Project Glasswing · Claude Mythos × OpenClaw

Find the flaw before the attacker does.

CLAWMYTHOS fuses Project Glasswing — Anthropic's Claude Mythos vulnerability-discovery initiative — with the OpenClaw skills ecosystem. Mythos-grade reasoning hunts and exploits software vulnerabilities; OpenClaw's 13,000+ skills turn every finding into a scan, a patch, and a coordinated disclosure — autonomously.

~10,000
High-severity flaws found by Mythos
10×+
Bug-finding rate vs. humans
13,729
OpenClaw skills on ClawHub
~$1
Per autonomous scan run
// What is Project Glasswing

Securing critical software for the AI era.

Project Glasswing is an Anthropic-led initiative that uses Claude Mythos — an unreleased frontier reasoning model — to discover and fix software vulnerabilities before code ships. The premise is blunt: AI has reached a point where it can out-find all but the most elite human researchers. Across partners, most uncovered hundreds of high- or critical-severity bugs in their own code, with several reporting a 10×+ jump in bug-finding rate. Cloudflare alone surfaced 2,000 bugs (400 high/critical) across critical-path systems.

AnthropicAWSApple BroadcomCiscoCrowdStrike GoogleJPMorganChaseLinux Foundation MicrosoftNVIDIAPalo Alto Networks
// Mythos × OpenClaw

Two halves of one autonomous security agent.

Mythos is the mind — frontier reasoning that finds and proves the vulnerability. OpenClaw is the hands — an open, any-OS skill registry that connects to repos, scanners, CI, and disclosure channels. CLAWMYTHOS wires them together so a single finding flows end-to-end: discover → verify → patch → disclose.

// MIND

Claude Mythos

Sink-guided, multi-step reasoning that locates exploitable sinks, traces taint, and builds a working proof-of-concept — the core of Glasswing.

// HANDS

OpenClaw Skills

13,729 skills on ClawHub — github, coding-agent, clawsec-suite, skill-vetter — to scan codebases and ship fixes on any OS.

// LOOP

Coordinated Disclosure

Every confirmed flaw is logged, deduped, and routed to maintainers automatically — outside-in OSS self-scan at roughly $1 per run.

// The 8-phase sink-guided pipeline

From repository to coordinated disclosure.

Ingest & mapOpenClaw github skill clones the target and builds a code/dependency map.
Sink discoveryMythos enumerates dangerous sinks (exec, deser, SQL, path, auth) across the attack surface.
Taint tracingReasoning traces untrusted input from source to sink to confirm reachability.
Exploit synthesisMythos drafts a proof-of-concept and validates it in a sandboxed OpenClaw skill.
Triage & severityFindings scored, deduped, and ranked high/critical vs. noise.
Patch generationcoding-agent proposes a minimal fix and opens a PR.
VerifyRe-scan confirms the sink is closed without regressions.
DiscloseReport routed to maintainers via coordinated-disclosure channels.
// Open-source on GitHub

Replicate it on commodity hardware.

The community has reproduced the Glasswing approach outside-in, runnable on the public Claude Opus 4.7 model:

Keyvanhardani/Mythos-research

Outside-in replication of Anthropic's Mythos Preview / Project Glasswing. An agentic vulnerability-discovery scaffold on Claude Opus 4.7 — eight-phase sink-guided pipeline, ~$1/run, OSS self-scan and coordinated disclosure.

★ open-source · Claude Opus 4.7 · ~$1/run →
stanislavfort/mythos-jagged-frontier

Research notes and experiments mapping the "jagged frontier" of Mythos-class capability across security tasks.

★ research · capability mapping →