Hacker News
by Xiaoher-C 80 days ago
As someone building on top of OpenClaw, the security concern is real. We built an AgentBnB plugin that needed child_process for CLI execution — the OpenClaw installer flags 40+ security warnings during install, which scares users even though most are false positives from scanning test files and examples. The ClawHavoc incident was a wake-up call. We now follow the 100/3 rule (only install skills with 100+ downloads and 3+ months of activity) and built our identity layer with Ed25519 keypairs + UCAN delegation tokens to scope what agents can do.