summary, title, read_when
summary
title
read_when
OpenClaw threat model mapped to the MITRE ATLAS framework
Threat model (MITRE ATLAS)
Reviewing security posture or threat scenarios
Working on security features or audit responses
Version: 1.0-draft | Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems) + data flow diagrams
This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace. It is a living document maintained by the OpenClaw community. See Contributing to the threat model for how to report new threats, propose attack chains, or suggest mitigations.
Key ATLAS resources: Techniques | Tactics | Case studies | ATLAS GitHub | Contributing to ATLAS
1. Scope
Component
Included
Notes
OpenClaw agent runtime
Yes
Core agent execution, tool calls, sessions
Gateway
Yes
Authentication, routing, channel integration
Channel integrations
Yes
WhatsApp, Telegram, Discord, Signal, Slack, etc.
ClawHub marketplace
Yes
Skill publishing, moderation, distribution
MCP servers
Yes
External tool providers
User devices
Partial
Mobile apps, desktop clients
Out-of-scope reports and false-positive patterns (public internet exposure, prompt-injection-only chains without a boundary bypass, mutually untrusted operators sharing one gateway host, and others) are enumerated in SECURITY.md ; that file is the current source of truth for vulnerability-report scope, not this page.
2. System architecture
2.1 Trust boundaries
2.2 Data flows
Flow
Source
Destination
Data
Protection
F1
Channel
Gateway
User messages
TLS, AllowFrom
F2
Gateway
Agent
Routed messages
Session isolation
F3
Agent
Tools
Tool invocations
Policy enforcement
F4
Agent
External
web_fetch requests
SSRF blocking
F5
ClawHub
Agent
Skill code
Moderation, scanning
F6
Agent
Channel
Responses
Output filtering
3. Threat analysis by ATLAS tactic
3.1 Reconnaissance (AML.TA0002)
T-RECON-001: Agent endpoint discovery
Attribute
Value
ATLAS ID
AML.T0006 - Active Scanning
Description
Attacker scans for exposed OpenClaw gateway endpoints
Attack vector
Network scanning, Shodan queries, DNS enumeration
Affected components
Gateway, exposed API endpoints
Current mitigations
Tailscale auth option, bind to loopback by default
Residual risk
Medium - public gateways discoverable
Recommendations
Document secure deployment, add rate limiting on discovery endpoints
T-RECON-002: Channel integration probing
Attribute
Value
ATLAS ID
AML.T0006 - Active Scanning
Description
Attacker probes messaging channels to identify AI-managed accounts
Attack vector
Sending test messages, observing response patterns
Affected components
All channel integrations
Current mitigations
None specific
Residual risk
Low - limited value from discovery alone
Recommendations
Consider response timing randomization
3.2 Initial access (AML.TA0004)
T-ACCESS-001: Pairing code interception
Attribute
Value
ATLAS ID
AML.T0040 - AI Model Inference API Access
Description
Attacker intercepts a pairing code during the pairing window (1h DM/generic pairing, 5m node pairing)
Attack vector
Shoulder surfing, network sniffing, social engineering
Affected components
Device pairing system
Current mitigations
1h TTL (DM/generic pairing), 5m TTL (node pairing); codes sent via the existing channel
Residual risk
Medium - pairing window exploitable
Recommendations
Reduce pairing window, add a confirmation step
T-ACCESS-002: AllowFrom spoofing
Attribute
Value
ATLAS ID
AML.T0040 - AI Model Inference API Access
Description
Attacker spoofs an allowed sender identity on a channel
Attack vector
Channel-dependent - phone number spoofing, username impersonation
Affected components
Per-channel AllowFrom validation
Current mitigations
Channel-specific identity verification
Residual risk
Medium - some channels remain vulnerable to spoofing
Recommendations
Document channel-specific risks, add cryptographic verification where possible
T-ACCESS-003: Token theft
Attribute
Value
ATLAS ID
AML.T0040 - AI Model Inference API Access
Description
Attacker steals authentication tokens from config/credential files
Attack vector
Malware, unauthorized device access, config backup exposure
Affected components
Channel/provider credential storage, config storage
Current mitigations
File permissions
Residual risk
High - tokens stored in plaintext on disk
Recommendations
Implement token encryption at rest, add token rotation
3.3 Execution (AML.TA0005)
T-EXEC-001: Direct prompt injection
Attribute
Value
ATLAS ID
AML.T0051.000 - LLM Prompt Injection: Direct
Description
Attacker sends crafted prompts to manipulate agent behavior
Attack vector
Channel messages containing adversarial instructions
Affected components
Agent LLM, all input surfaces
Current mitigations
Pattern detection, external content wrapping; treated as out-of-scope for vulnerability reports absent a boundary bypass (see SECURITY.md)
Residual risk
Critical - detection only, no blocking; sophisticated attacks bypass
Recommendations
Output validation and user confirmation for sensitive actions, layered on top of existing detection
