



























OpenClaw blog
ClawHub skills are now scanned by VirusTotal's threat intelligence platform—bringing industry-leading security to the AI agent ecosystem.
Feb 7, 2026 5 min read
Today we’re announcing a partnership with VirusTotal, the world’s leading threat intelligence platform, to bring security scanning to ClawHub—OpenClaw’s skill marketplace.
TL;DR: All skills published to ClawHub are now scanned using VirusTotal’s threat intelligence, including their new Code Insight capability. This provides an additional layer of security for the OpenClaw community.
For the past 20 years, security models have been built around locking devices and applications down—setting boundaries between inter-process communications, separating internet from local, sandboxing untrusted code. These principles remain important.
But AI agents represent a fundamental shift.
Unlike traditional software that does exactly what code tells it to do, AI agents interpret natural language and make decisions about actions. They blur the boundary between user intent and machine execution. They can be manipulated through language itself.
We understand that with the great utility of a tool like OpenClaw comes great responsibility. Done wrong, an AI agent is a liability. Done right, we can change personal computing for the better.
OpenClaw skills are powerful. They extend what your AI agent can do—from controlling smart home devices to managing finances to automating workflows. But with that power comes risk.
Skills are code that runs in your agent’s context, with access to your tools and your data. A malicious skill could:
As the OpenClaw ecosystem grows, so does the attack surface. We’ve already seen documented cases of malicious actors attempting to exploit AI agent platforms. We’re not waiting for this to become a bigger problem.
When a skill is published to ClawHub:
_meta.json containing publisher info and version history
Scan results are displayed on every skill page and in version history, with direct links to the full VirusTotal report.
VirusTotal already protects the Hugging Face ecosystem using hash-based lookups against their threat intelligence database. Our integration goes further—we upload full skill bundles for Code Insight analysis, giving the AI a complete picture of the skill’s behavior rather than just matching known signatures.
Let’s be clear: this is not a silver bullet.
VirusTotal scanning won’t catch everything. A skill that uses natural language to instruct an agent to do something malicious won’t trigger a virus signature. A carefully crafted prompt injection payload won’t show up in a threat database.
What this does provide:
Security is defense in depth. This is one layer. More are coming.
This partnership is part of a broader security initiative at OpenClaw. In the coming days, we’ll be publishing:
Follow progress and read the full security program overview in the security blog archive.
We’ve brought on Jamieson O’Reilly (founder of Dvuln, co-founder of Aether AI, CREST Advisory Council member) as lead security advisor to guide this program.
AI agents that take real-world actions deserve real security processes. We’re building them.
If you publish skills to ClawHub, your code will now be scanned automatically. Here’s how it works:
We expect some false positives initially—security tooling isn’t perfect. If your skill is incorrectly flagged, reach out to us at security@openclaw.ai and we’ll review it.
When browsing ClawHub, you’ll see scan status for each skill. This gives you one more data point when deciding what to trust. But remember:
We’re grateful to Bernardo Quintero and the VirusTotal team for their partnership. Their platform protects millions of users every day, and we’re proud to bring that protection to the OpenClaw community.
This is the beginning, not the end. We’re committed to making OpenClaw the most secure AI agent platform available. Expect more announcements soon.
The lobster grows stronger. 🦞
Questions about security? security@openclaw.ai
Publish skills: clawhub.ai
Join the discussion: Discord
— Peter, Jamieson, and Bernardo