Files
openclaw/docs/security/THREAT-MODEL-ATLAS.md
Peter Steinberger f7d7148cf0 docs: rewrite published docs grounded in current source (#100142)
Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green.

Closes #100141
2026-07-05 00:32:47 -04:00

43 KiB

summary, title, read_when
summary title read_when
OpenClaw threat model mapped to the MITRE ATLAS framework Threat model (MITRE ATLAS)
Reviewing security posture or threat scenarios
Working on security features or audit responses

Version: 1.0-draft | Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems) + data flow diagrams

This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace. It is a living document maintained by the OpenClaw community. See Contributing to the threat model for how to report new threats, propose attack chains, or suggest mitigations.

Key ATLAS resources: Techniques | Tactics | Case studies | ATLAS GitHub | Contributing to ATLAS


1. Scope

Component Included Notes
OpenClaw agent runtime Yes Core agent execution, tool calls, sessions
Gateway Yes Authentication, routing, channel integration
Channel integrations Yes WhatsApp, Telegram, Discord, Signal, Slack, etc.
ClawHub marketplace Yes Skill publishing, moderation, distribution
MCP servers Yes External tool providers
User devices Partial Mobile apps, desktop clients

Out-of-scope reports and false-positive patterns (public internet exposure, prompt-injection-only chains without a boundary bypass, mutually untrusted operators sharing one gateway host, and others) are enumerated in SECURITY.md; that file is the current source of truth for vulnerability-report scope, not this page.

2. System architecture

2.1 Trust boundaries

┌─────────────────────────────────────────────────────────────────┐
│                    UNTRUSTED ZONE                                │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
│  │  WhatsApp   │  │  Telegram   │  │   Discord   │  ...         │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘              │
│         │                │                │                      │
└─────────┼────────────────┼────────────────┼──────────────────────┘
          │                │                │
          ▼                ▼                ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 1: Channel Access                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                      GATEWAY                              │   │
│  │  • Device pairing (1h DM pairing / 5m node pairing TTL)   │   │
│  │  • AllowFrom / allowlist validation                       │   │
│  │  • Token / password / Tailscale auth                      │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 2: Session Isolation              │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                   AGENT SESSIONS                          │   │
│  │  • Session key = agent:channel:peer                       │   │
│  │  • Tool policies per agent                                │   │
│  │  • Transcript logging                                     │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 3: Tool Execution                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                  EXECUTION SANDBOX                        │   │
│  │  • Docker sandbox (default) or host (exec approvals)      │   │
│  │  • Node remote execution                                  │   │
│  │  • SSRF protection (DNS pinning + IP blocking)            │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 4: External Content               │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │              FETCHED URLs / EMAILS / WEBHOOKS             │   │
│  │  • External content wrapping (random-boundary XML tags)   │   │
│  │  • Security notice injection                              │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 5: Supply Chain                   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                      CLAWHUB                              │   │
│  │  • Skill publishing (semver, SKILL.md required)           │   │
│  │  • Static pattern + AST-adjacent moderation scanning      │   │
│  │  • LLM-based agentic risk review + VirusTotal scanning    │   │
│  │  • GitHub account age verification (14 days)              │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

2.2 Data flows

Flow Source Destination Data Protection
F1 Channel Gateway User messages TLS, AllowFrom
F2 Gateway Agent Routed messages Session isolation
F3 Agent Tools Tool invocations Policy enforcement
F4 Agent External web_fetch requests SSRF blocking
F5 ClawHub Agent Skill code Moderation, scanning
F6 Agent Channel Responses Output filtering

3. Threat analysis by ATLAS tactic

3.1 Reconnaissance (AML.TA0002)

T-RECON-001: Agent endpoint discovery

Attribute Value
ATLAS ID AML.T0006 - Active Scanning
Description Attacker scans for exposed OpenClaw gateway endpoints
Attack vector Network scanning, Shodan queries, DNS enumeration
Affected components Gateway, exposed API endpoints
Current mitigations Tailscale auth option, bind to loopback by default
Residual risk Medium - public gateways discoverable
Recommendations Document secure deployment, add rate limiting on discovery endpoints

