Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw

TL;DR

This paper analyzes security vulnerabilities in the OpenClaw AI agent framework and proposes a human-in-the-loop defense mechanism that significantly enhances security against malicious attacks.

Contribution

It provides a systematic security evaluation of OpenClaw and introduces a novel HITL defense layer to improve its resilience against adversarial threats.

Findings

OpenClaw has significant security vulnerabilities with only 17% defense rate.

The HITL layer intercepts up to 8 severe attacks bypassing native defenses.

Combined approach improves overall defense rate to 19%-92%.

Abstract

Code agents powered by large language models can execute shell commands on behalf of users, introducing severe security vulnerabilities. This paper presents a two-phase security analysis of the OpenClaw platform. As an open-source AI agent framework that operates locally, OpenClaw can be integrated with various commercial large language models. Because its native architecture lacks built-in security constraints, it serves as an ideal subject for evaluating baseline agent vulnerabilities. First, we systematically evaluate OpenClaw's native resilience against malicious instructions. By testing 47 adversarial scenarios across six major attack categories derived from the MITRE ATLAS and ATT\&CK frameworks, we have demonstrated that OpenClaw exhibits significant inherent security issues. It primarily relies on the security capabilities of the backend LLM and is highly susceptible to sandbox escape attacks, with an average defense rate of only 17\%. To mitigate these critical security gaps, we propose and implement a novel Human-in-the-Loop (HITL) defense layer. We utilize a dual-mode testing framework to evaluate the system with and without our proposed intervention. Our findings show that the introduced HITL layer significantly hardens the system, successfully intercepting up to 8 severe attacks that completely bypassed OpenClaw's native defenses. By combining native capabilities with our HITL approach, the overall defense rate improves to a range of 19\% to 92\%. Our study not only exposes the intrinsic limitations of current code agents but also demonstrates the effectiveness of human-agent collaborative defense strategies.