T-EXEC-002: Indirect prompt injection
Attribute
Value
ATLAS ID
AML.T0051.001 - LLM Prompt Injection: Indirect
Description
Attacker embeds malicious instructions in fetched content
Attack vector
Malicious URLs, poisoned emails, compromised webhooks
Affected components
web_fetch, email ingestion, external data sources
Current mitigations
Content wrapping with random-boundary XML-style markers, homoglyph/special-token normalization, and a security notice
Residual risk
High - LLM may still ignore wrapper instructions
Recommendations
Separate execution contexts for wrapped content
T-EXEC-003: Tool argument injection
Attribute
Value
ATLAS ID
AML.T0051.000 - LLM Prompt Injection: Direct
Description
Attacker manipulates tool arguments through prompt injection
Attack vector
Crafted prompts that influence tool parameter values
Affected components
All tool invocations
Current mitigations
Exec approvals for dangerous commands
Residual risk
High - relies on user judgment
Recommendations
Argument validation, parameterized tool calls
T-EXEC-004: Exec approval bypass
Attribute
Value
ATLAS ID
AML.T0043 - Craft Adversarial Data
Description
Attacker crafts commands that bypass the approval allowlist
Attack vector
Command obfuscation, alias exploitation, path manipulation
Affected components
src/infra/exec-approvals*.ts, command allowlist
Current mitigations
Allowlist + ask mode, plus command normalization (dispatch-wrapper unwrapping, inline-eval detection, shell-chain analysis)
Residual risk
High - normalization narrows but does not eliminate obfuscation bypass; parity-only findings between exec paths are treated as hardening, not vulnerabilities (see SECURITY.md)
Recommendations
Continue expanding command-normalization coverage against new obfuscation techniques
3.4 Persistence (AML.TA0006)
T-PERSIST-001: Malicious skill installation
Attribute
Value
ATLAS ID
AML.T0010.001 - Supply Chain Compromise: AI Software
Description
Attacker publishes a malicious skill to ClawHub
Attack vector
Create account, publish skill with hidden malicious code
Affected components
ClawHub, skill loading, agent execution
Current mitigations
GitHub account age verification, static pattern/AST-adjacent scanning, LLM-based agentic risk review, VirusTotal scanning
Residual risk
High - detection layers exist but skills still run with agent privileges and no execution sandboxing
Recommendations
Skill execution sandboxing, expanded community review
T-PERSIST-002: Skill update poisoning
Attribute
Value
ATLAS ID
AML.T0010.001 - Supply Chain Compromise: AI Software
Description
Attacker compromises a popular skill and pushes a malicious update
Attack vector
Account compromise, social engineering of skill owner
Affected components
ClawHub versioning, auto-update flows
Current mitigations
Version fingerprinting, moderation/scanning re-run on new versions
Residual risk
High - auto-updates may pull malicious versions before review completes
Recommendations
Update signing, rollback capability, version pinning
T-PERSIST-003: Agent configuration tampering
Attribute
Value
ATLAS ID
AML.T0010.002 - Supply Chain Compromise: Data
Description
Attacker modifies agent configuration to persist access
Attack vector
Config file modification, settings injection
Affected components
Agent config, tool policies
Current mitigations
File permissions
Residual risk
Medium - requires local access
Recommendations
Config integrity verification, audit logging for config changes
3.5 Defense evasion (AML.TA0007)
T-EVADE-001: Moderation pattern bypass
Attribute
Value
ATLAS ID
AML.T0043 - Craft Adversarial Data
Description
Attacker crafts skill content to evade ClawHub moderation checks
Attack vector
Unicode homoglyphs, encoding tricks, dynamic loading
Affected components
ClawHub moderation/scanning pipeline
Current mitigations
Static pattern rules, AST-adjacent code scanning, LLM agentic-risk review, VirusTotal
Residual risk
Medium - novel obfuscation can still slip past layered heuristics
Recommendations
Continue expanding the pattern/behavioral corpus as new evasions are found
T-EVADE-002: Content wrapper escape
Attribute
Value
ATLAS ID
AML.T0043 - Craft Adversarial Data
Description
Attacker crafts content that escapes the external-content wrapper context
Attack vector
Tag manipulation, context confusion, instruction override
Affected components
External content wrapping
Current mitigations
Random-boundary XML-style markers + security notice, plus homoglyph/whitespace-variant marker-spoof detection
Residual risk
Medium - novel escapes discovered regularly
Recommendations
Output-side validation in addition to input-side wrapping
3.6 Discovery (AML.TA0008)
T-DISC-001: Tool enumeration
Attribute
Value
ATLAS ID
AML.T0040 - AI Model Inference API Access
Description
Attacker enumerates available tools through prompting
Attack vector
"What tools do you have?" style queries
Affected components
Agent tool registry
Current mitigations
None specific
Residual risk
