🚀 v1.5 is live — 8 panels, credential flow mapping, accept risk, and more. Read the changelog →
ACTIVE THREAT: 1,184+ malicious skills on ClawHub · 135,000+ exposed instances · Built-in audit misses 40% of risks

Your OpenClaw deployment has a security grade.
Do you know yours?

Two commands. Always-on monitoring. Zero dependencies. Nothing leaves your machine.

npm i -g openclaw-security-dashboard && openclaw-security-dashboard install

Or quick scan: npx openclaw-security-dashboard@latest

See Packages → How it works ↓
1,184+ Malicious skills on ClawHub Koi Security + Bitdefender, Feb 2026
135,000+ Internet-exposed OpenClaw instances Censys scan, Feb 2026
40% Of risks missed by built-in audit BulwarkAI analysis vs openclaw security audit --deep
15+ Free scanners — none personalized ClawHub, GitHub, npm ecosystem
As seen on
And 300+ sites
The Gap

The built-in audit is a smoke detector.
You need a fire inspection.

☠️
openclaw security audit has blind spots

The built-in audit checks gateway config, permissions, and known CVEs. It does NOT scan across multiple skill directories, hash identity files for tampering, audit MCP server configurations, check for persistence mechanisms, or detect zero-width character injection in SOUL.md files. We tested it. It misses 40% of what matters.

TESTED: Feb 2026 against 8-category threat model
🔓
Free scanners give generic output

ClawSec (SentinelOne), SecureClaw (Adversa AI), Bitdefender, Cisco, Snyk — all free, all good at what they do. But none of them know which of YOUR agents has overly broad exec permissions, whether YOUR MCP servers are version-pinned, or if YOUR SOUL.md has the injection vulnerabilities documented by Zenity Labs.

15+ free tools tested — none personalize to your deployment
💸
The real cost isn't the scan — it's the interpretation

A free tool says "HIGH: 15 findings." Now what? Which 3 of those 15 actually matter for a solo Mac Mini vs. a multi-agent VPS deployment? What's the fix priority? What can you safely ignore? That interpretation is what you're paying for — and no free tool provides it.

SOURCE: Palo Alto, CrowdStrike, JFrog warnings — Feb 2026
Pricing

How much do you want
done for you?

DIY
Security Blueprint
Everything you need to harden your deployment yourself
$97
one-time · instant download · included in all higher tiers
  • Run npx openclaw-security-dashboard before & after — watch your grade climb from F to A+
  • 50-page Security Blueprint — threat landscape, 40-point audit, deployment guides, incident response playbook
  • 4 deployment-specific hardened configs (Solo, Multi-Agent, VPS, Agency)
  • 3 bash scripts — catches what the built-in audit misses
  • Security-hardened SOUL.md templates with anti-injection patterns
  • IOC database — 1,184+ malicious skills, 12 publishers, C2 indicators
  • Printable checklists — weekly security, new skill review, new MCP server review
Get Security Blueprint
Want expert eyes on your specific deployment? See Hardening Report →
We Review Your Setup
Hardening Report
Personalized review of your deployment with a prioritized fix list
$297
one-time · 24hr delivery · includes Blueprint
  • Personalized review of YOUR deployment — your agents, skills, configs, and integrations
  • Credential flow analysis — traces each API key from storage through every exposure point
  • Memory & storage hygiene audit — core dumps, swap, debug logs, session transcripts
  • Sandbox effectiveness assessment — Docker config, escape risks, compensating controls
  • Prioritized fix list — ranked by risk × effort, with exact commands for your setup
  • Delivered within 24 hours of intake submission
  • Security Blueprint included ($97 value)
Get Hardening Report
Done-For-You
DFY Hardening
We access your deployment, fix everything, test it, hand it back
$2,497 $1,997
one-time · 72hr delivery · 3×$697 available · 30-day check-in
  • Everything in Blueprint + Hardening Report, plus:
  • Temporary access via SSH, Tailscale, or screen share
  • Full review + every fix applied directly to your deployment
  • All configs hardened, permissions set, monitoring installed
  • Weekly identity-baseline cron job configured
  • Everything tested — your deployment works exactly as before, minus the vulnerabilities
  • Complete report + git diff of every change
  • 30-minute video walkthrough of every finding
  • 30-day post-hardening check-in
  • "Secured by BulwarkAI" badge for proposals and deliverables
  • Verifiable A+ grade — run npx openclaw-security-dashboard after delivery to confirm
Get DFY Hardening
Process

No calls. No fluff.
Just results in your inbox.

01
See where you stand

Run npx openclaw-security-dashboard to get your security grade in 30 seconds — free, local, no account needed. Then pick the tier that matches what you found.

02
Submit your details

For Hardening Report and DFY: fill a short intake form about your deployment — agents, skills, platform, integrations. Takes 10–15 minutes.

03
Expert review begins

A Security Architect with 20+ years of platform security experience reviews your setup against current threat intelligence, 1,184+ known malicious skill IOCs, and the latest prompt injection research.

04
Delivered to your inbox

Blueprint: instant. Hardening Report: 24 hours. DFY: 72 hours. Written report, custom config files, video walkthrough where included.

