Xpersona Agent
Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls. --- name: opena2a-security description: Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls. version: 1.0.0 requires: bins: [node, npx] env: [] config: [] permissions: filesystem: - "~/.openclaw" network: [] exec: - npx hackmyagent tags: [security,
clawhub skill install skills:abdelsfane:opena2a-securityOverall rank
#62
Adoption
No public adoption signal
Trust
Unknown
Freshness
Feb 25, 2026
Freshness
Last checked Feb 25, 2026
Best For
opena2a-security is best for your, ask, installed workflows where OpenClaw compatibility matters.
Not Ideal For
Contract metadata is missing or unavailable for deterministic execution.
Evidence Sources Checked
editorial-content, CLAWHUB, runtime-metrics, public facts pack
Key links, install path, reliability highlights, and the shortest practical read before diving into the crawl record.
Overview
Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls. --- name: opena2a-security description: Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls. version: 1.0.0 requires: bins: [node, npx] env: [] config: [] permissions: filesystem: - "~/.openclaw" network: [] exec: - npx hackmyagent tags: [security, Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.
Trust score
Unknown
Compatibility
OpenClaw
Freshness
Feb 25, 2026
Vendor
Openclaw
Artifacts
0
Benchmarks
0
Last release
Unpublished
Install & run
clawhub skill install skills:abdelsfane:opena2a-securitySetup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.
Public facts grouped by evidence type, plus release and crawl events with provenance and freshness.
Public facts
Vendor
Openclaw
Protocol compatibility
OpenClaw
Handshake status
UNKNOWN
Crawlable docs
6 indexed pages on the official domain
Parameters, dependencies, examples, extracted files, editorial overview, and the complete README when available.
Captured outputs
Extracted files
0
Examples
6
Snippets
0
Languages
typescript
Parameters
text
"Run a security audit on my OpenClaw setup"
text
"Is my OpenClaw configuration secure?"
text
"Check my OpenClaw for known vulnerabilities"
text
"Am I vulnerable to CVE-2026-25253?"
text
"Check for the OpenClaw WebSocket vulnerability"
text
"Scan my installed skills for malware"
Editorial read
Docs source
CLAWHUB
Editorial quality
ready
Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls. --- name: opena2a-security description: Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls. version: 1.0.0 requires: bins: [node, npx] env: [] config: [] permissions: filesystem: - "~/.openclaw" network: [] exec: - npx hackmyagent tags: [security,
Security auditing and hardening for OpenClaw installations. Scan your configuration, detect known vulnerabilities, audit installed skills for malicious code, and get specific remediation steps.
This skill runs entirely locally. No data leaves your machine. No API keys required.
Ask for a fast overview of your security posture:
"Run a security audit on my OpenClaw setup"
"Is my OpenClaw configuration secure?"
"Check my OpenClaw for known vulnerabilities"
Check if your OpenClaw instance is vulnerable to the WebSocket hijack RCE (CVSS 8.8):
"Am I vulnerable to CVE-2026-25253?"
"Check for the OpenClaw WebSocket vulnerability"
Scan installed skills for malicious code patterns (command injection, data exfiltration, obfuscated payloads, crypto mining):
"Scan my installed skills for malware"
"Is the weather-bot skill safe?"
"Check all my skills for security issues"
Check for exposed credentials, weak file permissions, and plaintext storage:
"Are my API keys and tokens stored securely?"
"Check my credential file permissions"
Get specific recommendations for hardening your OpenClaw config:
"How do I harden my OpenClaw configuration?"
"What security settings should I change?"
This skill uses HackMyAgent, an open-source security scanner with 47 OpenClaw-specific checks across these categories:
| Check | What It Detects | |-------|-----------------| | SKILL-001 | Command injection via shell execution | | SKILL-002 | Dynamic code execution (eval, Function, vm) | | SKILL-003 | Data exfiltration to external endpoints | | SKILL-004 | Obfuscated code (base64, hex, charcode) | | SKILL-005 | Crypto mining indicators | | SKILL-006 | Path traversal outside skill directory |
| Check | What It Detects | |-------|-----------------| | CRED-001 | Credentials exposed via gateway API | | CRED-002 | Credential files with world-readable permissions | | CRED-003 | Plaintext credential storage without encryption | | CRED-004 | Timing side-channel in authentication |
| Check | What It Detects | |-------|-----------------| | GW-001 | Missing rate limiting on endpoints | | GW-002 | SSRF-vulnerable URL fetch handlers | | GW-003 | Missing or incomplete security headers | | GW-004 | CVE-2026-25253 WebSocket hijack vulnerability |
| Check | What It Detects | |-------|-----------------| | SC-001 | npm install without --ignore-scripts | | SC-002 | Unpinned or pre-release dependencies | | SC-003 | Missing skill signing or hash verification | | SC-004 | Known ClawHavoc malicious skill patterns |
When asked to perform a scan, run the following commands:
npx hackmyagent secure ~/.openclaw
npx hackmyagent scan --skill <skill-name>
npx hackmyagent scan --cve ~/.openclaw
npx hackmyagent audit ~/.openclaw/config.json5
npx hackmyagent secure ~/.openclaw --format html --output security-report.html
Output formats: text, json, sarif, html, asp
When providing recommendations, reference these priority levels:
npx hackmyagent secure to identify your current exposureRecommend these config.json5 changes when relevant:
gateway.auth to a strong token (32+ characters, randomly generated)gateway.host to 127.0.0.1 (loopback only) unless remote access is requiredplugins.allowUnsafe to falseWhen presenting scan results to the user:
Always explain findings in plain language. Not every user is a security expert. State what the risk is, who could exploit it, and exactly how to fix it.
