CertiK says OpenClaw needs runtime defenses beyond code reviews

Blockchain security firm CertiK reported that OpenClaw’s Clawhub review system can miss threats, citing a recent proof-of-concept in which a compromised third-party Skill bypassed checks and executed arbitrary commands on a host machine.

The study examined Clawhub’s review pipeline, which uses static code analysis, VirusTotal scans, and AI-based moderation. The team found that minor code changes can conceal risky behavior during review, allowing a Skill to look harmless at install while still capable of harmful actions once deployed.

CertiK attributes the gap to security models that emphasize pre-deployment screening over protections that apply during execution. The proof-of-concept showed that small logic tweaks or code restructuring can mislead review tools while preserving dangerous functionality, creating a false sense of safety for marketplace approvals.

According to the researchers, OpenClaw’s current safeguards do not address complex threats that emerge at runtime. Without sandboxing, strict permission controls, and runtime isolation, third-party code can gain broad access to host resources, where detection-focused pipelines may miss high-impact risks that appear only when a Skill is running.

The firm recommends shifting from a goal of “perfect detection” before deployment to designs that assume some malicious code will clear initial checks and limit the impact. Suggested measures include making sandboxing the default for third-party Skills and enforcing granular, per-Skill permissions that apply during execution.

Under this model, each Skill would request only the files, network access, or system capabilities it needs, and the platform would enforce those permissions at runtime.

The researchers caution against giving third-party components implicit trust derived from the host system, noting that trust inheritance raises the chance of exploitation if a Skill is compromised.

For users, the report states that a “benign” label in a marketplace indicates that a Skill passed the current review pipeline, not that it is inherently safe. Until stronger runtime protections are standard, platforms like OpenClaw are better used for lower-risk tasks that avoid sensitive data, credentials, or high-value assets.

CertiK’s findings point to a broader issue across AI agent marketplaces that execute external code with elevated privileges. Pre-deployment checks can catch obvious issues, but the firm advises against treating them as the primary defense for platforms that integrate third-party Skills at scale. The study identifies runtime containment through isolation and strict permission enforcement as the core protective layer.