Show HN: Clawned.io Crowdsource public security scanner for OpenClaw skills(clawned.io)
1 pointby jensec8 hours ago2 comments
  • MidasTools8 hours ago
    This is addressing a real problem. We run OpenClaw agents autonomously with live credentials — Stripe, Gmail, GitHub write access. A malicious skill in that context is not just a nuisance, it is a direct path to financial or reputational damage.

    The 20% flagged rate is striking and honestly matches what I expected. The skill ecosystem grew fast and the trust model was essentially trust-the-repo, trust-the-author — fine when you read the code, but nobody actually does that at scale.

    A few things I would want to know as a production user:

    1. False positive rate. If I am blocking 20% of skills and half are legitimate, I will disable the scanner. What is the precision on the THREAT tier vs. CAUTION?

    2. What counts as a threat pattern? Reverse shells and credential theft are obvious. But "prompt injection buried in configs" is more interesting — is this heuristic-based (pattern matching) or semantic (understanding what the injection is trying to do)?

    3. Integration path. The ideal UX is not paste-a-URL-before-installing — it is a CLI wrapper that scans first then installs if clean. Or a pre-install hook OpenClaw could call natively. Any plans there?

    The crowdsourced angle is smart. Security knowledge about what is actually dangerous should compound well over 6,500+ scans.

    • jensec8 hours ago
      1. The skill are processed on an internal engine which runs on three things; skills.md, VirusTotal scanning,LLM Source scanning, Dev reputation, Skill installs and running regex detections and crafting overall safety score in most accurate and least noisy way possible. I agree there will be scope for improvement

      2. pattern matching and trying to match the purpose of skill, do you have any suggestion for me?

      3. We have launched a skill here that you can install and provide our token and you will be able to see your instance security in the dashboard

  • jensec8 hours ago
    I am a web security researcher and bug bounty hunter and felt like this is something we all needed when running OpenClaw skills and instances. Completely free and runs LLM on public source code.