Every ClawHub skill now gets a Skill Card that documents what it does and where it came from. OpenClaw says SkillSpector scans skills for hidden instructions and other agentic risks, while ClawScan combines multiple signals before assigning a verdict. The company also released a public dataset of security scan outcomes for the community.
This is important because agent skills can be dangerous without looking like traditional malware. OpenClaw is treating provenance, capability mismatch, and blast radius as first-class security problems. That is the right direction for platforms that let agents install and execute third-party tools.
If you publish skills in ClawHub, the immediate action is to review how your skill is described, what code it ships, and whether those two match. If you consume skills, check the Skill Card and treat advisories as a real part of the decision process. Teams building agent platforms should borrow the same pattern: scan, explain, and score risk before install.
Read Original Post →