We could add hundreds of integrations. Instead, we add only the ones we can fully audit and pin. Fewer integrations, zero supply chain surprises.
In February 2026, a coordinated supply chain campaign called ClawHavoc planted 335 confirmed malicious skills across the ClawHub registry, accumulating 12,559+ downloads before detection. Affected skills used three attack techniques: prompt injection in SKILL.md files, reverse shell scripts, and CVE-2026-25253 token exfiltration — silently stealing API keys stored in agent memory. Independent analysis by Snyk found that 13.4% of all ClawHub skills had critical security flaws.
Our response was to audit every skill we shipped, pin all of them to known-good versions, and build a verification process so every future addition goes through the same scrutiny before reaching a customer instance.
Every integration goes through three gates before it ships to any customer instance. There are no exceptions.
We only add integrations that ship an official OpenClaw CLI or a verified entry in the ClawHub registry. Community forks and unofficial wrappers are excluded regardless of quality.
Every package, skill, and GitHub archive is locked to an exact version or full 40-character commit SHA. Nothing is ever installed with @latest or from a floating branch.
When we update a pinned version, we re-audit the changelog and diff for supply chain risk before shipping the new pin to customer instances.
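A pin rule like the one above can be enforced mechanically before anything ships. The following is an added example, not this vendor's own tooling: a POSIX shell linter that accepts only exact semver versions or full 40-character commit SHAs. The three-column manifest format and every entry in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example. Manifest format (an assumption): <kind> <name> <ref>
# where kind is npm, git or clawhub.

# Succeeds only for an exact version such as 1.9.3 or 1.9.3-rc.1
# (no ranges, dist-tags or wildcards).
is_exact_semver() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# Succeeds only for a full 40-character lowercase hex commit SHA.
is_full_sha() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Reads a manifest on stdin, prints one line per violation,
# and returns non-zero if any entry is not strictly pinned.
lint_pins() {
  lp_bad=0
  while read -r lp_kind lp_name lp_ref; do
    case "$lp_kind" in
      ''|'#'*) continue ;;
      npm|clawhub) is_exact_semver "$lp_ref" && continue ;;
      git)         is_full_sha "$lp_ref" && continue ;;
    esac
    echo "FLOATING $lp_kind $lp_name: '$lp_ref'"
    lp_bad=$((lp_bad + 1))
  done
  [ "$lp_bad" -eq 0 ]
}

# Constructed sample manifest: three good pins, four floating references.
sample_manifest() {
  cat <<'EOF'
# kind   name            ref
npm      example-cli     1.9.3
npm      example-tool    latest
git      example/skills  0123456789abcdef0123456789abcdef01234567
git      example/other   main
git      example/short   abc1234
clawhub  example-skill   1.0.0
clawhub  example-loose   ^1.0.0
EOF
}
# Usage: sample_manifest | lint_pins || echo "refusing to ship"
```

A short SHA is rejected along with branch names because an abbreviated hash is only a prefix and does not uniquely fix the tree state.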
Different integrations ship in different ways. We use the strongest available anchor for each one.
firecrawl-cli@"1.9.3"
npm CLI integrations (like Firecrawl) are pinned to an exact semver version. Installs are idempotent: a versioned marker file prevents reinstall on every boot, but forces a fresh install on version bump.
brave/brave-search-skills @ 2827ed3c
Repos that don't publish versioned releases (like Brave Search skills) are pinned to a full 40-character commit SHA. The hash is cryptographically tied to an exact tree state — not a moving target.
clawhub install linear --version "1.0.0"
Skills from the ClawHub registry are installed with an explicit --version flag via a pinned clawhub CLI version. Double-pinned: the registry client and the skill itself.
Idempotent installs: Every install is guarded by a versioned marker file on the machine's persistent volume. The install only runs once per version. When we bump a pin, the marker changes, and the new version installs automatically on next boot — no manual intervention needed on any instance.
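The marker-file guard described above can be sketched as follows. This is an added example, not the vendor's startup script: the function name `install_once`, the marker naming scheme, and the default `MARKER_DIR` path are assumptions. The marker is written only after the installer succeeds, so a failed install is retried on the next boot instead of being recorded as done.

```sh
#!/bin/sh
# Added example. MARKER_DIR stands in for the persistent volume;
# the default path is an assumption.
MARKER_DIR="${MARKER_DIR:-${TMPDIR:-/tmp}/pin-markers}"

# install_once NAME VERSION CMD [ARGS...]
# Runs CMD at most once per NAME@VERSION. Prints "installed" or "skipped".
install_once() {
  io_name=$1; io_version=$2; shift 2
  # The name becomes part of a file name, so keep it a flat key.
  case "$io_name" in
    ''|*/*) echo "invalid marker name: '$io_name'" >&2; return 2 ;;
  esac
  io_marker="$MARKER_DIR/$io_name@$io_version.installed"

  # Same version already installed on this volume: nothing to do.
  if [ -f "$io_marker" ]; then
    echo "skipped"
    return 0
  fi

  mkdir -p "$MARKER_DIR" || return 1

  # No marker yet, or the pin was bumped: run the installer.
  # On failure no marker is written, so the next boot tries again.
  if ! "$@"; then
    echo "install of $io_name@$io_version failed" >&2
    return 1
  fi

  # Drop markers left by older pins, then record the current one.
  rm -f "$MARKER_DIR/$io_name@"*.installed
  : > "$io_marker"
  echo "installed"
}
# Usage (hypothetical installer command):
#   install_once example-cli 1.9.3 npm install -g example-cli@1.9.3
```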
These are the integrations that have passed our verification process. Each one is pinned, audited, and monitored for upstream changes.
| Integration | Pin method | Pinned to | Docs |
|---|---|---|---|
| Firecrawl: Web scraping, search, and remote browser automation | npm semver | firecrawl-cli 1.9.3 | View docs |
| Brave Search: 10 privacy-focused search skills, no IP tracking | commit SHA | brave-search-skills @ 2827ed3c | View docs |
| GitHub: Manage repos, issues, and PRs from your agent | ClawHub versioned | github 1.0.0 | View docs |
| AgentMail: Dedicated email inbox for your AI agent | ClawHub versioned | agentmail 1.1.1 + pip hashes | View docs |
| Linear: Project and issue management | ClawHub versioned | linear 1.0.0 | View docs |
| Decodo Scraper: Structured data extraction from any website | ClawHub versioned | decodo-scraper 1.1.0 + pip hashes | View docs |
The integrations we haven't added are often a deliberate choice, not an oversight. Here's what fails our verification gate.
A skill published by an unknown author claiming to wrap an official API. No way to audit what runs on your machine.
Unless we can pin to a full commit SHA, floating branches are a supply chain attack waiting to happen.
CLIs that open a browser or require manual input during install can't run in a non-interactive startup script safely.
Skills that request broad filesystem or network access beyond what the integration actually needs.
Every integration that runs on your instance has been manually audited, version-pinned, and verified by our team. You don't have to think about supply chain risk — we already did.
Get Your Secure Instance
Independent security research on AI agent skill supply chain risks.
Full technical breakdown of the coordinated campaign: prompt injection in SKILL.md, reverse shell payloads, and CVE-2026-25253 token exfiltration targeting 300,000+ OpenClaw users.
Analysis of 4,310 OpenClaw skills — 44 confirmed tied to ClawHavoc, OAuth over-provisioning in 70.1% of skills, command injection patterns in 43.4%.
13.4% of ClawHub skills had critical security flaws, 36.82% had at least one vulnerability, and 76 confirmed malicious payloads combining prompt injection and malicious code.
One-click RCE via WebSocket hijacking in the OpenClaw Control UI, enabling API key theft. 71 malicious ClawHub skills actively exploited the flaw at time of disclosure.
MCP server compromise grants access to all connected service tokens simultaneously. Analysis of token theft, prompt injection via indirect vectors, and excessive permission scope risks.