T-RECON-002: Channel integration probing

Attribute Value
ATLAS ID AML.T0006 - Active Scanning
Description Attacker probes messaging channels to identify AI-managed accounts
Attack vector Sending test messages, observing response patterns
Affected components All channel integrations
Current mitigations None specific
Residual risk Low - limited value from discovery alone
Recommendations Consider response timing randomization

3.2 Initial access (AML.TA0004)

T-ACCESS-001: Pairing code interception

Attribute Value
ATLAS ID AML.T0040 - AI Model Inference API Access
Description Attacker intercepts a pairing code during the pairing window (1h DM/generic pairing, 5m node pairing)
Attack vector Shoulder surfing, network sniffing, social engineering
Affected components Device pairing system
Current mitigations 1h TTL (DM/generic pairing), 5m TTL (node pairing); codes sent via the existing channel
Residual risk Medium - pairing window exploitable
Recommendations Reduce pairing window, add a confirmation step

T-ACCESS-002: AllowFrom spoofing

Attribute Value
ATLAS ID AML.T0040 - AI Model Inference API Access
Description Attacker spoofs an allowed sender identity on a channel
Attack vector Channel-dependent - phone number spoofing, username impersonation
Affected components Per-channel AllowFrom validation
Current mitigations Channel-specific identity verification
Residual risk Medium - some channels remain vulnerable to spoofing
Recommendations Document channel-specific risks, add cryptographic verification where possible

T-ACCESS-003: Token theft

Attribute Value
ATLAS ID AML.T0040 - AI Model Inference API Access
Description Attacker steals authentication tokens from config/credential files
Attack vector Malware, unauthorized device access, config backup exposure
Affected components Channel/provider credential storage, config storage
Current mitigations File permissions
Residual risk High - tokens stored in plaintext on disk
Recommendations Implement token encryption at rest, add token rotation

3.3 Execution (AML.TA0005)

T-EXEC-001: Direct prompt injection

Attribute Value
ATLAS ID AML.T0051.000 - LLM Prompt Injection: Direct
Description Attacker sends crafted prompts to manipulate agent behavior
Attack vector Channel messages containing adversarial instructions
Affected components Agent LLM, all input surfaces
Current mitigations Pattern detection, external content wrapping; treated as out-of-scope for vulnerability reports absent a boundary bypass (see SECURITY.md)
Residual risk Critical - detection only, no blocking; sophisticated attacks bypass
Recommendations Output validation and user confirmation for sensitive actions, layered on top of existing detection

T-EXEC-002: Indirect prompt injection

Attribute Value
ATLAS ID AML.T0051.001 - LLM Prompt Injection: Indirect
Description Attacker embeds malicious instructions in fetched content
Attack vector Malicious URLs, poisoned emails, compromised webhooks
Affected components web_fetch, email ingestion, external data sources
Current mitigations Content wrapping with random-boundary XML-style markers, homoglyph/special-token normalization, and a security notice
Residual risk High - LLM may still ignore wrapper instructions
Recommendations Separate execution contexts for wrapped content

T-EXEC-003: Tool argument injection

Attribute Value
ATLAS ID AML.T0051.000 - LLM Prompt Injection: Direct
Description Attacker manipulates tool arguments through prompt injection
Attack vector Crafted prompts that influence tool parameter values
Affected components All tool invocations
Current mitigations Exec approvals for dangerous commands
Residual risk High - relies on user judgment
Recommendations Argument validation, parameterized tool calls

T-EXEC-004: Exec approval bypass

Attribute Value
ATLAS ID AML.T0043 - Craft Adversarial Data
Description Attacker crafts commands that bypass the approval allowlist
Attack vector Command obfuscation, alias exploitation, path manipulation
Affected components src/infra/exec-approvals*.ts, command allowlist
Current mitigations Allowlist + ask mode, plus command normalization (dispatch-wrapper unwrapping, inline-eval detection, shell-chain analysis)
Residual risk High - normalization narrows but does not eliminate obfuscation bypass; parity-only findings between exec paths are treated as hardening, not vulnerabilities (see SECURITY.md)
Recommendations Continue expanding command-normalization coverage against new obfuscation techniques

