OpenClaw Collaborates with NVIDIA for Stronger Agent Skill Security

OpenClaw has partnered with NVIDIA to strengthen security for AI agent skill files, integrating NVIDIA's SkillSpector scanner and Skill Card trust artifacts into its ClawHub registry. The collaboration aims to address "agentic risk" — threats that traditional malware scanners miss, such as skills that misrepresent their behavior or cause unintended damage. Initial analysis of the combined scanning pipeline found that three independent scanners flagged only 0.69% of skills in common, revealing that most security risks are detected by only a single tool.

Agent skill files have a reputation for being insecure, and that reputation is earned. When we launched ClawHub alongside OpenClaw, we were immediately targeted by actors who tried to publish skills bundling known malware. We partnered with VirusTotal (https://openclaw.ai/blog/virustotal-partnership) to flag those skills and ban the publishers automatically.

Traditional malware scanning is a relatively solved problem. Identifying agentic risk is not. A skill can claim to summarize your logs while bundling a script that ships them off your machine. A well-meaning skill can point your agent at a CLI that wipes production on the wrong flag. Neither of those is malware in the classic sense, and neither is something a virus scanner was built to catch.

So before installing a skill, you really want to know three things:

- What it claims to do.
- Whether the bundled code actually matches that claim.
- What the blast radius looks like if something goes wrong.

Answering those questions at the ecosystem scale is core to ClawHub’s mission. To take full advantage of OpenClaw, our users need to trust that the skills and plugins they install have been thoroughly vetted. Today we’re sharing how we do that work, what we found when we measured it, and a public dataset so the rest of the community can build on it.

The ClawScan Pipeline

Our first attempt at building trust was a Codex agent prompted to look for OWASP agentic risks (https://owasp.org/www-project-agentic-skills-top-10/). It worked, and it caught real bad actors. But it was a closed-source effort, and the agentic-risk problem is too new and too fast-moving for any single registry to defend on its own. So we’re now collaborating with NVIDIA on its verified agent skills initiative (https://developer.nvidia.com/blog/nvidia-verified-agent-skills-provide-capability-governance-for-ai-agents/), doing the work in the open.

Every skill that flows through ClawHub passes a pre-catalog verification gate before it is ever published:

When a new skill version is published, an OpenAI Codex agent receives the output of three independent scanners as context: our static analysis, VirusTotal, and NVIDIA SkillSpector. The Evaluate step, ClawScan, weighs all three alongside provenance, metadata, and moderation history, then produces a Skill Card along with a final verdict: Clean, Suspicious, or Malicious.

NVIDIA Skill Cards and SkillSpector collaboration

Two pieces of that security process are new, and both come out of the NVIDIA collaboration.

NVIDIA Skill Cards are an open trust-artifact specification, and they now ship with every published skill. Each card tells you who published it, what it can do, what ClawScan found, and exactly where it came from. These are all verified by ClawHub, not taken from the publisher’s self-description. Read it in a tab on the skill detail page, or from the terminal with openclaw skills verify