Skip to main content
Version: 1.0-draft | Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems) + data flow diagrams This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace. It is a living document maintained by the OpenClaw community. See Contributing to the threat model for how to report new threats, propose attack chains, or suggest mitigations. Key ATLAS resources: Techniques | Tactics | Case studies | ATLAS GitHub | Contributing to ATLAS

1. Scope

ComponentIncludedNotes
OpenClaw agent runtimeYesCore agent execution, tool calls, sessions
GatewayYesAuthentication, routing, channel integration
Channel integrationsYesWhatsApp, Telegram, Discord, Signal, Slack, etc.
ClawHub marketplaceYesSkill publishing, moderation, distribution
MCP serversYesExternal tool providers
User devicesPartialMobile apps, desktop clients
Out-of-scope reports and false-positive patterns (public internet exposure, prompt-injection-only chains without a boundary bypass, mutually untrusted operators sharing one gateway host, and others) are enumerated in SECURITY.md; that file is the current source of truth for vulnerability-report scope, not this page.

2. System architecture

2.1 Trust boundaries

┌─────────────────────────────────────────────────────────────────┐
│                    UNTRUSTED ZONE                                │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
│  │  WhatsApp   │  │  Telegram   │  │   Discord   │  ...         │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘              │
│         │                │                │                      │
└─────────┼────────────────┼────────────────┼──────────────────────┘
          │                │                │
          ▼                ▼                ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 1: Channel Access                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                      GATEWAY                              │   │
│  │  • Device pairing (1h DM pairing / 5m node pairing TTL)   │   │
│  │  • AllowFrom / allowlist validation                       │   │
│  │  • Token / password / Tailscale auth                      │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 2: Session Isolation              │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                   AGENT SESSIONS                          │   │
│  │  • Session key = agent:channel:peer                       │   │
│  │  • Tool policies per agent                                │   │
│  │  • Transcript logging                                     │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 3: Tool Execution                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                  EXECUTION SANDBOX                        │   │
│  │  • Docker sandbox (default) or host (exec approvals)      │   │
│  │  • Node remote execution                                  │   │
│  │  • SSRF protection (DNS pinning + IP blocking)            │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 4: External Content               │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │              FETCHED URLs / EMAILS / WEBHOOKS             │   │
│  │  • External content wrapping (random-boundary XML tags)   │   │
│  │  • Security notice injection                              │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 5: Supply Chain                   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                      CLAWHUB                              │   │
│  │  • Skill publishing (semver, SKILL.md required)           │   │
│  │  • Static pattern + AST-adjacent moderation scanning      │   │
│  │  • LLM-based agentic risk review + VirusTotal scanning    │   │
│  │  • GitHub account age verification (14 days)              │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

2.2 Data flows

FlowSourceDestinationDataProtection
F1ChannelGatewayUser messagesTLS, AllowFrom
F2GatewayAgentRouted messagesSession isolation
F3AgentToolsTool invocationsPolicy enforcement
F4AgentExternalweb_fetch requestsSSRF blocking
F5ClawHubAgentSkill codeModeration, scanning
F6AgentChannelResponsesOutput filtering

3. Threat analysis by ATLAS tactic

3.1 Reconnaissance (AML.TA0002)

T-RECON-001: Agent endpoint discovery

AttributeValue
ATLAS IDAML.T0006 - Active Scanning
DescriptionAttacker scans for exposed OpenClaw gateway endpoints
Attack vectorNetwork scanning, Shodan queries, DNS enumeration
Affected componentsGateway, exposed API endpoints
Current mitigationsTailscale auth option, bind to loopback by default
Residual riskMedium - public gateways discoverable
RecommendationsDocument secure deployment, add rate limiting on discovery endpoints

T-RECON-002: Channel integration probing

AttributeValue
ATLAS IDAML.T0006 - Active Scanning
DescriptionAttacker probes messaging channels to identify AI-managed accounts
Attack vectorSending test messages, observing response patterns
Affected componentsAll channel integrations
Current mitigationsNone specific
Residual riskLow - limited value from discovery alone
RecommendationsConsider response timing randomization