3.4 Persistence (AML.TA0006)

T-PERSIST-001: Malicious skill installation

Attribute Value
ATLAS ID AML.T0010.001 - Supply Chain Compromise: AI Software
Description Attacker publishes a malicious skill to ClawHub
Attack vector Create account, publish skill with hidden malicious code
Affected components ClawHub, skill loading, agent execution
Current mitigations GitHub account age verification, static pattern/AST-adjacent scanning, LLM-based agentic risk review, VirusTotal scanning
Residual risk High - detection layers exist but skills still run with agent privileges and no execution sandboxing
Recommendations Skill execution sandboxing, expanded community review

T-PERSIST-002: Skill update poisoning

Attribute Value
ATLAS ID AML.T0010.001 - Supply Chain Compromise: AI Software
Description Attacker compromises a popular skill and pushes a malicious update
Attack vector Account compromise, social engineering of skill owner
Affected components ClawHub versioning, auto-update flows
Current mitigations Version fingerprinting, moderation/scanning re-run on new versions
Residual risk High - auto-updates may pull malicious versions before review completes
Recommendations Update signing, rollback capability, version pinning

T-PERSIST-003: Agent configuration tampering

Attribute Value
ATLAS ID AML.T0010.002 - Supply Chain Compromise: Data
Description Attacker modifies agent configuration to persist access
Attack vector Config file modification, settings injection
Affected components Agent config, tool policies
Current mitigations File permissions
Residual risk Medium - requires local access
Recommendations Config integrity verification, audit logging for config changes

3.5 Defense evasion (AML.TA0007)

T-EVADE-001: Moderation pattern bypass

Attribute Value
ATLAS ID AML.T0043 - Craft Adversarial Data
Description Attacker crafts skill content to evade ClawHub moderation checks
Attack vector Unicode homoglyphs, encoding tricks, dynamic loading
Affected components ClawHub moderation/scanning pipeline
Current mitigations Static pattern rules, AST-adjacent code scanning, LLM agentic-risk review, VirusTotal
Residual risk Medium - novel obfuscation can still slip past layered heuristics
Recommendations Continue expanding the pattern/behavioral corpus as new evasions are found

T-EVADE-002: Content wrapper escape

Attribute Value
ATLAS ID AML.T0043 - Craft Adversarial Data
Description Attacker crafts content that escapes the external-content wrapper context
Attack vector Tag manipulation, context confusion, instruction override
Affected components External content wrapping
Current mitigations Random-boundary XML-style markers + security notice, plus homoglyph/whitespace-variant marker-spoof detection
Residual risk Medium - novel escapes discovered regularly
Recommendations Output-side validation in addition to input-side wrapping

3.6 Discovery (AML.TA0008)

T-DISC-001: Tool enumeration

Attribute Value
ATLAS ID AML.T0040 - AI Model Inference API Access
Description Attacker enumerates available tools through prompting
Attack vector "What tools do you have?" style queries
Affected components Agent tool registry
Current mitigations None specific
Residual risk Low - tools are generally documented
Recommendations Consider tool visibility controls

T-DISC-002: Session data extraction

Attribute Value
ATLAS ID AML.T0040 - AI Model Inference API Access
Description Attacker extracts sensitive data from session context
Attack vector "What did we discuss?" queries, context probing
Affected components Session transcripts, context window
Current mitigations Session isolation per sender (agent:channel:peer key)
Residual risk Medium - within-session data is accessible by design
Recommendations Sensitive-data redaction in context

3.7 Collection and exfiltration (AML.TA0009, AML.TA0010)

T-EXFIL-001: Data theft via web_fetch

Attribute Value
ATLAS ID AML.T0009 - Collection
Description Attacker exfiltrates data by instructing the agent to send it to an external URL
Attack vector Prompt injection causing the agent to POST data to an attacker server
Affected components web_fetch tool
Current mitigations SSRF blocking for internal/private networks (DNS pinning + IP blocking)
Residual risk High - arbitrary external URLs remain permitted
Recommendations URL allowlisting, data-classification awareness

