ClawVAPT is a Telegram-first, multi-agent VAPT assistant built for security operators who need fast, safe, and report-ready vulnerability triage.

The inspiration came from a real workflow problem: scanners are powerful, but running them safely still requires a lot of manual work — verifying target ownership, locking scope, checking payment/credits, redacting evidence, and generating reports. ClawVAPT brings all of that into one guided chat-based agent flow.

The system uses three logical agents:

• TrustVerifierPaymentAgent handles ownership verification, scope locking, credits, and QRIS payment checks.
• RedTeamRepoScannerAgent runs safe web and public GitHub repo scanner profiles.
• BlueTeamHardeningReportAgent generates PDF, JSON, and manual-review reports.

A typical flow starts from Telegram. For web targets, the user must prove ownership through HTTP/DNS verification before any scan runs. For GitHub, the user can scan a public repository directly. Before paid scans, the bot checks credits; if credits are insufficient, it creates a QRIS top-up flow. After scanning, reports are delivered automatically back to Telegram.
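The ownership-verification and scope-lock gate described above, as an added example (not ClawVAPT's own code): the HTTP path, the DNS label and the injected lookup callables are assumptions made for this illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed publication points (constructed for this example, not ClawVAPT's own).
HTTP_PATH = "/.well-known/clawvapt-verify.txt"
DNS_LABEL = "_clawvapt-verify"


class OwnershipGate:
    """Allow a web scan only for a host whose owner has published a freshly
    issued token over HTTP or DNS, and only for exactly that host."""

    def __init__(self, http_get, dns_txt):
        # http_get(url) -> body or None; dns_txt(name) -> list of TXT strings.
        # Injected so the gate can be exercised offline with fake backends.
        self._http_get = http_get
        self._dns_txt = dns_txt
        self._pending = {}      # host -> token awaiting publication
        self._verified = set()  # hosts with proven ownership (the scope lock)

    def issue_challenge(self, host):
        token = secrets.token_urlsafe(24)  # unguessable, one per host
        self._pending[host.lower()] = token
        return token

    def verify(self, host):
        host = host.lower()
        token = self._pending.get(host)
        if token is None:
            return False
        body = self._http_get(f"https://{host}{HTTP_PATH}")
        found = [body.strip()] if body else []
        found += [r.strip() for r in self._dns_txt(f"{DNS_LABEL}.{host}")]
        # constant-time comparison so a wrong guess reveals nothing via timing
        if any(hmac.compare_digest(p.encode(), token.encode()) for p in found):
            self._verified.add(host)
            del self._pending[host]  # single-use challenge
            return True
        return False

    def authorize_scan(self, target_url):
        """Scope lock: refuse anything but an exactly verified host, so a
        subdomain, another host or a malformed URL never reaches the scanner."""
        host = urlparse(target_url).hostname
        if host is None or host not in self._verified:
            raise PermissionError(f"scan refused: ownership of {host!r} not proven")
        return host
```

The scanner adapters would be called only with the host returned by authorize_scan, so an unverified or out-of-scope target fails before any tool runs.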

I learned a lot about designing agent systems that are not only autonomous, but also safe and auditable. The hardest part was balancing useful automation with security guardrails: avoiding unauthorized scans, preventing raw secret leakage, handling payment idempotency, keeping reports clean, and making the UX simple enough for a two-minute demo.

The final project combines multi-agent orchestration, security scanner adapters, Telegram UX, QRIS payments, SQLite persistence, and OpenClaw-assisted development into a deployable MVP.

Built With

  • checkov
  • gitleaks
  • grype
  • json
  • lynis
  • nikto
  • nmap
  • osv-scanner
  • semgrep
  • syft
  • testssl.sh
  • trivy