Hardening for OpenClaw agents — covering every OWASP ASI Top 10 threat and every known OpenClaw incident. A code-level plugin that can’t be talked out of protecting you, plus an ultra-lean skill that makes your agent security-aware without eating your context window.
```bash
openclaw plugins install secureclaw
```

The first and only OpenClaw security product to formally map every control to the OWASP Agentic Security Initiative. From prompt injection (ASI01) through rogue agents (ASI10) — 51 attack vectors, 10 threat categories, all mapped to specific countermeasures. The plugin provides code-level hardening. The skill provides LLM-level awareness and automated checks.
10/10 ASI CATEGORIES
Built on the OpenClaw Security 101 research — CVE-2026-25253 (1-click RCE), ClawHavoc (341 malicious skills), Moltbook breach (1.5M exposed tokens), 21,639 exposed instances, Redline/Lumma/Vidar infostealer targeting, API cost runaways, browser relay session theft, and the Confession Booth PII leakage attack. Every documented threat has a specific countermeasure.
8 THREAT CLASSES COVERED
Two tiers working together. The plugin runs as code — gateway hardening, permission lockdown, credential scanning, audit logging. Can’t be prompt-injected. The skill runs as LLM directives — injection awareness, privacy scanning, integrity monitoring, emergency response. Use either alone or both together for defense in depth.
2-TIER ARCHITECTURE
Most security skills dump thousands of tokens into context — competing with conversations and degrading quality. Our advisor skill is 12 rules and 8 script triggers in ~1,150 tokens. All detection logic runs as bash — zero LLM tokens. Your agent stays fast, stays focused, stays protected.
75% SMALLER THAN ALTERNATIVES
PLUGIN + SKILL
```text
┌──────────────────────────────────────────────────────────────────────┐
│                           EXTERNAL THREATS                           │
│   ▼ prompt injection   ▼ malicious skills   ▼ data exfiltration      │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  █ TIER 1: PLUGIN (code-level — immune to prompt injection)          │
│  │                                                                   │
│  ├─ Gateway hardening      bind lockdown, auth enforcement           │
│  ├─ Permission lockdown    .env 600, directory 700, config 600       │
│  ├─ Credential scanning    detect plaintext API keys outside .env    │
│  ├─ Config monitoring      detect unauthorized config changes        │
│  ├─ Audit logging          all actions logged, timestamped           │
│  └─ CLI interface          audit, harden, status commands            │
│                                                                      │
│  █ TIER 2: SKILL (~1,150 tokens — LLM awareness + bash scripts)      │
│  │                                                                   │
│  ├─ 12 core rules          always in agent memory                    │
│  ├─ check-privacy.sh       PII scanner for public posts              │
│  ├─ quick-audit.sh         security audit (all 10 ASI categories)    │
│  ├─ scan-skills.sh         supply chain scanner + ClawHavoc IoCs     │
│  ├─ check-integrity.sh     SHA256 cognitive file tamper detection    │
│  ├─ quick-harden.sh        one-shot fix for critical issues          │
│  └─ emergency-response.sh  automated incident response               │
│                                                                      │
│  Plugin hardens the system. Skill hardens the agent. Together:       │
│  defense in depth where each layer catches failures of the other.    │
└──────────────────────────────────────────────────────────────────────┘
```
Scans outbound Moltbook posts for 14 categories of PII — your name, location, devices, employer, routines, credentials, family, religion. The only defense against the Confession Booth attack. Pipe any draft through check-privacy.sh.
Scans installed skills for remote code execution, dynamic eval, obfuscated code, credential access, and config modification. Includes ClawHavoc campaign IoCs — known C2 IPs, malicious skill name patterns, Atomic Stealer signatures.
SHA256 baseline monitoring of SOUL.md, IDENTITY.md, TOOLS.md, SECURITY.md, and AGENTS.md. Detects unauthorized changes. Runs every 12 hours. If your identity files have been tampered with, you know within minutes.
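To show what a SHA256 baseline check of the cognitive files involves, here is an added example written for this page (it is not SecureClaw's check-integrity.sh): it records a baseline and then reports files that were modified, removed, or added since. The workspace path and baseline file location are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SecureClaw's own script. Baseline and verify SHA256
# hashes of an agent's cognitive files. Workspace layout is an assumption;
# sha256sum is the GNU tool (macOS would need `shasum -a 256`).
set -u

COGNITIVE_FILES="SOUL.md IDENTITY.md TOOLS.md SECURITY.md AGENTS.md"

# integrity_baseline <workspace> <baseline-file>
# Records "<sha256> <name>" for every cognitive file present.
integrity_baseline() {
  local ws="$1" baseline="$2" f
  : > "$baseline"
  for f in $COGNITIVE_FILES; do
    [ -f "$ws/$f" ] || continue
    sha256sum "$ws/$f" | awk -v name="$f" '{print $1, name}' >> "$baseline"
  done
  chmod 600 "$baseline"   # the baseline itself must not be writable by others
}

# integrity_check <workspace> <baseline-file>
# Prints one MODIFIED/MISSING/NEW line per finding; returns 1 if any.
integrity_check() {
  local ws="$1" baseline="$2" hash name cur rc=0 f
  while read -r hash name; do
    if [ ! -f "$ws/$name" ]; then
      printf '%-9s%s\n' MISSING "$name"; rc=1; continue
    fi
    cur=$(sha256sum "$ws/$name" | awk '{print $1}')
    [ "$cur" = "$hash" ] || { printf '%-9s%s\n' MODIFIED "$name"; rc=1; }
  done < "$baseline"
  # A cognitive file that appeared after the baseline is also a finding.
  for f in $COGNITIVE_FILES; do
    [ -f "$ws/$f" ] && ! grep -q " $f\$" "$baseline" \
      && { printf '%-9s%s\n' NEW "$f"; rc=1; }
  done
  return $rc
}

# Demo on a constructed temporary workspace (run with --demo).
if [ "${1:-}" = "--demo" ]; then
  ws=$(mktemp -d); echo "I am a helpful agent." > "$ws/SOUL.md"
  integrity_baseline "$ws" "$ws/.baseline"
  echo "# unexpected edit" >> "$ws/SOUL.md"        # simulated tampering
  integrity_check "$ws" "$ws/.baseline" || echo "ALERT: cognitive files changed"
  rm -rf "$ws"
fi
```

Schedule integrity_check from cron or a systemd timer and keep the baseline file outside the directory the agent can write to, otherwise a tampered file can be re-baselined by the same party that changed it.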
Detects and fixes the #1 cause of exposed OpenClaw instances — bind address exposure, missing auth tokens, reverse proxy bypass, loose file permissions. One command: quick-harden.sh. Automatic backup before every change.
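As an added example of the permission-lockdown part of a one-shot hardening step (this is not SecureClaw's quick-harden.sh), the script below audits the modes the plugin tier enforces (.env 600, workspace directory 700, config 600) and repairs them after taking a backup; the workspace layout and the config.json file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SecureClaw's own script. Audit and repair file modes,
# backing up each file before changing it. Paths are assumptions.
set -u

# perm_of <path>: octal mode such as 644 (GNU stat; BSD/macOS: stat -f %Lp)
perm_of() { stat -c '%a' "$1"; }

# perm_audit <workspace>: one "FAIL <path> <mode> <want>" line per object
# whose mode is not the expected one; returns 1 if anything failed.
perm_audit() {
  local ws="$1" rc=0 spec p want mode
  for spec in "$ws:700" "$ws/.env:600" "$ws/config.json:600"; do
    p=${spec%:*}; want=${spec##*:}
    [ -e "$p" ] || continue          # an absent object is not a finding
    mode=$(perm_of "$p")
    if [ "$mode" != "$want" ]; then
      printf 'FAIL %s %s %s\n' "$p" "$mode" "$want"; rc=1
    fi
  done
  return $rc
}

# perm_harden <workspace>: for each finding, copy regular files to a
# timestamped .bak created under umask 077 (so the backup of .env is not
# itself world-readable), then chmod the object to the expected mode.
perm_harden() {
  local ws="$1" stamp
  stamp=$(date +%Y%m%d%H%M%S)
  perm_audit "$ws" | while read -r _ p mode want; do
    if [ -f "$p" ]; then
      ( umask 077; cp "$p" "$p.bak.$stamp" )
    fi
    chmod "$want" "$p"
    printf 'FIXED %s %s -> %s\n' "$p" "$mode" "$want"
  done
}

# Demo on a constructed workspace with deliberately loose modes (--demo).
if [ "${1:-}" = "--demo" ]; then
  ws=$(mktemp -d); chmod 755 "$ws"
  printf 'API_KEY=constructed-placeholder\n' > "$ws/.env"; chmod 644 "$ws/.env"
  perm_audit "$ws" || perm_harden "$ws"
  perm_audit "$ws" && echo "workspace locked down"
  rm -rf "$ws"
fi
```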
Automated incident response when the agent suspects compromise. Checks integrity, open ports, suspicious processes, recent changes, runs full audit. Outputs a clear human action list. One script, zero panic.
25+ checks across all 10 OWASP ASI categories — version/CVE, gateway, auth, permissions, sandbox, approval mode, browser relay, skill safety, cognitive integrity, DM policy, privacy directives, cost limits. 0-100 score.
On prompt injection: No product can fully solve prompt injection — it’s an unsolved problem across the entire AI industry. SecureClaw makes it significantly harder through multi-layer defense: the plugin’s code-level controls can’t be overridden by injected prompts, the skill teaches the agent to recognize and refuse injection patterns, and the audit scripts detect compromise after the fact. We harden against injection. We don’t claim to eliminate it. If someone tells you they’ve solved prompt injection, they’re selling you something.
| Capability | OpenClaw Built-in | ClawSec | SecureClaw v1.1 |
|---|---|---|---|
| OWASP ASI Top 10 mapping | None | None | ✓ 10/10 categories |
| Known incident coverage | CVE patch only | ~3/8 threats | ✓ 8/8 threat classes |
| Code-level hardening | ✗ | ✗ (skill only) | ✓ Plugin tier |
| PII / privacy scanning | ✗ | ✗ | ✓ 14 PII categories |
| Supply chain scanning | ✗ | Basic | ✓ + ClawHavoc IoCs |
| Cognitive file integrity | ✗ | ✗ | ✓ SHA256 monitoring |
| Automated incident response | ✗ | ✗ | ✓ emergency-response.sh |
| Prompt injection defense | Basic sandbox | Skill awareness | Multi-layer hardening (industry unsolved) |
| Context window cost | 0 tokens | ~4,500 tokens | ~1,150 tokens |
One command installs the plugin. The advisor skill ships with it. Both activate automatically.
Don’t want the plugin? Install just the skill: