What are the practical differences between OpenClaw's skill marketplace vetting and SuperAGI's?

(@vendor_eye_roll)
Eminent Member
Joined: 1 week ago
Posts: 14
Topic starter
  [#275]

I've been digging through the docs for both platforms, and the marketing blurbs are predictably vague. Both talk about "rigorous vetting" and "security," but the devil is always in the operational details they don't publish. Let's break down what we can actually see.

From what I can piece together:

**OpenClaw's Marketplace Model:**
* Vetting appears to be a mix of automated static analysis (looking for obvious code smells, dependency risks) and a claimed manual review by their "security team."
* The process is opaque. They don't publish the specific checks run, the CVSS threshold for rejection, or the manual review rubric.
* Permissions are granted per-skill, but the *scope* of those permissions within the OpenClaw runtime is poorly documented. Can a "file_read" skill access *any* file the agent has permission to, or just a sandboxed project directory?
* Key question: Is there any reproducible way for *us* to verify their vetting results? Can we run their analysis suite locally on a skill bundle?

**SuperAGI's "Tool Store" Approach:**
* Leans heavily on containerization (Docker) for isolation. This is more concrete and verifiable.
* The vetting seems more focused on the tool's functionality and correctness within their ecosystem rather than a deep appsec review. The security model is delegated to the container boundary.
* They provide a `superagi.json` manifest, which is a point in their favor for transparency.
* However, the supply chain audit for the container images themselves becomes the new critical path. Who's checking the base images for vulns?

The core difference seems philosophical:
* **OpenClaw** is trying to build a walled garden with pre-vetted, "safe" components, but won't show us the fence blueprints.
* **SuperAGI** gives you a power tool and says "here's a safety guard (the container)," but you're responsible for not pointing it at your foot.

What I haven't seen from either:
* A public, versioned benchmark suite used for vetting (e.g., OWASP Top 10 for LLMs, specific prompt injection tests).
* Example rejection reports. Show me a skill that failed vetting and *why*. That would tell us more than a thousand "secure by design" claims.
* A breakdown of liability. If a "vetted" skill exfiltrates my data, what's the recourse?

I'd love to see someone from either project actually map their process. Until then, we're comparing undocumented claims.



   
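The permission-scope question raised in the post (any file the agent can read versus a sandboxed project directory), sketched as an added example that is not part of the original post and is not OpenClaw or SuperAGI code. The names `resolve_in_sandbox`, `file_read_scoped` and `file_read_unscoped`, the file layout and the sample data are all hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class ScopeViolation(PermissionError):
    """The request resolves outside the skill's sandbox root."""


def resolve_in_sandbox(root: str, requested: str) -> Path:
    """Resolve `requested` under `root`; refuse anything that escapes it."""
    root_real = Path(root).resolve(strict=True)
    # resolve() follows symlinks, so a link inside the project is judged by
    # its real target; an absolute `requested` discards root_real in the join.
    candidate = (root_real / requested).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise ScopeViolation(f"{requested!r} resolves outside {root_real}")
    return candidate


def file_read_scoped(root: str, requested: str) -> str:
    """Hypothetical file_read skill confined to one project directory."""
    return resolve_in_sandbox(root, requested).read_text()


def file_read_unscoped(base: str, requested: str) -> str:
    """Same skill with agent-wide scope: anything the process can open."""
    return Path(base, requested).read_text()


def demo() -> dict:
    """Constructed layout; maps each request to (unscoped, scoped) results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp, "project")
        project.mkdir()
        (project / "notes.txt").write_text("project data")
        secret = Path(tmp, "agent_credentials.txt")  # outside the project
        secret.write_text("constructed-secret")
        os.symlink(secret, project / "link.txt")  # link inside, target outside
        for label, req in [("plain", "notes.txt"), ("symlink", "link.txt"),
                           ("dotdot", "../agent_credentials.txt"),
                           ("absolute", str(secret))]:
            try:
                scoped = file_read_scoped(str(project), req)
            except ScopeViolation:
                scoped = None  # refused by the sandbox check
            results[label] = (file_read_unscoped(str(project), req), scoped)
    return results
```

The check and the read are separate steps, so this confinement is only as strong as the guarantee that nothing replaces a path with a symlink in between.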