A new open-source security suite is set to bring order to the OpenClaw ecosystem, securing autonomous agents from the inside out.
As autonomous AI agents make their way into more and more enterprises, the attack surface is growing with them. SentinelOne is responding with ClawSec, a free security suite developed specifically for OpenClaw agents. The solution was built by Prompt Security, which SentinelOne acquired in 2025.
The problem with compromised skills
Within just a few days, more than 200 malicious OpenClaw skills emerged, disguising themselves as legitimate extensions. Distributed via GitHub and the official OpenClaw Registry, they quietly collected API keys, cloud secrets, SSH credentials, and wallet data in the background. The incident exposed a structural vulnerability inherent to agent-based ecosystems: blindly trusting installed skills opens the door wide for attackers.
“The rapid adoption of autonomous agents like OpenClaw carries enormous innovation potential, but it also creates new attack surfaces that have barely been addressed so far,” says Erhan Özmen, Area Vice President for Central and Eastern Europe at SentinelOne. His conclusion: “Agents need to be secure from the inside out before they take on external tasks.”
What ClawSec does
ClawSec wraps itself around the agent as an additional security layer, a so-called Skill-of-Skills. Existing OpenClaw skills are not replaced, but continuously monitored. This includes the provenance of installed skills, changes to prompt baselines, and outbound communication paths. Both the SKILL.md format and the .skill package format are supported. All bundled security skills are signed with checksums and sourced from verified origins.
ClawSec automatically detects unexpected configuration changes and reports them immediately. At startup, the suite also analyzes known prompt injection vectors and insecure default settings. Recurring check intervals can optionally be configured.
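As an added illustration of the baseline-and-drift checking described above (example code written for this page, not ClawSec's own implementation, which the article does not show), the following Python hashes every SKILL.md and .skill file under a skills directory, MACs the resulting manifest so the baseline itself is tamper-evident, and reports added, removed or modified skills on the next check. The directory layout, manifest structure and operator key are assumptions for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

SKILL_SUFFIXES = {".md", ".skill"}  # SKILL.md files and .skill packages, as named in the article


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(skills_dir: Path, key: bytes) -> dict:
    """Hash every skill file and MAC the manifest so the baseline itself is tamper-evident."""
    files = {p.relative_to(skills_dir).as_posix(): _digest(p)
             for p in sorted(skills_dir.rglob("*"))
             if p.is_file() and p.suffix in SKILL_SUFFIXES}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def check_drift(skills_dir: Path, baseline: dict, key: bytes) -> dict:
    """Verify the manifest MAC first, then report added, removed and modified skill files."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline manifest failed integrity check")
    current = build_baseline(skills_dir, key)["files"]
    old = baseline["files"]
    return {
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
        "modified": sorted(f for f in current.keys() & old.keys() if current[f] != old[f]),
    }


def demo() -> dict:
    """Constructed scenario: two skills are baselined, then one is edited and an unknown one appears."""
    key = b"operator-held-key"  # constructed; the real key belongs outside the agent's reach
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "summarize").mkdir()
        (root / "summarize" / "SKILL.md").write_text("# summarize\nSummarize the given text.\n")
        (root / "fetch.skill").write_bytes(b"fetch-package-v1")
        baseline = build_baseline(root, key)
        # Drift after install: prompt text silently changed, unexpected package dropped in.
        (root / "summarize" / "SKILL.md").write_text("# summarize\nInstructions altered after install.\n")
        (root / "rogue.skill").write_bytes(b"unknown-package")
        return check_drift(root, baseline, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment the baseline would be written at install time and re-checked on the recurring interval the article mentions, with any non-empty result treated as an alert to the operator.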
Community-based advisory feed
ClawSec is complemented by an alert mechanism that aggregates reports from the National Vulnerability Database as well as verified GitHub advisories. Confirmed threats are automatically distributed to all connected installations. Agents can then independently flag suspicious skills or block their execution. Updates run through GitHub workflows without any central server infrastructure.
Zero trust and full control for operators
ClawSec sends no telemetry data by default. When the suite detects an anomaly, the agent pauses and waits for explicit user approval before any information is transmitted externally. Data control remains entirely with the operator. Özmen frames this as a deliberate design decision: “Only this way can companies and developers responsibly unlock the full potential of these technologies.”
For security teams, ClawSec also provides structured reports covering deployed skills, configuration changes, and potential data exfiltration paths, creating a foundation for enforcing internal policies and meeting regulatory requirements.
Open source, available now
ClawSec is available now, free of charge, on GitHub. Developers can submit their own security skills, which are reviewed, signed, and added to a shared catalog. SentinelOne explicitly positions the project as a community initiative. With ClawSec, says Özmen, the goal is to “create, for the first time, a security baseline that doesn’t just react, but is built into agents from the very start.”