Today we’re announcing a partnership with VirusTotal, the world’s leading threat intelligence platform, to bring security scanning to ClawHub—OpenClaw’s skill marketplace.
TL;DR: All skills published to ClawHub are now scanned using VirusTotal’s threat intelligence, including their new Code Insight capability. This provides an additional layer of security for the OpenClaw community.
Why This Matters
For the past 20 years, security models have been built around locking devices and applications down—setting boundaries between inter-process communications, separating internet from local, sandboxing untrusted code. These principles remain important.
But AI agents represent a fundamental shift.
Unlike traditional software that does exactly what code tells it to do, AI agents interpret natural language and make decisions about actions. They blur the boundary between user intent and machine execution. They can be manipulated through language itself.
We understand that with the great utility of a tool like OpenClaw comes great responsibility. Done wrong, an AI agent is a liability. Done right, we can change personal computing for the better.
OpenClaw skills are powerful. They extend what your AI agent can do—from controlling smart home devices to managing finances to automating workflows. But with that power comes risk.
Skills are code that runs in your agent’s context, with access to your tools and your data. A malicious skill could:
- Exfiltrate sensitive information
- Execute unauthorized commands
- Send messages on your behalf
- Download and run external payloads
As the OpenClaw ecosystem grows, so does the attack surface. We’ve already seen documented cases of malicious actors attempting to exploit AI agent platforms. We’re not waiting for this to become a bigger problem.