3.2 Initial access (AML.TA0004)

T-ACCESS-001: Pairing code interception

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker intercepts a pairing code during the pairing window (1h DM/generic pairing, 5m node pairing)
Attack vectorShoulder surfing, network sniffing, social engineering
Affected componentsDevice pairing system
Current mitigations1h TTL (DM/generic pairing), 5m TTL (node pairing); codes sent via the existing channel
Residual riskMedium - pairing window exploitable
RecommendationsReduce pairing window, add a confirmation step

T-ACCESS-002: AllowFrom spoofing

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker spoofs an allowed sender identity on a channel
Attack vectorChannel-dependent - phone number spoofing, username impersonation
Affected componentsPer-channel AllowFrom validation
Current mitigationsChannel-specific identity verification
Residual riskMedium - some channels remain vulnerable to spoofing
RecommendationsDocument channel-specific risks, add cryptographic verification where possible

T-ACCESS-003: Token theft

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker steals authentication tokens from config/credential files
Attack vectorMalware, unauthorized device access, config backup exposure
Affected componentsChannel/provider credential storage, config storage
Current mitigationsFile permissions
Residual riskHigh - tokens stored in plaintext on disk
RecommendationsImplement token encryption at rest, add token rotation

3.3 Execution (AML.TA0005)

T-EXEC-001: Direct prompt injection

AttributeValue
ATLAS IDAML.T0051.000 - LLM Prompt Injection: Direct
DescriptionAttacker sends crafted prompts to manipulate agent behavior
Attack vectorChannel messages containing adversarial instructions
Affected componentsAgent LLM, all input surfaces
Current mitigationsPattern detection, external content wrapping; treated as out-of-scope for vulnerability reports absent a boundary bypass (see SECURITY.md)
Residual riskCritical - detection only, no blocking; sophisticated attacks bypass
RecommendationsOutput validation and user confirmation for sensitive actions, layered on top of existing detection

T-EXEC-002: Indirect prompt injection

AttributeValue
ATLAS IDAML.T0051.001 - LLM Prompt Injection: Indirect
DescriptionAttacker embeds malicious instructions in fetched content
Attack vectorMalicious URLs, poisoned emails, compromised webhooks
Affected componentsweb_fetch, email ingestion, external data sources
Current mitigationsContent wrapping with random-boundary XML-style markers, homoglyph/special-token normalization, and a security notice
Residual riskHigh - LLM may still ignore wrapper instructions
RecommendationsSeparate execution contexts for wrapped content

T-EXEC-003: Tool argument injection

AttributeValue
ATLAS IDAML.T0051.000 - LLM Prompt Injection: Direct
DescriptionAttacker manipulates tool arguments through prompt injection
Attack vectorCrafted prompts that influence tool parameter values
Affected componentsAll tool invocations
Current mitigationsExec approvals for dangerous commands
Residual riskHigh - relies on user judgment
RecommendationsArgument validation, parameterized tool calls

T-EXEC-004: Exec approval bypass

AttributeValue
ATLAS IDAML.T0043 - Craft Adversarial Data
DescriptionAttacker crafts commands that bypass the approval allowlist
Attack vectorCommand obfuscation, alias exploitation, path manipulation
Affected componentssrc/infra/exec-approvals*.ts, command allowlist
Current mitigationsAllowlist + ask mode, plus command normalization (dispatch-wrapper unwrapping, inline-eval detection, shell-chain analysis)
Residual riskHigh - normalization narrows but does not eliminate obfuscation bypass; parity-only findings between exec paths are treated as hardening, not vulnerabilities (see SECURITY.md)
RecommendationsContinue expanding command-normalization coverage against new obfuscation techniques

