Add opena2a-security skill: security auditing and hardening #85

Closed
abdelsfane wants to merge 1 commit into openclaw:main from opena2a-org:skill/opena2a-security

@abdelsfane

Summary

Adds the opena2a-security skill — a local security auditing tool for OpenClaw installations. Runs HackMyAgent to scan configurations, detect known vulnerabilities, audit installed skills for malicious code, and check credential exposure.

What It Does

  • CVE-2026-25253 detection — checks if the WebSocket hijack RCE vulnerability is present
  • Skill scanning — 6 checks for command injection, data exfiltration, obfuscated code, crypto mining, path traversal, dynamic eval
  • Credential auditing — 4 checks for exposed credentials, weak file permissions, plaintext storage, timing side-channels
  • Gateway security — 4 checks for missing rate limiting, SSRF, security headers
  • Supply chain — 4 checks for npm lifecycle scripts, unpinned dependencies, missing skill signing, ClawHavoc patterns
  • Configuration hardening — actionable recommendations for config.json5 settings

47 checks total across 4 categories. Runs entirely locally via npx hackmyagent. No external API calls, no data leaves the machine.

Context

This skill is built by the OpenA2A team, which has contributed 6 merged security patches to OpenClaw main:

| PR | Fix |
|---|---|
| #9806 | Skill code safety scanner (19 detection rules) |
| #9858 | Credential redaction for gateway responses |
| #10525 | Path traversal fix in A2UI file serving |
| #10527 | Timing-safe hook token auth |
| #10528 | Blocked npm lifecycle scripts in plugin install |
| #10529 | File permissions on WhatsApp credentials |

We also submitted a comprehensive threat model to openclaw/trust#7.

Scanner: https://www.npmjs.com/package/hackmyagent

Security hardening skill that runs HackMyAgent locally to scan
OpenClaw configurations, detect CVE-2026-25253, audit installed
skills for malicious code, and check credential exposure.

47 checks across 4 categories (skill security, credential security,
gateway security, supply chain). No external API calls. Outputs in
text, JSON, SARIF, HTML, or ASP formats.

@openclaw-barnacle

Thanks for the pull request! This repository is read-only and is automatically synced from https://clawhub.ai, so we can’t accept changes here. Please make updates on the website instead.
