OpenA2A Security for OpenClaw
Security auditing and hardening for OpenClaw installations. Scan your configuration, detect known vulnerabilities, audit installed skills for malicious code, and get specific remediation steps.
This skill runs entirely locally. No data leaves your machine. No API keys required.
What You Can Ask
Quick Security Check
Ask for a fast overview of your security posture:
"Run a security audit on my OpenClaw setup"
"Is my OpenClaw configuration secure?"
"Check my OpenClaw for known vulnerabilities"
CVE-2026-25253 Detection
Check if your OpenClaw instance is vulnerable to the WebSocket hijack RCE (CVSS 8.8):
"Am I vulnerable to CVE-2026-25253?"
"Check for the OpenClaw WebSocket vulnerability"
Skill Scanning
Scan installed skills for malicious code patterns (command injection, data exfiltration, obfuscated payloads, crypto mining):
"Scan my installed skills for malware"
"Is the weather-bot skill safe?"
"Check all my skills for security issues"
Credential Audit
Check for exposed credentials, weak file permissions, and plaintext storage:
"Are my API keys and tokens stored securely?"
"Check my credential file permissions"
Configuration Hardening
Get specific recommendations for hardening your OpenClaw config:
"How do I harden my OpenClaw configuration?"
"What security settings should I change?"
How It Works
This skill uses HackMyAgent, an open-source security scanner with 47 OpenClaw-specific checks across these categories:
Skill Security (6 checks)
| Check | What It Detects |
|---|---|
| SKILL-001 | Command injection via shell execution |
| SKILL-002 | Dynamic code execution (eval, Function, vm) |
| SKILL-003 | Data exfiltration to external endpoints |
| SKILL-004 | Obfuscated code (base64, hex, charcode) |
| SKILL-005 | Crypto mining indicators |
| SKILL-006 | Path traversal outside skill directory |
Credential Security (4 checks)
| Check | What It Detects |
|---|---|
| CRED-001 | Credentials exposed via gateway API |
| CRED-002 | Credential files with world-readable permissions |
| CRED-003 | Plaintext credential storage without encryption |
| CRED-004 | Timing side-channel in authentication |
Gateway Security (4 checks)
| Check | What It Detects |
|---|---|
| GW-001 | Missing rate limiting on endpoints |
| GW-002 | SSRF-vulnerable URL fetch handlers |
| GW-003 | Missing or incomplete security headers |
| GW-004 | CVE-2026-25253 WebSocket hijack vulnerability |
Supply Chain (4 checks)
| Check | What It Detects |
|---|---|
| SC-001 | npm install without --ignore-scripts |
| SC-002 | Unpinned or pre-release dependencies |
| SC-003 | Missing skill signing or hash verification |
| SC-004 | Known ClawHavoc malicious skill patterns |
Running Scans
When asked to perform a scan, run the following commands:
Full Security Audit
npx hackmyagent secure ~/.openclaw
Scan a Specific Skill
npx hackmyagent scan --skill <skill-name>
CVE Detection Only
npx hackmyagent scan --cve ~/.openclaw
Configuration Audit
npx hackmyagent audit ~/.openclaw/config.json5
Generate Security Report
npx hackmyagent secure ~/.openclaw --format html --output security-report.html
Output formats: text, json, sarif, html, asp
Security Recommendations
When providing recommendations, reference these priority levels:
Do Immediately
- Update OpenClaw to the latest version (patches CVE-2026-25253, credential redaction, timing-safe auth, lifecycle script blocking)
- Run
npx hackmyagent secureto identify your current exposure - Review installed skills — remove any you do not actively use
- Check file permissions — credential files should be 0600, not world-readable
Configuration Changes
Recommend these config.json5 changes when relevant:
- Set
gateway.authto a strong token (32+ characters, randomly generated) - Set
gateway.hostto127.0.0.1(loopback only) unless remote access is required - Disable unused channel integrations
- Set
plugins.allowUnsafeto false - Enable Docker sandbox mode when available
For Skill Publishers
- Do not hardcode API keys in skill code — use environment variables
- Declare minimum required permissions in SKILL.md frontmatter
- Do not use eval(), Function(), or child_process.exec() with user input
- Do not fetch external URLs at install time
Interpreting Results
When presenting scan results to the user:
- CRITICAL findings require immediate action — explain the specific risk and provide the fix command
- HIGH findings should be addressed before deploying to production
- MEDIUM findings are defense-in-depth improvements
- LOW findings are best-practice recommendations
Always explain findings in plain language. Not every user is a security expert. State what the risk is, who could exploit it, and exactly how to fix it.
Background
This skill is built by OpenA2A (opena2a.org), the team behind 6 merged security patches in OpenClaw main:
| PR | Fix |
|---|---|
| #9806 | Skill code safety scanner (19 detection rules, +1,721 lines) |
| #9858 | Credential redaction for gateway WebSocket responses |
| #10525 | Path traversal fix in A2UI file serving |
| #10527 | Timing-safe comparison for hook token auth |
| #10528 | Blocked npm lifecycle scripts during plugin install |
| #10529 | File permission enforcement on WhatsApp credentials |
Scanner: https://www.npmjs.com/package/hackmyagent Source: https://github.com/opena2a-org/hackmyagent Threat model: https://github.com/openclaw/trust/pull/7