3.4 Persistence (AML.TA0006)

T-PERSIST-001: Malicious skill installation

AttributeValue
ATLAS IDAML.T0010.001 - Supply Chain Compromise: AI Software
DescriptionAttacker publishes a malicious skill to ClawHub
Attack vectorCreate account, publish skill with hidden malicious code
Affected componentsClawHub, skill loading, agent execution
Current mitigationsGitHub account age verification, static pattern/AST-adjacent scanning, LLM-based agentic risk review, VirusTotal scanning
Residual riskHigh - detection layers exist but skills still run with agent privileges and no execution sandboxing
RecommendationsSkill execution sandboxing, expanded community review

T-PERSIST-002: Skill update poisoning

AttributeValue
ATLAS IDAML.T0010.001 - Supply Chain Compromise: AI Software
DescriptionAttacker compromises a popular skill and pushes a malicious update
Attack vectorAccount compromise, social engineering of skill owner
Affected componentsClawHub versioning, auto-update flows
Current mitigationsVersion fingerprinting, moderation/scanning re-run on new versions
Residual riskHigh - auto-updates may pull malicious versions before review completes
RecommendationsUpdate signing, rollback capability, version pinning

T-PERSIST-003: Agent configuration tampering

AttributeValue
ATLAS IDAML.T0010.002 - Supply Chain Compromise: Data
DescriptionAttacker modifies agent configuration to persist access
Attack vectorConfig file modification, settings injection
Affected componentsAgent config, tool policies
Current mitigationsFile permissions
Residual riskMedium - requires local access
RecommendationsConfig integrity verification, audit logging for config changes

3.5 Defense evasion (AML.TA0007)

T-EVADE-001: Moderation pattern bypass

AttributeValue
ATLAS IDAML.T0043 - Craft Adversarial Data
DescriptionAttacker crafts skill content to evade ClawHub moderation checks
Attack vectorUnicode homoglyphs, encoding tricks, dynamic loading
Affected componentsClawHub moderation/scanning pipeline
Current mitigationsStatic pattern rules, AST-adjacent code scanning, LLM agentic-risk review, VirusTotal
Residual riskMedium - novel obfuscation can still slip past layered heuristics
RecommendationsContinue expanding the pattern/behavioral corpus as new evasions are found

T-EVADE-002: Content wrapper escape

AttributeValue
ATLAS IDAML.T0043 - Craft Adversarial Data
DescriptionAttacker crafts content that escapes the external-content wrapper context
Attack vectorTag manipulation, context confusion, instruction override
Affected componentsExternal content wrapping
Current mitigationsRandom-boundary XML-style markers + security notice, plus homoglyph/whitespace-variant marker-spoof detection
Residual riskMedium - novel escapes discovered regularly
RecommendationsOutput-side validation in addition to input-side wrapping

3.6 Discovery (AML.TA0008)

T-DISC-001: Tool enumeration

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker enumerates available tools through prompting
Attack vector”What tools do you have?” style queries
Affected componentsAgent tool registry
Current mitigationsNone specific
Residual riskLow - tools are generally documented
RecommendationsConsider tool visibility controls

T-DISC-002: Session data extraction

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker extracts sensitive data from session context
Attack vector”What did we discuss?” queries, context probing
Affected componentsSession transcripts, context window
Current mitigationsSession isolation per sender (agent:channel:peer key)
Residual riskMedium - within-session data is accessible by design
RecommendationsSensitive-data redaction in context

3.7 Collection and exfiltration (AML.TA0009, AML.TA0010)

T-EXFIL-001: Data theft via web_fetch

AttributeValue
ATLAS IDAML.T0009 - Collection
DescriptionAttacker exfiltrates data by instructing the agent to send it to an external URL
Attack vectorPrompt injection causing the agent to POST data to an attacker server
Affected componentsweb_fetch tool
Current mitigationsSSRF blocking for internal/private networks (DNS pinning + IP blocking)
Residual riskHigh - arbitrary external URLs remain permitted
RecommendationsURL allowlisting, data-classification awareness