T-EXFIL-002: Unauthorized message sending

Attribute Value
ATLAS ID AML.T0009 - Collection
Description Attacker causes the agent to send messages containing sensitive data
Attack vector Prompt injection causing the agent to message the attacker
Affected components Message tool, channel integrations
Current mitigations Outbound messaging gating
Residual risk Medium - gating may be bypassed
Recommendations Explicit confirmation for new recipients

T-EXFIL-003: Credential harvesting

Attribute Value
ATLAS ID AML.T0009 - Collection
Description Malicious skill harvests credentials from the agent context
Attack vector Skill code reads environment variables, config files
Affected components Skill execution environment
Current mitigations ClawHub credential-pattern scanning (hardcoded secrets, credential env access paired with network sends); no execution sandboxing for skills at runtime
Residual risk Critical - skills run with agent privileges
Recommendations Skill execution sandboxing, credential isolation

3.8 Impact (AML.TA0011)

T-IMPACT-001: Unauthorized command execution

Attribute Value
ATLAS ID AML.T0031 - Erode AI Model Integrity
Description Attacker executes arbitrary commands on the user system
Attack vector Prompt injection combined with exec approval bypass
Affected components Bash tool, command execution
Current mitigations Exec approvals, Docker sandbox option (default runtime backend)
Residual risk Critical - host execution possible when sandbox is disabled
Recommendations Improve approval UX; sandbox-off deployments remain a deliberate operator choice, documented as such

T-IMPACT-002: Resource exhaustion (DoS)

Attribute Value
ATLAS ID AML.T0031 - Erode AI Model Integrity
Description Attacker exhausts API credits or compute resources
Attack vector Automated message flooding, expensive tool calls
Affected components Gateway, agent sessions, API provider
Current mitigations None
Residual risk High - no per-sender rate limiting
Recommendations Per-sender rate limits, cost budgets

T-IMPACT-003: Reputation damage

Attribute Value
ATLAS ID AML.T0031 - Erode AI Model Integrity
Description Attacker causes the agent to send harmful/offensive content
Attack vector Prompt injection causing inappropriate responses
Affected components Output generation, channel messaging
Current mitigations LLM provider content policies
Residual risk Medium - provider filters are imperfect
Recommendations Output filtering layer, user controls

4. ClawHub supply chain analysis

4.1 Current security controls

Control Implementation Effectiveness
GitHub account age requireGitHubAccountAge() (14-day minimum) Medium - raises the bar for new attackers
Path sanitization sanitizePath() High - prevents path traversal
File type validation isTextFile() Medium - only text files scanned, but still exploitable
Size limits 50MB total bundle (MAX_PUBLISH_TOTAL_BYTES) High - prevents resource exhaustion
Required SKILL.md Mandatory readme on publish Low security value - informational only
Static + AST-adjacent scanning Pattern engine covering exec, exfiltration, credential-harvest, obfuscation, and more Medium-High - covers many known abuse patterns, still pattern-based
LLM-based agentic risk review Security-prompt-driven verdict on publish Medium-High - catches behavior static patterns miss
VirusTotal scanning Wired to skill and package-release publish/rescan flows, gated on operator API key High when enabled - static engine detection
Moderation status moderationStatus field Medium - manual review possible

4.2 Moderation limitations

ClawHub's static scanning inspects skill code content directly (not just slug/metadata/frontmatter), covering dangerous exec calls, dynamic code execution, credential harvesting, exfiltration patterns, obfuscated payloads, and more. Known gaps:

  • Pattern-based detection can still be bypassed by sufficiently novel obfuscation.
  • LLM-based review and VirusTotal scanning depend on operator-side API keys/config being enabled.
  • No runtime execution sandbox isolates a skill from the agent's own privileges once installed.

4.3 Badges

Skills and packages carry moderator-assigned badges: highlighted, official, deprecated, redactionApproved (skills only). Community reporting (skillReports) and audit logging (auditLogs) back moderation workflows.


