ClawLab
CHITIN SECURED— 6-stage security audit

Security at ClawLab

We sell software that runs inside your AI agent with your full permissions. We don't take that lightly.


The reality

OpenClaw skills run with your full permissions. Most of them are unreviewed.

OpenClaw hooks execute inside the Gateway's Node.js process with unrestricted access to your filesystem, network, and shell. There is no sandbox. There is no capability model. A hook can read your SSH keys, exfiltrate your codebase, or install a backdoor — and you'd never see it happen.

This is not hypothetical. In January and February 2026, security researchers documented 1,184 malicious packages on ClawHub, 8 CVEs in two months (including a CVSS 9.9 validation bypass and a CVSS 8.8 remote code execution), and 135,000 exposed instances. ClawHub still performs no pre-publication security review.

We build skills for this ecosystem. We take that responsibility seriously.

CHITIN — 6-Stage Audit Pipeline

Every release passes all six stages. No exceptions.

CHITIN runs on every commit, every pull request, and every release build. It's automated, deterministic, and non-negotiable.

01

Static Analysis

Every source file is scanned for dangerous patterns — eval, dynamic imports, process spawning, network modules, obfuscated strings. Any match blocks the release.

02

Behavioral Sandbox

The hook runs in an instrumented environment with patched system modules. We record every filesystem operation, every network attempt, every process spawn — and assert the list is empty.

03

Injection Audit

All content injected into the agent context is analyzed for prompt override patterns, role delimiter injection, hidden instructions, and scope violations. Token budget is enforced.

04

Dependency Verification

We assert zero external dependencies. Every import is verified against an allow-list of Node.js built-in modules and local project files. Nothing else gets through.

05

Content Integrity

The release tarball is GPG-signed and checksummed. A file-level manifest is generated so you can verify every file in the package independently.

06

Regression Testing

Every new release is diffed against the previous version. New file paths, expanded capabilities, or increased injection scope are flagged and require manual sign-off.
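The stage 04 import check, sketched as an added example (this is not ClawLab's CHITIN code). It assumes a regex scan instead of a real parser, treats only relative paths as "local project files", and fails closed on computed module names; `auditImports` and the sample source are hypothetical.

```javascript
// Added example: regex-based import allow-list check (not ClawLab's CHITIN code).
const { builtinModules } = require('node:module');

const BUILTINS = new Set(builtinModules);

// Each pattern captures a string-literal module specifier in group 2.
const LITERAL_FORMS = [
  /\b(?:require|import)\s*\(\s*(['"])([^'"]+)\1\s*\)/g, // require('x'), import('x')
  /\bfrom\s*(['"])([^'"]+)\1/g,                          // import/export ... from 'x'
  /\bimport\s*(['"])([^'"]+)\1/g,                        // import 'x'
];
// require(...) or import(...) whose argument is not one plain string literal.
const NON_LITERAL = /\b(?:require|import)\s*\(\s*(?!\s*(['"])[^'"]+\1\s*\))/g;

function isAllowed(specifier) {
  // Assumption: "local project file" means a relative path.
  if (specifier.startsWith('./') || specifier.startsWith('../')) return true;
  return BUILTINS.has(specifier) || BUILTINS.has(specifier.replace(/^node:/, ''));
}

function auditImports(source) {
  const allowed = [];
  const violations = [];
  for (const pattern of LITERAL_FORMS) {
    for (const match of source.matchAll(pattern)) {
      const specifier = match[2];
      if (isAllowed(specifier)) allowed.push(specifier);
      else violations.push({ specifier, reason: 'not a built-in or local file' });
    }
  }
  // A computed specifier cannot be checked statically, so it fails closed.
  for (const _ of source.matchAll(NON_LITERAL)) {
    violations.push({ specifier: '<non-literal>', reason: 'computed module name' });
  }
  return { allowed, violations };
}

// Constructed sample hook source, for illustration only.
const SAMPLE = `
const fs = require('node:fs');
const path = require("path");
import { helper } from './lib/helper.js';
import 'left-pad';
const util = await import('../util.mjs');
const extra = require(process.env.EXTRA_MODULE);
export { x } from '@scope/pkg';
`;

console.log(auditImports(SAMPLE).violations);
```

Because the scan is textual, import-like text inside comments or strings is also reported, which errs toward blocking a release.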

Our guarantees

What we guarantee about every skill we ship.

No network access

Our skills make zero outbound connections. No fetch, no HTTP, no WebSocket. Your data never leaves your machine.

No shell execution

We never use child_process, exec, or spawn. Our hooks operate entirely within the Node.js runtime — no shells, no subprocesses.

No external dependencies

Zero third-party packages. Only Node.js built-in modules. There is no supply chain to attack.

Signed releases

Every release is GPG-signed and ships with a SHA-256 checksum. Verify the integrity of your download before you install.

Unminified source

Our hook code ships readable and unobfuscated. We want you to read it before you install it.

Scoped file access

Our skills only write to their own declared directory. Nothing else on your filesystem is touched.

Verify our work

Don't trust us. Verify.

Download our GPG public key and verify the signature on any release. Extract the tarball and check the manifest against every file. Read the hook source — it's readable, unminified, and short. Run lsof while the skill is active and confirm there are no network connections.

We built our skills to be auditable because we'd want the same thing if we were the ones installing them.

Verify a release

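# Check file integrity

$ shasum -a 256 -c metacognitive-calibration-v2.2.0.tar.gz.sha256

# Import the signing key (compare its fingerprint with one obtained through a separate channel)

$ curl -sL https://adventra.ai/.well-known/clawlab-signing-key.asc | gpg --import

# Verify GPG signature, naming both the detached signature and the file it covers

$ gpg --verify metacognitive-calibration-v2.2.0.tar.gz.asc metacognitive-calibration-v2.2.0.tar.gz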

Responsible disclosure

Found something? Tell us.

If you find a security issue in any ClawLab product, email security@clawlab.dev. We acknowledge reports within 24 hours and ship fixes within 7 days for critical issues. We'll credit you publicly (with your permission) in our release notes.