OpenClaw Skills Vetting: How KiwiClaw Blocks Malicious Packages Before They Reach You
In January 2026, security researchers disclosed ClawHavoc — a coordinated supply chain attack that planted 1,184 malicious skills on ClawHub, the primary package registry for OpenClaw. The attack went undetected for weeks. During that window, thousands of OpenClaw instances installed skills that quietly exfiltrated API keys, session tokens, and local files to attacker-controlled servers. Some skills deployed cryptominers. Others opened persistent backdoor connections.
The fallout was severe. But the underlying vulnerability was not new. OpenClaw skills have always executed arbitrary code with the full permissions of the host agent. A skill that promises to “summarize your email” has the same system access as a skill that exfiltrates your credentials. This is a core challenge of the skills marketplace model. There is no permission boundary, no capability model, no sandbox. A malicious skill can do anything your OpenClaw instance can do.
That is the problem KiwiClaw was built to solve.
Why ClawHub's Review Process Falls Short
ClawHub relies on a community-driven review model. Volunteers flag suspicious packages, and maintainers investigate when they have bandwidth. There is no automated scanning pipeline. There is no sandboxed execution environment. There is no continuous monitoring after a skill is published.
This model works reasonably well for traditional package registries where malicious intent is rare and the blast radius is limited. It does not work for OpenClaw skills, where every package runs with unrestricted code execution privileges on an autonomous agent that may have access to databases, APIs, cloud credentials, and messaging platforms.
The ClawHavoc attack demonstrated exactly this gap. Attackers published skills with legitimate-sounding names, minimal obfuscation, and real functionality bundled alongside malicious payloads. Community reviewers saw working code and approved it. The malicious behavior only manifested at runtime, under specific conditions, after a delay — patterns that a human glancing at source code would never catch.
If you are self-hosting OpenClaw, you inherit all of this risk. Every skill you install is a trust decision with no safety net.
KiwiClaw's Skills Vetting Pipeline
KiwiClaw interposes a multi-layer vetting pipeline between ClawHub and your running OpenClaw instance. No skill reaches your agent without passing through every stage. Here is how the pipeline works, step by step.
Stage 1: Automated Static Analysis
Every skill submitted to the KiwiClaw registry is first unpacked and scanned using a suite of static analysis tools purpose-built for OpenClaw skill packages. The scanner examines the full source tree and flags:
- Outbound network calls to unknown or suspicious endpoints — any HTTP, WebSocket, or raw socket connection that does not match the skill's declared integrations
- Credential access patterns — reads from environment variables, filesystem paths associated with SSH keys, cloud provider credential files, or browser storage
- Obfuscated code — base64-encoded payloads, eval/exec constructs, dynamically generated function calls, and encoded strings that resolve to known malicious signatures
- Privilege escalation — attempts to modify system files, spawn child processes, install additional packages, or alter the OpenClaw agent configuration at runtime
- Known malware signatures — pattern matching against a continuously updated database of indicators from documented ClawHub attacks, including the full ClawHavoc indicator set
Static analysis catches the obvious cases quickly. A skill that imports subprocess and calls curl to post your .env file to a Pastebin URL will not make it past this stage. But static analysis alone is not enough — the ClawHavoc attackers proved that sufficiently motivated adversaries can evade source-level scanning.
Stage 2: Sandboxed Execution Testing
Skills that pass static analysis move to sandboxed execution. KiwiClaw spins up an isolated environment — a locked-down container with no access to production data, restricted network egress, and full system call monitoring — and runs the skill through a battery of behavioral tests.
During execution, the sandbox monitors:
- Network behavior — every DNS query, every outbound connection attempt, logged and compared against the skill's declared scope
- Filesystem access — what files the skill reads, writes, or attempts to access outside its designated working directory
- Process activity — any child processes spawned, any attempts to execute system binaries
- Resource consumption — CPU and memory usage patterns that indicate cryptomining or denial-of-service behavior
- Timing-based triggers — the sandbox runs skills under varied conditions and with simulated delays to catch payloads that activate only after a waiting period or on a specific date
This stage is where the ClawHavoc-style attacks would have been caught. Those skills behaved normally during initial execution and only triggered their malicious payloads after a delay. KiwiClaw's sandbox specifically tests for deferred execution patterns by running skills across simulated time windows and with varied environmental signals.