Who Built This

Security at the
hardware level.

BulwarkAI was built by Peter, a Platform Security Architect with 20+ years in the industry — including deep experience building security into silicon and platform firmware. The kind of experience that comes from building security into chips, not patching it onto applications.

When CrowdStrike, Palo Alto Networks, JFrog, Cisco, and Kaspersky are all issuing warnings about OpenClaw security, you want someone who's spent two decades thinking about exactly these attack surfaces — not someone who learned about AI agents last month.

🔩
Silicon & Platform Security — Hardware-level security architecture, Root of Trust, secure boot, hardware attestation
🌐
Open-Source Security Standards — Contributor to industry hardware Root of Trust standards adopted in data center silicon
🤖
AI-native practitioner — Running 9 OpenClaw agents in production across 3 locations, testing every recommendation on real deployments
bulwark-audit — beyond-builtin scan
# Running BulwarkAI security scanner...
$ npx openclaw-security-dashboard

Scanning 3 skill directories...
✓ ~/.openclaw/skills — 14 skills scanned
✓ ~/custom-skills — 3 skills scanned
⚠ /opt/openclaw/shared — UNSCANNED by built-in audit

Hashing identity files...
✓ SOUL.md — SHA-256: a8f3c2...
✗ AGENTS.md — MODIFIED since last baseline
✗ memory/core.md — zero-width characters detected

Auditing MCP servers...
⚠ github-mcp — not version-pinned
⚠ slack-mcp — broad scope, no allowlist

Checking persistence...
✗ com.openclaw.heartbeat — LaunchAgent active, no approval gate

4 findings the built-in audit missed.
→ Get your personalized report: bulwarkai.io
FAQ

Common questions.

Use them! Seriously. Run openclaw security audit, install SecureClaw, try Cisco's Skill Scanner. They're good tools and they're free. Here's what they don't do: they don't know YOUR deployment. They check for generic misconfigurations — pass/fail on 56 items. But they can't tell you which of your 9 agents has the permissions that actually matter, whether your MCP servers are appropriate for your use case, or which of the 56 findings to fix first. The Blueprint ($97) gives you hardened configs tuned for your deployment type, audit scripts that go beyond what any free tool checks, and a 1,184-skill IOC database. The Hardening Report ($297) is a human expert reviewing your specific setup. The free tools are your automated baseline. BulwarkAI is the personalized layer on top. Read the full comparison →
That's a great start and you absolutely should run it. But it only covers about 60% of the threat surface. It doesn't scan across multiple skill directories, hash identity files for drift detection, audit MCP server configurations, check for persistence mechanisms, or detect prompt injection patterns in SOUL.md. The Blueprint includes scripts that cover those gaps. The Hardening Report goes further with personalized analysis of your specific deployment. You can see this for yourself: run npx openclaw-security-dashboard and compare its findings to what the built-in audit catches. The gap is usually 30-40% of your threat surface.
We agree — that's why we built one. Run npx openclaw-security-dashboard for a free, local security grade across 6 panels with 102+ malicious skill IOCs. It's MIT licensed and nothing leaves your machine. The difference with paid products: the scanner tells you WHAT's wrong. The Blueprint ($97) tells you HOW to fix it with hardened configs and scripts. The Hardening Report ($297) tells you WHY it matters for YOUR specific deployment, in what order to fix it, and gives you specific remediation steps. The DFY ($1,997) means we fix everything ourselves. Free scanner → self-service fix → expert review → concierge hardening. Pick the level that matches your situation.
The Blueprint ($97) is a self-serve toolkit — hardened configs, audit scripts, IOC database, and guides for your deployment type. The Hardening Report ($297) adds personalized expert review: credential flow analysis tracing each API key through every exposure point, memory and storage hygiene audit, sandbox effectiveness assessment, and a prioritized fix list with exact commands — delivered within 24 hours. DFY Hardening ($1,997) goes further: we get temporary access to your deployment, apply every fix, test everything still works, set up monitoring, and hand it back fully hardened with documentation of every change. Each tier includes everything below it.
No. BulwarkAI is an independent security service. We are not affiliated with OpenClaw, its creator, or OpenAI. We're practitioners who use OpenClaw in production and built this because the security gap is real and no one with serious security credentials was addressing it.
The security fundamentals — prompt injection defense, skill vetting, permission scoping, identity file integrity — are durable regardless of how OpenClaw evolves. Tactical guides and scripts will be updated. Anyone who purchases gets access to updated versions.
OpenClaw Experts is a marketplace — they match you with freelancers of varying experience. VibeAudits does general "vibe code" security reviews. BulwarkAI is purpose-built for OpenClaw deployment security by a 20-year security architect who runs 9 agents in production. We bring the deepest OpenClaw-specific threat intelligence (1,184+ malicious skill IOC database, 12 banned publisher accounts, C2 indicators) combined with 20 years of platform security architecture experience.
Get Started

Your agent is running.
Is it safe?

Most businesses start with the Hardening Report — expert eyes on your specific deployment, personalized findings with specific remediation steps, delivered in 24 hours.

Get Hardening Report — $297 → Or start with the Blueprint — $97 →

Stay Protected