Skip to content
HomeNewsManaged AI Hosting Just Got a Security Upgrade: Meet ClawHub's New Skill Scanner

Subscribe to OpenClaw News

One short email when we publish. No spam, unsubscribe anytime.

ChatGPT Image May 10, 2026, 08 43 34 PM (2)

Managed AI Hosting Just Got a Security Upgrade: Meet ClawHub's New Skill Scanner

May 10, 2026

OpenClaw says it has partnered with VirusTotal to automatically scan every skill published to its ClawHub marketplace, including a code-level analysis powered by Google's Gemini model. The company is framing this as the first piece of a broader security program, with a threat model, roadmap, and audit details promised in the days ahead.

OpenClaw announced the integration in a February 7, 2026 post co-bylined by OpenClaw's Peter Steinberger, security advisor Jamieson O'Reilly, and VirusTotal's Bernardo Quintero. ClawHub is OpenClaw's marketplace for skills, which are bundles of code that extend what an AI agent can do on a user's behalf.

What Actually Got Shipped

Every skill published to ClawHub now gets packaged into a ZIP with a manifest file, hashed with SHA-256 (a fingerprint algorithm that produces a unique ID for any file), and checked against VirusTotal's database. If the bundle is new, it gets uploaded for a fresh scan through VirusTotal's v3 API.

The more interesting piece is Code Insight, VirusTotal's LLM-powered analysis feature, which OpenClaw says is powered by Gemini. Rather than just matching known malware signatures, Code Insight reads the skill's code and writes a security summary of what it actually does: whether it pulls down external code, touches sensitive data, makes network calls, or embeds instructions that could push the agent toward unsafe behavior.

Skills marked benign are auto-approved. Suspicious ones get a warning label but stay listed. Malicious ones are blocked from download. Every active skill is re-scanned daily, which is meant to catch skills that start clean and turn hostile in a later version.

Why AI Skills Are a Different Security Problem

Steinberger's argument for why this matters is worth paying attention to. Traditional software does exactly what its code says. AI agents interpret natural language and decide what to do, which means they can be manipulated through language itself, not just through code exploits.

A skill is code that runs inside your agent with access to your tools and data. According to the post, a malicious skill could exfiltrate sensitive information, run unauthorized commands, send messages as you, or pull down and execute external payloads. As ClawHub grows, so does the attack surface. The post does not say how many skills or publishers are currently on ClawHub, so the size of that surface is not public.

The Honest Caveats

To OpenClaw's credit, the announcement is upfront about what this does not do. A skill that uses plain English to talk an agent into doing something harmful will not trip a virus signature. A well-crafted prompt injection (text designed to hijack an AI's instructions) will not show up in a threat database.

ChatGPT Image May 10, 2026, 08 43 34 PM (3)

VirusTotal and OpenClaw logos flank a security shield symbolizing their new scanning partnership

What scanning does provide is detection of known malware, behavioral analysis of novel code, visibility into compromised dependencies, and a signal that the company is investing in security. The post calls this "one layer" in a defense-in-depth approach.

The post also notes that VirusTotal already does hash-based scanning for the Hugging Face ecosystem. OpenClaw says its integration goes further by uploading full bundles for Code Insight analysis rather than only matching against known hashes.

What's Still Missing

A few things the announcement does not answer. It does not say whether VirusTotal independently confirmed or co-issued the announcement beyond Quintero's byline. It does not give a timeline for the promised threat model, security roadmap, or audit publication, only that they are coming "in the coming days." And it references documented cases of attackers targeting AI agent platforms without naming any specific incident.

OpenClaw also says it has brought on Jamieson O'Reilly as lead security advisor, citing his roles at Dvuln, Aether AI, and the CREST Advisory Council. Readers who want to verify those credentials can check the respective organizations' public pages.

For Publishers and Users

If you publish skills to ClawHub, scans now run automatically after you push. Benign verdicts auto-approve. Suspicious flags add a warning but keep your skill live for transparency. Malicious flags block the download immediately. OpenClaw expects false positives early on and asks publishers to email security@openclaw.ai for review.

For people installing skills, scan status will show on each skill page with a link to the full VirusTotal report. The company is explicit that a clean scan is not proof a skill is safe.

What This Means for You

If you use AI agents that run third-party extensions, treat scan badges as one input, not a verdict. Three habits worth building:

  • Read the permissions a skill requests before installing it. If it wants network access or file system access and you cannot explain why, skip it.

  • Stick to publishers with a track record. A new skill from an unknown account is higher risk than one with version history and active users, even if both scan clean.

  • Watch the agent's behavior after installing. Unexpected outbound messages, file access, or API calls are worth investigating, since prompt injection attacks will not show up in any virus scanner.

Automated scanning raises the floor. It does not replace your judgment about what you let an AI agent do on your behalf.

ChatGPT Image May 10, 2026, 08 43 34 PM (1)

Helpful documentation

Get notified when we publish new articles

No spam, unsubscribe anytime.

By subscribing, you agree to our Privacy Policy.

ClawHub Skills Now Scanned | OneClickClaw News