pauses. It sends you a prompt. You approve, you deny, or you time out. Only then does the action execute.",[14,1348,1349],{},"This is the simplest pattern in agent safety. It also used to have a huge hole in it. Where exactly did that prompt go?",[14,1351,1352],{},"For a long time, the answer was \"your terminal.\" Which is fine, if you happen to be staring at your terminal the moment the agent needs an answer. Which you usually aren't.",[14,1354,1355],{},"Then it was Slack or a chat platform. Better. You probably have Slack on your phone. But Slack isn't end-to-end encrypted, your employer can read your messages, and push notifications through Slack are flaky on iOS when the app is in the background.",[14,1357,1358],{},"Now it's APNs and Matrix. And that's a bigger shift than it looks.",[33,1360,1362],{"id":1361},"why-mobile-approvals-change-the-shape-of-agent-ownership","Why mobile approvals change the shape of agent ownership",[14,1364,1365],{},"Here's the weird part about running an autonomous agent. You're never really off.",[14,1367,1368],{},"Before mobile approvals landed, running an OpenClaw agent in production meant one of two things. Either you were at your desk the whole time, or you gave the agent permission to do whatever it wanted and hoped it made good choices. 
Neither is a real way to live.",[14,1370,1371],{},"What iOS APNs approvals change: the agent can reach you anywhere, with a proper push notification, in under a second. You can approve a wire from the grocery store. Deny a deploy from the Uber. The agent waits for you instead of the other way around.",[14,1373,1374],{},"Mobile approvals are what turn an agent from \"a thing I have to babysit\" into \"a thing that works for me.\"",[14,1376,1377],{},"That's the whole shift. It sounds small. It isn't.",[14,1379,1380],{},[108,1381],{"alt":1382,"src":1383},"iOS push notification showing an OpenClaw agent asking for approval on a $4,000 wire transfer with approve and deny buttons","/img/blog/openclaw-exec-approvals-mobile-matrix-ios-push.jpg",[33,1385,1387],{"id":1386},"the-three-approval-channels-and-when-to-use-which","The three approval channels and when to use which",[14,1389,1390],{},"OpenClaw now supports multiple approval channels, each with its own tradeoffs. Picking the right one per use case matters more than picking one and forcing everything through it.",[14,1392,1393,1396],{},[65,1394,1395],{},"iOS APNs push."," Fastest and most personal. Great for solo operators and founders. The approval lands on your phone as a push, you tap approve or deny, done. The tradeoff: it's per-person. Only you get the notification. No team visibility.",[14,1398,1399,1402],{},[65,1400,1401],{},"Matrix rooms."," End-to-end encrypted, federated, self-hostable. This is the channel I'd pick for any team that cares about approvals being auditable and not readable by Slack's servers. You set up an approval room, the agent posts prompts there, anyone with permission in the room can approve. Works for both solo and team setups.",[14,1404,1405,1408],{},[65,1406,1407],{},"Chat platforms (Slack, Discord, Telegram)."," Convenient if your team already lives in them. Lower security bar than Matrix. Fine for low-stakes approvals. 
Not fine for approvals that touch money, infrastructure, or customer data.",[14,1410,1411],{},"Most real teams end up using more than one. Financial approvals through Matrix. Content approvals through Slack. Personal admin approvals through iOS push.",[14,1413,1414],{},"The routing rule is simple. Match the sensitivity of the action to the security properties of the channel.",[14,1416,1417],{},[108,1418],{"alt":1419,"src":1420},"Side-by-side comparison of iOS APNs push, Matrix room, and Slack chat approval channels with security and visibility tradeoffs","/img/blog/openclaw-exec-approvals-mobile-matrix-channels.jpg",[33,1422,1424],{"id":1423},"why-matrix-specifically-matters-for-team-approvals","Why Matrix specifically matters for team approvals",[14,1426,1427],{},"Matrix is having a moment in the agent infrastructure world, and it's not an accident.",[14,1429,1430],{},"The protocol is end-to-end encrypted. It's federated, which means you can run your own homeserver and keep approval traffic entirely on your infrastructure. It's open, which means the agent ecosystem isn't locked into whatever policies a specific chat platform decides to enforce next quarter.",[14,1432,1433],{},"Compare that to running approvals through, say, a public Discord or an employer-controlled Slack. In both cases, a third party sees the content of every approval prompt, including the details of the action being approved. For a personal agent handling personal finances, or a team agent handling sensitive business operations, that's a meaningful problem.",[14,1435,1436],{},"A Matrix room is a private channel that you control. Approval prompts stay between the agent and the humans authorized to approve. The audit log is yours.",[14,1438,1439,1440,1443],{},"For teams that have worked through ",[186,1441,1442],{"href":221},"OpenClaw's security checklist"," and taken the other layers seriously, Matrix approvals are the natural next step. 