T-EXFIL-002: Unauthorized message sending

AttributeValue
ATLAS IDAML.T0009 - Collection
DescriptionAttacker causes the agent to send messages containing sensitive data
Attack vectorPrompt injection causing the agent to message the attacker
Affected componentsMessage tool, channel integrations
Current mitigationsOutbound messaging gating
Residual riskMedium - gating may be bypassed
RecommendationsExplicit confirmation for new recipients

T-EXFIL-003: Credential harvesting

AttributeValue
ATLAS IDAML.T0009 - Collection
DescriptionMalicious skill harvests credentials from the agent context
Attack vectorSkill code reads environment variables, config files
Affected componentsSkill execution environment
Current mitigationsClawHub credential-pattern scanning (hardcoded secrets, credential env access paired with network sends); no execution sandboxing for skills at runtime
Residual riskCritical - skills run with agent privileges
RecommendationsSkill execution sandboxing, credential isolation

3.8 Impact (AML.TA0011)

T-IMPACT-001: Unauthorized command execution

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker executes arbitrary commands on the user system
Attack vectorPrompt injection combined with exec approval bypass
Affected componentsBash tool, command execution
Current mitigationsExec approvals, Docker sandbox option (default runtime backend)
Residual riskCritical - host execution possible when sandbox is disabled
RecommendationsImprove approval UX; sandbox-off deployments remain a deliberate operator choice, documented as such

T-IMPACT-002: Resource exhaustion (DoS)

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker exhausts API credits or compute resources
Attack vectorAutomated message flooding, expensive tool calls
Affected componentsGateway, agent sessions, API provider
Current mitigationsNone
Residual riskHigh - no per-sender rate limiting
RecommendationsPer-sender rate limits, cost budgets

T-IMPACT-003: Reputation damage

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker causes the agent to send harmful/offensive content
Attack vectorPrompt injection causing inappropriate responses
Affected componentsOutput generation, channel messaging
Current mitigationsLLM provider content policies
Residual riskMedium - provider filters are imperfect
RecommendationsOutput filtering layer, user controls

4. ClawHub supply chain analysis

4.1 Current security controls

ControlImplementationEffectiveness
GitHub account agerequireGitHubAccountAge() (14-day minimum)Medium - raises the bar for new attackers
Path sanitizationsanitizePath()High - prevents path traversal
File type validationisTextFile()Medium - only text files scanned, but still exploitable
Size limits50MB total bundle (MAX_PUBLISH_TOTAL_BYTES)High - prevents resource exhaustion
Required SKILL.mdMandatory readme on publishLow security value - informational only
Static + AST-adjacent scanningPattern engine covering exec, exfiltration, credential-harvest, obfuscation, and moreMedium-High - covers many known abuse patterns, still pattern-based
LLM-based agentic risk reviewSecurity-prompt-driven verdict on publishMedium-High - catches behavior static patterns miss
VirusTotal scanningWired to skill and package-release publish/rescan flows, gated on operator API keyHigh when enabled - static engine detection
Moderation statusmoderationStatus fieldMedium - manual review possible

4.2 Moderation limitations

ClawHub’s static scanning inspects skill code content directly (not just slug/metadata/frontmatter), covering dangerous exec calls, dynamic code execution, credential harvesting, exfiltration patterns, obfuscated payloads, and more. Known gaps:
  • Pattern-based detection can still be bypassed by sufficiently novel obfuscation.
  • LLM-based review and VirusTotal scanning depend on operator-side API keys/config being enabled.
  • No runtime execution sandbox isolates a skill from the agent’s own privileges once installed.

4.3 Badges

Skills and packages carry moderator-assigned badges: highlighted, official, deprecated, redactionApproved (skills only). Community reporting (skillReports) and audit logging (auditLogs) back moderation workflows.

