clawsmith.com/idea/scan-openclaw-instance-for-active-cves-and-supply-chain-risks
Idea · Competitive · CLI · Open-source · Security · Live

A CLI tool that scans a running OpenClaw instance for active CVEs, malicious skills, and supply chain tampering before they get exploited

OpenClaw has accumulated 433+ CVEs in five months including critical auth bypasses (CVSS 9.8), sandbox escapes, and nation-state supply chain attacks targeting the npm ecosystem. Most operators have no idea which CVEs affect their specific version, whether their installed skills contain backdoors, or if their dependency tree has been tampered with. This tool runs a comprehensive security audit against a live OpenClaw instance and outputs an actionable remediation plan.

Demand Breakdown

Issues: 205
HN: 142
GitHub: 98

Gap Assessment

Competitive: multiple tools exist, but differentiation opportunities remain

3 tools exist (jgamblin/OpenClawCVEs, Bitdefender AI Skills Checker, Snyk OpenClaw Research), but gaps remain: static list only, no scanning of live instances, no skill auditing, no dependency checking; only covers skill malware, not CVE exposure, dependency chains, or network configuration.

Features (5 agent-ready prompts)

Version-to-CVE mapper that checks the running OpenClaw version against the full CVE database and outputs which vulnerabilities are unpatched
Installed skill scanner that checksums every ClawHub skill against known-malicious hashes and flags unsigned or modified skill files
Dependency tree auditor that walks node_modules for known-compromised packages like the Axios/plain-crypto-js supply chain attack
Network exposure checker that tests whether the OpenClaw gateway is accessible from outside localhost and flags open WebSocket endpoints
Feishu and webhook channel validator that tests all configured channel integrations for auth bypass vulnerabilities like CVE-2026-44109

Competitive Landscape (FREE)

Product: jgamblin/OpenClawCVEs
Does: Tracks and lists OpenClaw CVEs in a GitHub repo
Missing: Static list only, no scanning of live instances, no skill auditing, no dependency checking

Product: Bitdefender AI Skills Checker
Does: Scans ClawHub skills for malware signatures
Missing: Only covers skill malware, not CVE exposure, dependency chains, or network configuration

Product: Snyk OpenClaw Research
Does: Published research on 283 leaky skills with credential exposure
Missing: Research report, not a scanning tool; no continuous monitoring, no remediation automation


Aggregate Score: 807
0 leads found

Details
Type: Product Idea
Competitors: 3
Features: 5
Issues: 3
Leads: 0
Tags: CLI, OPEN-SOURCE, SECURITY, DEVTOOL, AUDIT