No burying it. No vague statements three weeks later. This page exists because transparency isn't optional.
February 2026
Security researchers discovered 341 malicious skills on ClawHub, the third-party OpenClaw marketplace. These skills were siphoning API keys and conversation history from users who installed them.
KillerBot customers were not affected. We've never allowed ClawHub or third-party marketplace skills on managed instances. Our curated-only approach — which some called overkill — turned out to be the right call.
We published a detailed analysis of the attack, how we protect against supply-chain threats, and recommendations for self-hosted users.
No other incidents to report. This page exists proactively — we'd rather have an empty list than no list at all.
Five steps. Every time. No shortcuts.
Automated monitoring catches anomalies. Customer reports get triaged immediately. We don't wait for something to trend on Twitter.
Determine scope and impact within the first hour. Who's affected? What data is at risk? Is this ongoing or contained?
Affected customers hear from us directly. Public disclosure if warranted. No corporate speak — plain language about what happened.
Fix the issue. Patch the vulnerability. If customer action is needed, we provide exact steps — not a vague advisory.
Published write-up of what went wrong, why, and what we changed. We don't bury these. They live on this page permanently.
If you've discovered a vulnerability, we want to know. Responsible disclosure welcome.
security@killr.bot