Low - tools are generally documented
Recommendations
Consider tool visibility controls
Attribute
Value
ATLAS ID
AML.T0040 - AI Model Inference API Access
Description
Attacker extracts sensitive data from session context
Attack vector
"What did we discuss?" queries, context probing
Affected components
Session transcripts, context window
Current mitigations
Session isolation per sender (agent:channel:peer key)
Residual risk
Medium - within-session data is accessible by design
Recommendations
Sensitive-data redaction in context
3.7 Collection and exfiltration (AML.TA0009, AML.TA0010)
T-EXFIL-001: Data theft via web_fetch
Attribute
Value
ATLAS ID
AML.T0009 - Collection
Description
Attacker exfiltrates data by instructing the agent to send it to an external URL
Attack vector
Prompt injection causing the agent to POST data to an attacker server
Affected components
web_fetch tool
Current mitigations
SSRF blocking for internal/private networks (DNS pinning + IP blocking)
Residual risk
High - arbitrary external URLs remain permitted
Recommendations
URL allowlisting, data-classification awareness
T-EXFIL-002: Unauthorized message sending
Attribute
Value
ATLAS ID
AML.T0009 - Collection
Description
Attacker causes the agent to send messages containing sensitive data
Attack vector
Prompt injection causing the agent to message the attacker
Affected components
Message tool, channel integrations
Current mitigations
Outbound messaging gating
Residual risk
Medium - gating may be bypassed
Recommendations
Explicit confirmation for new recipients
T-EXFIL-003: Credential harvesting
Attribute
Value
ATLAS ID
AML.T0009 - Collection
Description
Malicious skill harvests credentials from the agent context
Attack vector
Skill code reads environment variables, config files
Affected components
Skill execution environment
Current mitigations
ClawHub credential-pattern scanning (hardcoded secrets, credential env access paired with network sends); no execution sandboxing for skills at runtime
Residual risk
Critical - skills run with agent privileges
Recommendations
Skill execution sandboxing, credential isolation
3.8 Impact (AML.TA0011)
T-IMPACT-001: Unauthorized command execution
Attribute
Value
ATLAS ID
AML.T0031 - Erode AI Model Integrity
Description
Attacker executes arbitrary commands on the user system
Attack vector
Prompt injection combined with exec approval bypass
Affected components
Bash tool, command execution
Current mitigations
Exec approvals, Docker sandbox option (default runtime backend)
Residual risk
Critical - host execution possible when sandbox is disabled
Recommendations
Improve approval UX; sandbox-off deployments remain a deliberate operator choice, documented as such
T-IMPACT-002: Resource exhaustion (DoS)
Attribute
Value
ATLAS ID
AML.T0031 - Erode AI Model Integrity
Description
Attacker exhausts API credits or compute resources
Attack vector
Automated message flooding, expensive tool calls
Affected components
Gateway, agent sessions, API provider
Current mitigations
None
Residual risk
High - no per-sender rate limiting
Recommendations
Per-sender rate limits, cost budgets
T-IMPACT-003: Reputation damage
Attribute
Value
ATLAS ID
AML.T0031 - Erode AI Model Integrity
Description
Attacker causes the agent to send harmful/offensive content
Attack vector
Prompt injection causing inappropriate responses
Affected components
Output generation, channel messaging
Current mitigations
LLM provider content policies
Residual risk
Medium - provider filters are imperfect
Recommendations
Output filtering layer, user controls
4. ClawHub supply chain analysis
4.1 Current security controls
Control
Implementation
Effectiveness
GitHub account age
requireGitHubAccountAge() (14-day minimum)
Medium - raises the bar for new attackers
Path sanitization
sanitizePath()
High - prevents path traversal
File type validation
isTextFile()
Medium - only text files scanned, but still exploitable
Size limits
50MB total bundle (MAX_PUBLISH_TOTAL_BYTES)
High - prevents resource exhaustion
Required SKILL.md
Mandatory readme on publish
Low security value - informational only
Static + AST-adjacent scanning
Pattern engine covering exec, exfiltration, credential-harvest, obfuscation, and more
Medium-High - covers many known abuse patterns, still pattern-based
LLM-based agentic risk review
Security-prompt-driven verdict on publish
Medium-High - catches behavior static patterns miss
VirusTotal scanning
Wired to skill and package-release publish/rescan flows, gated on operator API key
High when enabled - static engine detection
Moderation status
moderationStatus field
Medium - manual review possible
4.2 Moderation limitations
ClawHub's static scanning inspects skill code content directly (not just slug/metadata/frontmatter), covering dangerous exec calls, dynamic code execution, credential harvesting, exfiltration patterns, obfuscated payloads, and more. Known gaps:
Pattern-based detection can still be bypassed by sufficiently novel obfuscation.
