Stealthy OpenClaw: Evading EDR, DLP, and IAM Undetected

An Attacker’s Sneaky Move: The OpenClaw Security Challenge

Picture this: an attacker cunningly embeds a single instruction inside a forwarded email. An OpenClaw agent, as part of its routine task, unknowingly summarizes that email. The hidden instruction slyly directs the agent to forward sensitive credentials to an external endpoint. The unsuspecting agent complies, using its own OAuth tokens through a sanctioned API call. The firewall logs HTTP 200, and the EDR records a normal process. No alarms are triggered, and everything seems fine by the security stack’s standards.

But here lies the problem. In just 14 days, six independent security teams rolled out six OpenClaw defense tools. Shockingly, three attack surfaces managed to evade detection by all of them. The exposure landscape is far more alarming than most security teams realize. Token Security’s discovery that 22% of its enterprise customers have employees running OpenClaw without IT approval is just the tip of the iceberg. Bitsight’s findings of over 30,000 publicly exposed instances in two weeks, compared to the previous 1,000, paint a bleak picture. Snyk’s ToxicSkills audit reveals that a staggering 36% of ClawHub skills contain security flaws.

One of the key figures in addressing these vulnerabilities is Jamieson O’Reilly, formerly of Dvuln and now a security adviser to the OpenClaw project. O’Reilly has been instrumental in identifying and rectifying security loopholes within the system. His research on credential leakage from exposed instances served as an early warning to the community. Collaborating closely with project founder Peter Steinberger, O’Reilly spearheaded the implementation of dual-layer malicious skill detection. He is currently championing a proposal for a capabilities specification through the agentskills standards body. O’Reilly acknowledges the security shortcomings of OpenClaw, stating, “It wasn’t designed from the ground up to be as secure as possible. That’s understandable given the origins, and we’re owning it without excuses.”

The Elusive Gaps

Despite the flurry of emergency patching, three critical attack surfaces remain undetected by conventional security measures.

1. Runtime Semantic Exfiltration

The attack method conceals malicious behavior in the meaning of the instructions, evading detection by the current defense stack, which focuses on binary patterns. Palo Alto Networks’ analysis of OpenClaw flagged it for exhibiting traits from every category in the OWASP Top 10 for Agentic Applications. This includes access to private data, exposure to untrusted content, and communication capabilities with external entities. The challenge lies in EDR’s inability to discern the intent behind an agent’s actions, as they appear normal on the surface.

2. Cross-Agent Context Leakage

When multiple agents or skills share session context, a prompt injection in one channel can contaminate decisions across the entire chain. Giskard researchers demonstrated how agents silently appended attacker-controlled instructions to their workspace files, setting the stage for sleeper payload activation. This persistence poses a significant threat, as Palo Alto Networks researchers highlighted the potential for stateful, delayed-execution chains resulting from persistent memory. Existing tools like IronClaw and ClawSec fall short in addressing the propagation of context between agents.

3. Agent-to-Agent Trust Chains

The absence of mutual authentication in OpenClaw’s agent-to-agent interactions poses a grave risk. Compromising one agent in a chain grants access to every agent it communicates with, leveraging trust relationships established within the system. Microsoft’s security team flagged OpenClaw as vulnerable to untrusted code execution, emphasizing the threat of compromised agents inheriting privileges across the trust chain. Kaspersky’s assessment further underscored the danger posed by agents on personal devices, which could expose sensitive organizational credentials and configurations.

Addressing the Gaps

The response to these vulnerabilities has been multifaceted, with various tools and approaches emerging to fortify OpenClaw’s security posture.

1. Hardened Defenses

Tools like ClawSec and the VirusTotal integration bolster OpenClaw’s resilience by continuously verifying agents and scanning published ClawHub skills for malicious content. These measures aim to prevent unauthorized access and mitigate the risk of compromised skills infiltrating the system.

2. Architectural Rewrites

IronClaw and Carapace represent a shift towards a more secure foundation for OpenClaw, with a focus on sandboxing untrusted tools and enforcing fail-closed authentication. By isolating potentially risky operations and limiting access, these tools enhance the overall security posture of the system.

3. Scanning and Auditability

Tools like Cisco’s open-source scanner and NanoClaw offer comprehensive scanning capabilities and audit logs to track and analyze system activity. By reducing the attack surface through rigorous analysis and monitoring, these tools contribute to a more secure environment for OpenClaw.

The Path Forward

O’Reilly’s proposal for a skills specification standards update aims to address the core security challenges within OpenClaw. By requiring skills to declare explicit capabilities before execution, the proposal seeks to proactively mitigate the risks associated with untrusted code execution and context leakage. This shift towards a more structured and secure approach to handling skills reflects a broader industry trend towards enhancing security in AI-driven platforms.

Practical Steps for Security Teams

Given the prevalence of OpenClaw in enterprise environments, security teams must take proactive measures to secure their systems and mitigate potential risks.

1. Conduct a thorough inventory of running instances, monitoring for suspicious network activity and vulnerabilities.
2. Enforce isolated execution environments for agents connected to production infrastructure.
3. Implement security tools like ClawSec and VirusTotal integration to scan and verify the integrity of ClawHub skills.
4. Require human approval for sensitive agent actions to prevent unauthorized access to critical systems.
5. Map the remaining security gaps against your risk register and develop strategies to address them effectively.
6. Present a comprehensive evaluation of your OpenClaw security posture to the board, highlighting the urgency of addressing these critical vulnerabilities.

As the security landscape evolves, it is essential for organizations to stay vigilant and proactive in safeguarding their systems against emerging threats. By adopting a comprehensive approach to securing OpenClaw and addressing its inherent vulnerabilities, security teams can better protect their assets and mitigate potential risks.