Stage 3: Human Review for Flagged Packages
If either the static analysis or sandbox stage produces a flag — even a low-confidence one — the skill is routed to KiwiClaw's security team for manual review. Human reviewers examine the flagged code paths, assess intent, and make a final determination.
Not every flag indicates malice. Legitimate skills sometimes need network access or file I/O. The human review stage exists to distinguish between a skill that fetches data from an API it legitimately integrates with and a skill that posts your data to an unauthorized endpoint. Context matters, and automated tools cannot always provide it.
Skills that are cleared by human review are annotated with the specific permissions they require, so users can make informed installation decisions.
Stage 4: Continuous Monitoring
Vetting does not end at approval. KiwiClaw continuously monitors every skill in its registry. When a skill is updated, it goes through the full pipeline again. When new threat intelligence emerges — a new malware signature, a newly compromised domain, a vulnerability in a dependency — every approved skill is re-evaluated against the updated threat model.
If a previously approved skill is found to be compromised, KiwiClaw can revoke it immediately. Revocation removes the skill from all instances that have it installed, with an audit log entry explaining the action. There is no window where a known-bad skill continues to run while you wait for a community maintainer to respond to a GitHub issue.
Stage 5: Org-Level Skill Governance
For Enterprise teams, KiwiClaw provides organizational controls over which skills are permitted. Administrators can:
- Whitelist specific skills that have been internally evaluated and approved for use
- Blocklist categories or individual skills that fall outside the organization's risk tolerance
- Require admin approval before any team member can install a new skill
- Audit skill usage across all team members' OpenClaw instances with a centralized dashboard
This is particularly important for organizations operating under compliance frameworks like SOC 2, HIPAA, or GDPR, where the ability to demonstrate control over third-party code execution is not optional.
What the Pipeline Blocks
To be concrete about what KiwiClaw catches, here are the categories of malicious behavior the vetting pipeline is designed to detect and block:
| Threat Category | Example Behavior | Detection Stage |
|---|---|---|
| Data exfiltration | Posting environment variables or files to external servers | Static + Sandbox |
| Credential theft | Reading SSH keys, AWS credentials, or browser cookies | Static |
| Cryptomining | Sustained high CPU usage with outbound pool connections | Sandbox |
| Backdoor installation | Opening reverse shells or persistent C2 connections | Static + Sandbox |
| Supply chain injection | Modifying other installed skills or the agent itself | Sandbox |
| Delayed payloads | Time-bomb logic that activates after installation | Sandbox |
Custom and Private Skills
KiwiClaw's vetted registry does not prevent you from running your own code. Users on all plans can install custom skills that they have written themselves. These skills bypass the public vetting pipeline because you are the author and you accept responsibility for their behavior.
On Enterprise plans, custom skill installation can be gated behind org admin approval. This gives security teams visibility and control without blocking developers from extending their agents. Private skills are still subject to the sandbox runtime protections — they run in the same isolated environment as vetted skills, so even a buggy internal skill cannot compromise the underlying infrastructure.
OpenClaw Skills Security Requires More Than Trust
The OpenClaw ecosystem is powerful precisely because skills can do almost anything. That same power makes the ecosystem dangerous when the only thing standing between your agent and a malicious package is a volunteer reviewer on ClawHub who may or may not get to the review queue this week.
KiwiClaw replaces trust with verification. Browse the full catalog on our Skills Hub. Every skill is scanned, sandboxed, reviewed when necessary, and monitored continuously. If something goes wrong, revocation is immediate. If your organization requires governance controls, they are built in.
The 1,184 malicious skills from the ClawHavoc attack should not have been a surprise. The architecture made it inevitable. The question is whether the next supply chain attack hits your OpenClaw instance — or gets stopped before it reaches you.
Running OpenClaw in production? KiwiClaw gives you vetted skills, sandboxed execution, and org-level governance out of the box. Get started or reach out to discuss your security requirements.