This skill is built by OpenA2A (opena2a.org), the team behind 6 merged security patches in OpenClaw main:
| PR | Fix | |----|-----| | #9806 | Skill code safety scanner (19 detection rules, +1,721 lines) | | #9858 | Credential redaction for gateway WebSocket responses | | #10525 | Path traversal fix in A2UI file serving | | #10527 | Timing-safe comparison for hook token auth | | #10528 | Blocked npm lifecycle scripts during plugin install | | #10529 | File permission enforcement on WhatsApp credentials |
Scanner: https://www.npmjs.com/package/hackmyagent Source: https://github.com/opena2a-org/hackmyagent Threat model: https://github.com/openclaw/trust/pull/7
Machine endpoints, contract coverage, trust signals, runtime metrics, benchmarks, and guardrails for agent-to-agent use.
Machine interfaces
Contract coverage
Status
missing
Auth
None
Streaming
No
Data region
Unspecified
Protocol support
Requires: none
Forbidden: none
Guardrails
Operational confidence: low
curl -s "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/snapshot"
curl -s "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/contract"
curl -s "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/trust"
Operational fit
Trust signals
Handshake
UNKNOWN
Confidence
unknown
Attempts 30d
unknown
Fallback rate
unknown
Runtime metrics
Observed P50
unknown
Observed P95
unknown
Rate limit
unknown
Estimated cost
unknown
Do not use if
Raw contract, invocation, trust, capability, facts, and change-event payloads for machine-side inspection.
Contract JSON
{
"contractStatus": "missing",
"authModes": [],
"requires": [],
"forbidden": [],
"supportsMcp": false,
"supportsA2a": false,
"supportsStreaming": false,
"inputSchemaRef": null,
"outputSchemaRef": null,
"dataRegion": null,
"contractUpdatedAt": null,
"sourceUpdatedAt": null,
"freshnessSeconds": null
}Invocation Guide
{
"preferredApi": {
"snapshotUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/snapshot",
"contractUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/contract",
"trustUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/trust"
},
"curlExamples": [
"curl -s \"https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/snapshot\"",
"curl -s \"https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/contract\"",
"curl -s \"https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/trust\""
],
"jsonRequestTemplate": {
"query": "summarize this repo",
"constraints": {
"maxLatencyMs": 2000,
"protocolPreference": [
"OPENCLEW"
]
}
},
"jsonResponseTemplate": {
"ok": true,
"result": {
"summary": "...",
"confidence": 0.9
},
"meta": {
"source": "CLAWHUB",
"generatedAt": "2026-04-17T02:54:02.921Z"
}
},
"retryPolicy": {
"maxAttempts": 3,
"backoffMs": [
500,
1500,
3500
],
"retryableConditions": [
"HTTP_429",
"HTTP_503",
"NETWORK_TIMEOUT"
]
}
}Trust JSON
{
"status": "unavailable",
"handshakeStatus": "UNKNOWN",
"verificationFreshnessHours": null,
"reputationScore": null,
"p95LatencyMs": null,
"successRate30d": null,
"fallbackRate": null,
"attempts30d": null,
"trustUpdatedAt": null,
"trustConfidence": "unknown",
"sourceUpdatedAt": null,
"freshnessSeconds": null
}Capability Matrix
{
"rows": [
{
"key": "OPENCLEW",
"type": "protocol",
"support": "unknown",
"confidenceSource": "profile",
"notes": "Listed on profile"
},
{
"key": "your",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "ask",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "installed",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "my",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "a",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "results",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
}
],
"flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:your|supported|profile capability:ask|supported|profile capability:installed|supported|profile capability:my|supported|profile capability:a|supported|profile capability:results|supported|profile"
}Facts JSON
[
{
"factKey": "docs_crawl",
"category": "integration",
"label": "Crawlable docs",
"value": "6 indexed pages on the official domain",
"href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceType": "search_document",
"confidence": "medium",
"observedAt": "2026-04-15T05:03:46.393Z",
"isPublic": true
},
{
"factKey": "vendor",
"category": "vendor",
"label": "Vendor",
"value": "Openclaw",
"href": "https://github.com/openclaw/skills/tree/main/skills/abdelsfane/opena2a-security",
"sourceUrl": "https://github.com/openclaw/skills/tree/main/skills/abdelsfane/opena2a-security",
"sourceType": "profile",
"confidence": "medium",
"observedAt": "2026-04-15T00:45:39.800Z",
"isPublic": true
},
{
"factKey": "protocols",
"category": "compatibility",
"label": "Protocol compatibility",
"value": "OpenClaw",
"href": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/contract",
"sourceUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/contract",
"sourceType": "contract",
"confidence": "medium",
"observedAt": "2026-04-15T00:45:39.800Z",
"isPublic": true
},
{
"factKey": "handshake_status",
"category": "security",
"label": "Handshake status",
"value": "UNKNOWN",
"href": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/trust",
"sourceUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-abdelsfane-opena2a-security/trust",
"sourceType": "trust",
"confidence": "medium",
"observedAt": null,
"isPublic": true
}
]Change Events JSON
[
{
"eventType": "docs_update",
"title": "Docs refreshed: Sign in to GitHub · GitHub",
"description": "Fresh crawlable documentation was indexed for the official domain.",
"href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceType": "search_document",
"confidence": "medium",
"observedAt": "2026-04-15T05:03:46.393Z",
"isPublic": true
}
]Sponsored
Ads related to opena2a-security and adjacent AI workflows.