Encrypted channels for consequential decisions.",[33,1445,1447],{"id":1446},"the-part-that-trips-people-up","The part that trips people up",[14,1449,500],{},[14,1451,1452],{},"They set up approvals for the obvious high-stakes actions. Wires, deploys, file deletions. They forget the sneaky ones. API calls with side effects. Agent-to-agent messages in multi-agent setups. Scheduled actions that fire overnight. Memory writes that alter the agent's future behavior.",[14,1454,1455],{},"The Summer Yue incident wasn't an approval failure in the narrow sense. It was a scope failure. The agent had permission to do something destructive and the stop command didn't have authority over it. Approvals fix that, but only if you wire them to every category of consequential action, not just the flashy ones.",[14,1457,1458],{},"A good approval policy asks: what can this agent do that I'd regret? Then it puts approvals on every one of those actions. Not just the ones with dollar signs.",[14,1460,1461],{},"If you're running an agent that touches email, calendars, code repos, customer data, or any outbound communication, approvals should cover all of it. Not a selection.",[14,1463,1464,1465,1468],{},"If you want approvals wired up correctly from day one without having to build the APNs certificates, the Matrix bot, and the signature verification yourself, ",[186,1466,1467],{"href":188},"Better Claw handles all three channels with cryptographically signed approval responses",". $29/month per agent, BYOK, mobile and Matrix approvals configured in minutes.",[33,1470,1472],{"id":1471},"why-self-hosted-approvals-are-harder-than-they-look","Why self-hosted approvals are harder than they look",[14,1474,1475],{},"I'm not going to tell you self-hosting approvals is impossible. Plenty of teams do it. 
But the gap between \"I set up push approvals on my laptop\" and \"I have production approval routing that works reliably across three channels\" is weeks of work most people aren't expecting.",[14,1477,1478],{},"APNs alone requires an Apple Developer account, certificate generation, certificate rotation, a push server, retry logic for failed deliveries, and a way to handle the case where your user replaces their phone and their device token silently changes.",[14,1480,1481],{},"Matrix requires a homeserver (or a trusted hosted one), bot account provisioning, room management, message signing, and verification that the person approving is actually the person authorized to approve, not someone who joined the room yesterday.",[14,1483,1484,1485,1487],{},"Running this on top of ",[186,1486,256],{"href":255}," means you're maintaining all of the above plus the agent infrastructure. Plus the chat platform integrations. Plus the security patches. Plus the skill updates.",[14,1489,1490],{},"Approvals are one of those features where managed infrastructure pays for itself in about three weeks.",[14,1492,1493],{},[108,1494],{"alt":1495,"src":1496},"Diagram illustrating the weeks of work gap between setting up approvals on a laptop and running production-ready approval routing with APNs certificates, Matrix homeservers, and signature verification","/img/blog/openclaw-exec-approvals-mobile-matrix-policy-tiers.jpg",[33,1498,1500],{"id":1499},"what-to-build-first","What to build first",[14,1502,1503],{},"If you're adding approvals to an agent that's already running without them, don't try to wire every action at once.",[14,1505,1506],{},"Start with the nuclear set. Money movement. File deletions. Outbound communication to customers. Code deploys. Anything irreversible. Put approvals on those first.",[14,1508,1509],{},"Next, the amber set. Internal communications. Calendar changes. Memory writes. Scheduled tasks. 
Approvals here, too, but with longer timeouts and maybe auto-approve during business hours.",[14,1511,1512],{},"Leave the green set alone. Read-only actions. Searches. Summaries. Reports. Approvals on these just create noise and teach your team to click through without reading, which destroys the entire value of having approvals.",[14,1514,1515],{},"Three tiers. Five minutes of policy design. Massive difference in actual safety posture.",[14,1517,1518,1519,1523],{},"For teams running agents on ops workflows in particular, pairing approvals with the broader ",[186,1520,1522],{"href":1521},"/use-cases/operations","OpenClaw for operations use case"," framework is the cleanest way to think about what belongs at each tier.",[33,1525,285],{"id":284},[14,1527,1528],{},"The phrase people keep using for where this is all going is \"trust as UX.\" For years, agent safety was a theoretical conversation. Alignment. Red teaming. Policy papers. Useful work. Hard to apply at 3 PM on a Tuesday when your agent wants to know if it should really send that email.",[14,1530,1531],{},"Approvals are the first piece of agent safety that's fully concrete. A notification on your phone. A button labeled approve. A button labeled deny. The theory becomes a tap.",[14,1533,1534,1535,1538],{},"If you want that tap to live on your phone or in an encrypted Matrix room instead of buried in a terminal you forgot to leave open, ",[186,1536,1220],{"href":277,"rel":1537},[279],". $29/month per agent, BYOK, iOS and Matrix approvals built in, your first deploy takes about 60 seconds. We handle the certificates, the bots, the signing, the retries. You handle the decision of whether to approve or deny.",[14,1540,1541],{},"The next year of agent infrastructure is going to be defined by how well we close the loop between \"agent wants to do a thing\" and \"human actually decides whether to let it.\" Everyone building agents is going to figure this out. 
