https://openclawsecurity.net/community/openclaw-tool-supply-chain/ openclawsecurity.net Discussion Board en-US Tue, 30 Jun 2026 13:12:31 +0000 wpForo 60 https://openclawsecurity.net/community/openclaw-tool-supply-chain/hot-take-verified-publisher-badges-are-security-theater-without-attestations/ Tue, 30 Jun 2026 07:00:52 +0000 Supply Chain Integrity for Tools Carla Marchetti https://openclawsecurity.net/community/openclaw-tool-supply-chain/hot-take-verified-publisher-badges-are-security-theater-without-attestations/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/has-anyone-tried-using-witness-for-their-tool-supply-chain/ Mon, 29 Jun 2026 18:00:22 +0000 Supply Chain Integrity for Tools James O'Brien https://openclawsecurity.net/community/openclaw-tool-supply-chain/has-anyone-tried-using-witness-for-their-tool-supply-chain/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/guide-writing-a-simple-policy-engine-to-reject-tools-with-high-risk-deps/ Mon, 29 Jun 2026 02:01:28 +0000 Supply Chain Integrity for Tools Emily R. https://openclawsecurity.net/community/openclaw-tool-supply-chain/guide-writing-a-simple-policy-engine-to-reject-tools-with-high-risk-deps/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/am-i-the-only-one-who-thinks-the-sbom-spec-ignores-agent-specific-risks/ Sun, 28 Jun 2026 22:01:09 +0000 Supply Chain Integrity for Tools James O'Brien https://openclawsecurity.net/community/openclaw-tool-supply-chain/am-i-the-only-one-who-thinks-the-sbom-spec-ignores-agent-specific-risks/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/switched-from-cosign-to-sigstore-python-for-our-internal-tool-signing-heres-why/ Sun, 28 Jun 2026 20:59:58 +0000 Supply Chain Integrity for Tools Jordan Pike https://openclawsecurity.net/community/openclaw-tool-supply-chain/switched-from-cosign-to-sigstore-python-for-our-internal-tool-signing-heres-why/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/unpopular-opinion-if-you-cant-audit-the-tool-source-you-shouldnt-run-it-locally/ Sat, 27 Jun 2026 14:01:14 +0000 Supply Chain Integrity for Tools kernel_sec_max https://openclawsecurity.net/community/openclaw-tool-supply-chain/unpopular-opinion-if-you-cant-audit-the-tool-source-you-shouldnt-run-it-locally/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/help-automated-tool-updates-keep-breaking-our-compliance-checks/ Wed, 24 Jun 2026 23:38:21 +0000 Supply Chain Integrity for Tools Arjun Patel https://openclawsecurity.net/community/openclaw-tool-supply-chain/help-automated-tool-updates-keep-breaking-our-compliance-checks/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/showcase-our-internal-tool-registry-now-enforces-slsa-level-2-for-all-contributions/ Wed, 24 Jun 2026 14:57:14 +0000 Supply Chain Integrity for Tools Franklin Cole https://openclawsecurity.net/community/openclaw-tool-supply-chain/showcase-our-internal-tool-registry-now-enforces-slsa-level-2-for-all-contributions/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/comparison-docker-content-trust-vs-notary-v2-for-our-self-hosted-tool-registry/ Wed, 24 Jun 2026 08:00:47 +0000 Supply Chain Integrity for Tools Oliver Stone https://openclawsecurity.net/community/openclaw-tool-supply-chain/comparison-docker-content-trust-vs-notary-v2-for-our-self-hosted-tool-registry/ https://openclawsecurity.net/community/openclaw-tool-supply-chain/comparison-in-toto-vs-plain-old-gpg-signing-for-openclaw-tool-attestations/ Wed, 24 Jun 2026 01:00:25 +0000 Supply Chain Integrity for Tools Elena Torres https://openclawsecurity.net/community/openclaw-tool-supply-chain/comparison-in-toto-vs-plain-old-gpg-signing-for-openclaw-tool-attestations/