5. Risk matrix

5.1 Likelihood vs impact

Threat IDLikelihoodImpactRisk levelPriority
T-EXEC-001HighCriticalCriticalP0
T-PERSIST-001HighCriticalCriticalP0
T-EXFIL-003MediumCriticalCriticalP0
T-IMPACT-001MediumCriticalHighP1
T-EXEC-002HighHighHighP1
T-EXEC-004MediumHighHighP1
T-ACCESS-003MediumHighHighP1
T-EXFIL-001MediumHighHighP1
T-IMPACT-002HighMediumHighP1
T-EVADE-001HighMediumMediumP2
T-ACCESS-001LowHighMediumP2
T-ACCESS-002LowHighMediumP2
T-PERSIST-002LowHighMediumP2

5.2 Critical path attack chains

Chain 1: Skill-based data theft
T-PERSIST-001 → T-EVADE-001 → T-EXFIL-003
(Publish malicious skill) → (Evade moderation) → (Harvest credentials)
Chain 2: Prompt injection to RCE
T-EXEC-001 → T-EXEC-004 → T-IMPACT-001
(Inject prompt) → (Bypass exec approval) → (Execute commands)
Chain 3: Indirect injection via fetched content
T-EXEC-002 → T-EXFIL-001 → External exfiltration
(Poison URL content) → (Agent fetches & follows instructions) → (Data sent to attacker)

6. Recommendations summary

6.1 Immediate (P0)

IDRecommendationAddresses
R-002Implement skill execution sandboxingT-PERSIST-001, T-EXFIL-003
R-003Add output validation for sensitive actionsT-EXEC-001, T-EXEC-002

6.2 Short-term (P1)

IDRecommendationAddresses
R-004Implement per-sender rate limitingT-IMPACT-002
R-005Add token encryption at restT-ACCESS-003
R-006Improve exec approval UX and continue expanding command normalizationT-EXEC-004
R-007Implement URL allowlisting for web_fetchT-EXFIL-001

6.3 Medium-term (P2)

IDRecommendationAddresses
R-008Add cryptographic channel verification where possibleT-ACCESS-002
R-009Implement config integrity verificationT-PERSIST-003
R-010Add update signing and version pinningT-PERSIST-002

7. Appendices

7.1 ATLAS technique mapping

ATLAS IDTechnique nameOpenClaw threats
AML.T0006Active ScanningT-RECON-001, T-RECON-002
AML.T0009CollectionT-EXFIL-001, T-EXFIL-002, T-EXFIL-003
AML.T0010.001Supply Chain: AI SoftwareT-PERSIST-001, T-PERSIST-002
AML.T0010.002Supply Chain: DataT-PERSIST-003
AML.T0031Erode AI Model IntegrityT-IMPACT-001, T-IMPACT-002, T-IMPACT-003
AML.T0040AI Model Inference API AccessT-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002
AML.T0043Craft Adversarial DataT-EXEC-004, T-EVADE-001, T-EVADE-002
AML.T0051.000LLM Prompt Injection: DirectT-EXEC-001, T-EXEC-003
AML.T0051.001LLM Prompt Injection: IndirectT-EXEC-002

7.2 Key security files

PathPurposeRisk level
src/infra/exec-approvals.tsCommand approval logicCritical
src/gateway/auth.tsGateway authenticationCritical
src/infra/net/ssrf.tsSSRF protectionCritical
src/security/external-content.tsPrompt injection mitigationCritical
src/agents/sandbox/tool-policy.tsSandbox tool allow/deny policyCritical
src/routing/resolve-route.tsSession isolation / routingMedium

7.3 Glossary

TermDefinition
ATLASMITRE’s Adversarial Threat Landscape for AI Systems
ClawHubOpenClaw’s skill marketplace
GatewayOpenClaw’s message routing and authentication layer
MCPModel Context Protocol - tool provider interface
Prompt injectionAttack where malicious instructions are embedded in input
SkillDownloadable extension for OpenClaw agents
SSRFServer-Side Request Forgery

This threat model is a living document. Report security issues to security@openclaw.ai or see the Trust page.