The teams that figure it out first are going to be the ones whose agents people actually trust with real decisions.",[33,1543,304],{"id":303},[14,1545,1546],{},[65,1547,1548],{},"What are OpenClaw exec approvals?",[14,1550,1551],{},"OpenClaw exec approvals are a safety feature where an autonomous agent pauses before taking consequential actions (like sending money, deleting files, or running privileged commands) and waits for a human to approve or deny. The approval prompt can be delivered through iOS push notifications, Matrix rooms, or chat platforms like Slack. It's the core mechanism that keeps autonomous agents from causing irreversible damage on bad judgment.",[14,1553,1554],{},[65,1555,1556],{},"How do OpenClaw iOS approvals compare to Matrix approvals?",[14,1558,1559],{},"iOS approvals are personal and fast. Push notification lands on your phone, you tap, done. Matrix approvals are team-oriented and end-to-end encrypted, which makes them better for consequential actions that need auditability and where Slack or Discord would leak sensitive context. Most real teams use both, routing personal actions to iOS and team actions to Matrix.",[14,1561,1562],{},[65,1563,1564],{},"How do I set up iOS push notifications for OpenClaw agent approvals?",[14,1566,1567],{},"On managed platforms like BetterClaw, you install the mobile app, pair it to your agent, and approvals start flowing. On self-hosted OpenClaw, you need an Apple Developer account, APNs certificates, a push server, and signature verification for the approval responses. Check the current OpenClaw docs for the exact configuration fields since this system is new and still evolving.",[14,1569,1570],{},[65,1571,1572],{},"Are OpenClaw exec approvals worth the added friction?",[14,1574,1575],{},"For any agent with real permissions, absolutely yes. The Meta researcher whose agent mass-deleted her emails is the textbook example of what happens without approvals. 
The friction is low (one tap) and the downside protection is massive. At $29/month per agent on a managed platform, the cost of running approvals is less than the cost of one bad autonomous decision.",[14,1577,1578],{},[65,1579,1580],{},"Is Matrix secure enough for approving sensitive business actions?",[14,1582,1583,1584,1587],{},"Yes. Matrix is end-to-end encrypted by default, federated, and can be self-hosted on infrastructure you control, which puts it in a stronger security position than most chat platforms for approval traffic. The bigger risk is usually not Matrix itself but whether the humans in the approval room are the right humans and whether you've combined it with the other pieces of a proper ",[186,1585,1586],{"href":726},"OpenClaw gateway setup",".",{"title":351,"searchDepth":352,"depth":352,"links":1589},[1590,1591,1592,1593,1594,1595,1596,1597,1598],{"id":1336,"depth":352,"text":1337},{"id":1361,"depth":352,"text":1362},{"id":1386,"depth":352,"text":1387},{"id":1423,"depth":352,"text":1424},{"id":1446,"depth":352,"text":1447},{"id":1471,"depth":352,"text":1472},{"id":1499,"depth":352,"text":1500},{"id":284,"depth":352,"text":285},{"id":303,"depth":352,"text":304},"2026-04-17","How OpenClaw exec approvals work on iOS APNs, Matrix, and chat platforms. Which channel to use, what to approve, and why it matters.","/img/blog/openclaw-exec-approvals-mobile-matrix.jpg",{},"/blog/openclaw-exec-approvals-mobile-matrix","9 min read",{"title":1313,"description":1600},"OpenClaw Exec Approvals Explained: Mobile and Matrix","blog/openclaw-exec-approvals-mobile-matrix",[1609,1610,1611,1612,1613,1614],"OpenClaw exec approvals","OpenClaw iOS approvals","OpenClaw Matrix approvals","AI agent approval system","human in the loop AI","agent safety approvals","BrUU_W1wjSx_IvR1nvepin2r5Vt8Q1-V5wqHorGRZJM",1776512557633]