OpenClaw · The Hands

The hands that execute every finding.

If Claude Mythos is the mind, OpenClaw AI is the hands. It's an open, any-OS agent framework with 13,729 skills published on ClawHub — the execution layer that connects reasoning to real repositories, build systems, CI, and disclosure channels. A discovery becomes a scan, a reproduction on a live build, a patch pull request, and a coordinated disclosure — without a human in the loop.

13,729
Skills published on ClawHub
5
Operating systems supported
5-stage
Closed autonomous loop
Open
Apache-2.0, any-OS framework
// What is OpenClaw

An open agent framework that runs anywhere.

OpenClaw AI is an open, any-OS agent framework. Where the Mythos pipeline reasons about where a vulnerability lives, OpenClaw is what reaches into the world and does something about it — cloning the target, mapping the codebase, running scans inside a scoped build sandbox, compiling and exercising live builds, drafting a minimal patch, opening a pull request, and routing the report to maintainers. Every capability is a composable skill drawn from ClawHub, a registry of 13,729 skills spanning source control, coding agents, security tooling, and protocol bridges.

It runs natively across macOS, Windows, and Linux, and reaches onto iOS and Android — so an agent can drive a desktop build, a CI runner, or a mobile target with the same skill vocabulary. That portability is what makes the autonomous loop general: the same hands that close a sink in a C/C++ kernel module can ship a fix in a PHP web service or a TypeScript front end.

macOSWindowsLinux iOSAndroidApache-2.0 ClawHub registryBuild sandbox CI integrationCoordinated disclosure
// The skills that ship the loop

Five skills do the heavy lifting.

Of the 13,729 skills on ClawHub, a small core carries the discover-to-disclose workflow. Each is an isolated, declarative capability the agent can compose on demand — and every one is verifiable before it runs.

// SOURCE CONTROL

github

Connects the agent to repositories and CI: clones the target, maps files and dependencies, reads build configuration, opens branches, and files the patch as a pull request for review.

// PATCHING

coding-agent

Reads the vulnerable code path, drafts a minimal fix that closes the sink without regressing behavior, and prepares the change set the github skill turns into a PR.

// SECURITY

clawsec-suite

The security toolkit the hands reach for — runs scans, reproduces a candidate flaw against a live build inside the scoped sandbox, and helps confirm reachability before anything is disclosed.

// TRUST

skill-vetter

Vets a skill before it executes: checks provenance and declared scope so an autonomous agent only ever invokes capabilities that have been reviewed — the safety gate on a 13,729-skill registry.

// PROTOCOL

mcporter

Bridges external tools and services into the agent's reach, porting protocol endpoints into callable skills so the framework can talk to build systems, scanners, and disclosure channels.

// REGISTRY

ClawHub

The catalog of all 13,729 skills. The agent discovers, pulls, and composes capabilities on demand — the open marketplace that makes the hands extensible to any target.

// Skill → action map

Which hand does what.

Each stage of the autonomous loop is carried by a specific skill. Mythos decides what to do; these skills are how it gets done.

SkillRole in the loopWhat it touches
githubClone & map the repository, then open the patch as a pull requestRepositories, CI, branches
clawsec-suiteRun scans and reproduce the flaw against a live build in the sandboxBuild sandbox, live binaries
coding-agentDraft the minimal fix that closes the sink without regressionsSource files, change sets
mcporterPort external tools and protocol endpoints into callable skillsBuild systems, scanners, channels
skill-vetterVerify provenance and scope before any skill is allowed to executeSkill registry, trust policy
// How the hands work

From a finding to a shipped patch.

A Mythos finding is just a claim until something proves it and fixes it. Here is how OpenClaw's skills turn that claim into a live result — the execution half of discover → reproduce → validate → patch → disclose.

Clone & map the repositoryThe github skill pulls the target and builds a code and dependency map, locating the files Mythos flagged by sink density.
Stand up a scoped build sandboxThe agent provisions an isolated environment with scoped Bash and file tools — enough to compile and exercise the target, nothing more.
Run scans & reproduce on a live buildclawsec-suite compiles, runs, and tests the candidate flaw against a live build to confirm it is real and reachable — not a false positive.
Generate a minimal patchcoding-agent drafts the smallest change that closes the sink, then re-runs the build to confirm the fix holds without regressions.
Open the patch as a pull requestThe github skill files the change on a branch and opens a PR, so maintainers review a concrete, buildable fix — not a bug report.
Route the disclosureThe confirmed finding is logged, deduped, and routed to maintainers through coordinated-disclosure channels under a lawful-use, hash-now-reveal-later policy.
// Any-OS by design

One skill vocabulary, every platform.

The hands have to reach wherever the bug lives. OpenClaw runs as a native agent on the three major desktop and server platforms and extends onto mobile, so the same loop applies to a kernel module, a web service, or firmware on a device.

// DESKTOP & SERVER

macOS · Windows · Linux

Native execution for the bulk of targets — drive developer builds, CI runners, and server-side scans with full sandboxed Bash and file tooling.

// MOBILE

iOS · Android

Reach onto mobile targets with the same skill vocabulary, so reproduction and validation aren't limited to the desktop attack surface.

// PIPELINE

Repos & CI

First-class integration with source control and continuous integration means a finding flows straight into the place code actually ships from.

// Put the hands to work

Wire the mind to the hands.

OpenClaw is the execution layer of CLAWMYTHOS. Pair it with Mythos-grade reasoning and you get a general autonomous debugger: find the bug, prove it on a live build, fix it, ship the PR.