LLM-based review and VirusTotal scanning depend on operator-side API keys/config being enabled.
No runtime execution sandbox isolates a skill from the agent's own privileges once installed.
4.3 Badges
Skills and packages carry moderator-assigned badges: highlighted, official, deprecated, redactionApproved (skills only). Community reporting (skillReports) and audit logging (auditLogs) back moderation workflows.
5. Risk matrix
5.1 Likelihood vs impact
Threat ID
Likelihood
Impact
Risk level
Priority
T-EXEC-001
High
Critical
Critical
P0
T-PERSIST-001
High
Critical
Critical
P0
T-EXFIL-003
Medium
Critical
Critical
P0
T-IMPACT-001
Medium
Critical
High
P1
T-EXEC-002
High
High
High
P1
T-EXEC-004
Medium
High
High
P1
T-ACCESS-003
Medium
High
High
P1
T-EXFIL-001
Medium
High
High
P1
T-IMPACT-002
High
Medium
High
P1
T-EVADE-001
High
Medium
Medium
P2
T-ACCESS-001
Low
High
Medium
P2
T-ACCESS-002
Low
High
Medium
P2
T-PERSIST-002
Low
High
Medium
P2
5.2 Critical path attack chains
Chain 1: Skill-based data theft
Chain 2: Prompt injection to RCE
Chain 3: Indirect injection via fetched content
6. Recommendations summary
6.1 Immediate (P0)
ID
Recommendation
Addresses
R-002
Implement skill execution sandboxing
T-PERSIST-001, T-EXFIL-003
R-003
Add output validation for sensitive actions
T-EXEC-001, T-EXEC-002
6.2 Short-term (P1)
ID
Recommendation
Addresses
R-004
Implement per-sender rate limiting
T-IMPACT-002
R-005
Add token encryption at rest
T-ACCESS-003
R-006
Improve exec approval UX and continue expanding command normalization
T-EXEC-004
R-007
Implement URL allowlisting for web_fetch
T-EXFIL-001
6.3 Medium-term (P2)
ID
Recommendation
Addresses
R-008
Add cryptographic channel verification where possible
T-ACCESS-002
R-009
Implement config integrity verification
T-PERSIST-003
R-010
Add update signing and version pinning
T-PERSIST-002
7. Appendices
7.1 ATLAS technique mapping
ATLAS ID
Technique name
OpenClaw threats
AML.T0006
Active Scanning
T-RECON-001, T-RECON-002
AML.T0009
Collection
T-EXFIL-001, T-EXFIL-002, T-EXFIL-003
AML.T0010.001
Supply Chain: AI Software
T-PERSIST-001, T-PERSIST-002
AML.T0010.002
Supply Chain: Data
T-PERSIST-003
AML.T0031
Erode AI Model Integrity
T-IMPACT-001, T-IMPACT-002, T-IMPACT-003
AML.T0040
AI Model Inference API Access
T-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002
AML.T0043
Craft Adversarial Data
T-EXEC-004, T-EVADE-001, T-EVADE-002
AML.T0051.000
LLM Prompt Injection: Direct
T-EXEC-001, T-EXEC-003
AML.T0051.001
LLM Prompt Injection: Indirect
T-EXEC-002
7.2 Key security files
Path
Purpose
Risk level
src/infra/exec-approvals.ts
Command approval logic
Critical
src/gateway/auth.ts
Gateway authentication
Critical
src/infra/net/ssrf.ts
SSRF protection
Critical
src/security/external-content.ts
Prompt injection mitigation
Critical
src/agents/sandbox/tool-policy.ts
Sandbox tool allow/deny policy
Critical
src/routing/resolve-route.ts
Session isolation / routing
Medium
7.3 Glossary
Term
Definition
ATLAS
MITRE's Adversarial Threat Landscape for AI Systems
ClawHub
OpenClaw's skill marketplace
Gateway
OpenClaw's message routing and authentication layer
MCP
Model Context Protocol - tool provider interface
Prompt injection
Attack where malicious instructions are embedded in input
Skill
Downloadable extension for OpenClaw agents
SSRF
Server-Side Request Forgery
This threat model is a living document. Report security issues to security@openclaw.ai or see the Trust page .
Related