5. Risk matrix

5.1 Likelihood vs impact

Threat ID Likelihood Impact Risk level Priority
T-EXEC-001 High Critical Critical P0
T-PERSIST-001 High Critical Critical P0
T-EXFIL-003 Medium Critical Critical P0
T-IMPACT-001 Medium Critical High P1
T-EXEC-002 High High High P1
T-EXEC-004 Medium High High P1
T-ACCESS-003 Medium High High P1
T-EXFIL-001 Medium High High P1
T-IMPACT-002 High Medium High P1
T-EVADE-001 High Medium Medium P2
T-ACCESS-001 Low High Medium P2
T-ACCESS-002 Low High Medium P2
T-PERSIST-002 Low High Medium P2

5.2 Critical path attack chains

Chain 1: Skill-based data theft

T-PERSIST-001 → T-EVADE-001 → T-EXFIL-003
(Publish malicious skill) → (Evade moderation) → (Harvest credentials)

Chain 2: Prompt injection to RCE

T-EXEC-001 → T-EXEC-004 → T-IMPACT-001
(Inject prompt) → (Bypass exec approval) → (Execute commands)

Chain 3: Indirect injection via fetched content

T-EXEC-002 → T-EXFIL-001 → External exfiltration
(Poison URL content) → (Agent fetches & follows instructions) → (Data sent to attacker)

6. Recommendations summary

6.1 Immediate (P0)

ID Recommendation Addresses
R-002 Implement skill execution sandboxing T-PERSIST-001, T-EXFIL-003
R-003 Add output validation for sensitive actions T-EXEC-001, T-EXEC-002

6.2 Short-term (P1)

ID Recommendation Addresses
R-004 Implement per-sender rate limiting T-IMPACT-002
R-005 Add token encryption at rest T-ACCESS-003
R-006 Improve exec approval UX and continue expanding command normalization T-EXEC-004
R-007 Implement URL allowlisting for web_fetch T-EXFIL-001

6.3 Medium-term (P2)

ID Recommendation Addresses
R-008 Add cryptographic channel verification where possible T-ACCESS-002
R-009 Implement config integrity verification T-PERSIST-003
R-010 Add update signing and version pinning T-PERSIST-002

7. Appendices

7.1 ATLAS technique mapping

ATLAS ID Technique name OpenClaw threats
AML.T0006 Active Scanning T-RECON-001, T-RECON-002
AML.T0009 Collection T-EXFIL-001, T-EXFIL-002, T-EXFIL-003
AML.T0010.001 Supply Chain: AI Software T-PERSIST-001, T-PERSIST-002
AML.T0010.002 Supply Chain: Data T-PERSIST-003
AML.T0031 Erode AI Model Integrity T-IMPACT-001, T-IMPACT-002, T-IMPACT-003
AML.T0040 AI Model Inference API Access T-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002
AML.T0043 Craft Adversarial Data T-EXEC-004, T-EVADE-001, T-EVADE-002
AML.T0051.000 LLM Prompt Injection: Direct T-EXEC-001, T-EXEC-003
AML.T0051.001 LLM Prompt Injection: Indirect T-EXEC-002

7.2 Key security files

Path Purpose Risk level
src/infra/exec-approvals.ts Command approval logic Critical
src/gateway/auth.ts Gateway authentication Critical
src/infra/net/ssrf.ts SSRF protection Critical
src/security/external-content.ts Prompt injection mitigation Critical
src/agents/sandbox/tool-policy.ts Sandbox tool allow/deny policy Critical
src/routing/resolve-route.ts Session isolation / routing Medium

7.3 Glossary

Term Definition
ATLAS MITRE's Adversarial Threat Landscape for AI Systems
ClawHub OpenClaw's skill marketplace
Gateway OpenClaw's message routing and authentication layer
MCP Model Context Protocol - tool provider interface
Prompt injection Attack where malicious instructions are embedded in input
Skill Downloadable extension for OpenClaw agents
SSRF Server-Side Request Forgery

This threat model is a living document. Report security issues to security@openclaw.ai or see the Trust page.