
ClawScan: Review, Pricing, Alternatives

Security scanner for OpenClaw skills


Overview

Description

ClawScan is a security scanner for OpenClaw skills. It detects prompt injection, credential stealers, reverse shells, invisible unicode attacks — in one command. It has found 341+ malicious skills on ClawHub.

It analyzes SKILL.md and scripts to detect 10 categories of prompt injection, including role hijacking, instruction override, authority spoofing, invisible unicode, hidden comment attacks, data exfiltration prompts, privilege escalation, and conversation manipulation. It also analyzes fake prerequisites, hidden markdown commands, external binary links, and suspicious content in SKILL.md.

Scripts are analyzed for reverse shells, download-and-execute chains, persistence mechanisms, and eval/exec abuse. Network detection includes blocklisted IPs/CIDRs, Discord/Telegram webhook exfiltration, and suspicious TLDs. Credential scanning looks for SSH keys, browser cookies, API tokens, OpenClaw configs, and hardcoded secrets. Obfuscation is detected via base64+exec payloads, hex encoding, minified code, and suspicious string lengths. Typosquatting is checked by Levenshtein distance against top skills.

The process is: point it at a skill (local path or URL), get a combined score (e.g., exec() alone = fine; exec() + credential theft + webhook = 🔴 DANGEROUS), and receive a verdict (🟢 Safe · 🟡 Warning · 🔴 Dangerous) with explanations for each finding.

It is available as an OpenClaw skill installable with one command (`openclaw skill install clawscan`) and offers 24 OpenClaw-specific checks covering config, files, skills, and network exposure, with an A-F grading system. Pro and Managed versions are available with additional features.

Strengths
  • Detects 10 categories of prompt injection, including unique types like invisible unicode and role hijacking.
  • Comprehensive analysis of SKILL.md, scripts, network, and credentials.
  • Easy installation as an OpenClaw skill with a single command.
  • Provides a clear grading system (A-F) with actionable recommendations.
  • Built specifically for OpenClaw environments, understanding their attack surface.
Weaknesses
  • The free tier offers 24 checks, with over 40 available in the Pro version.
  • May require human expertise to interpret certain false positives.
  • Pro and Managed versions have a monthly cost.

Use cases

Solopreneur securing their AI agent for client work

Solopreneur AI agent user

For solopreneurs using AI agents for client projects, ClawScan enables proactive security audits of their OpenClaw instances. Example: A freelance consultant can scan their agent setup to ensure no sensitive client data is exposed before a project begins, receiving an A-F grade and actionable fixes.

Developer testing a new OpenClaw skill before deployment

AI developer

For AI developers building and deploying new OpenClaw skills, ClawScan provides a crucial pre-deployment security check. Example: A developer can scan a newly created skill to detect potential prompt injection vulnerabilities or credential leaks before it's made available to users, ensuring a safer release.

Security professional auditing AI agent configurations

AI security professional

For AI security professionals, ClawScan offers a specialized tool to audit OpenClaw agent configurations against known vulnerabilities. Example: A security analyst can use ClawScan to quickly assess an organization's deployed AI agents for common misconfigurations and exposed endpoints, mapping findings to OWASP Top 10 for Agents.

Student learning about AI agent security best practices

Student learning AI security

For students learning about AI agent security, ClawScan provides a practical way to understand common vulnerabilities. Example: A student can use ClawScan on a personal OpenClaw instance to identify security flaws, learn from the actionable fixes, and gain hands-on experience with agent security principles.

Frequently asked questions

Is ClawScan free?

ClawScan offers a free tier that includes community support, CLI and JSON output, zero dependencies, OpenClaw-specific audits, an A-F grading system, and 24 security checks. Paid tiers like Pro and Managed offer additional features and support.

How much does ClawScan cost?

ClawScan has a free tier. The Pro version is available for $19/mo, and a Managed version is coming soon for $49/mo. An Enterprise Audit is available for a one-time fee of $500.

How do I install ClawScan?

ClawScan installs as an OpenClaw skill with a single command: `openclaw skill install clawscan`. It is built with pure bash and has zero dependencies.

What security checks does ClawScan perform?

ClawScan performs 24 security checks across five categories: OpenClaw Config, Workspace Security, Skill Audit, Network Exposure, and Secrets & Keys. It identifies vulnerabilities, misconfigurations, and exposed secrets specific to OpenClaw environments.

What is ClawScan's main competitor?

Based on the search results, ClawSecure appears to be a primary competitor, offering a similar suite of security scanning and auditing tools specifically for the OpenClaw ecosystem.

Is ClawScan secure / GDPR-compliant?

ClawScan emphasizes a privacy-first approach, stating that all scanning happens locally with no data leaving your machine. While GDPR compliance is not explicitly mentioned, the local processing of data aligns with privacy-focused principles.

What platforms does ClawScan support?

ClawScan is designed as an OpenClaw skill and is built with pure bash, meaning it runs on any system with a shell and OpenClaw installed. It does not appear to have dedicated mobile, web, or desktop versions outside of its integration with OpenClaw.

Pricing

ClawScan pricing — under verification

We're still verifying the official pricing for ClawScan. In the meantime, the most up-to-date plans and prices are available directly on the publisher's website.


Comparisons

Suggested comparisons in the same category

  • ClawScan vs XploitScan
  • ClawScan vs Safuclaw
  • ClawScan vs ClearAudit
  • ClawScan vs ZeroLeaks

Information

  • Category: Security
  • Pricing: Freemium
  • Language: Multilingual
  • API: Not available
  • Tags: ai-security, vulnerability-scanning

Updated May 9, 2026

In this category: Security

  • ClearAudit (Paid): Analyze your website, get a score, and fix issues with AI in minutes
  • XploitScan (Freemium): Security scanner designed for AI-generated code
  • Safuclaw (Freemium): Security audits for AI agent skills. Pay-per-use.
  • ZeroLeaks (Paid): Security testing for AI agents
  • EML Scanner (Freemium): Detect fraudulent emails in seconds
  • Tene (Freemium): Your .env isn't a secret. Tene protects it from AI agents.
  • UNPWNED (Freemium): AI security scanner for developers and teams shipping AI-generated code - scan, get AI fixes.
  • GuardLink (Freemium): Continuous threat modeling with AI, enforced in CI.
  • PolicyCortex (Paid): AI cloud engineer that automatically fixes security and compliance issues
  • Rex IA (Free): AI-powered scam detection for websites and online services