A Security Analysis of the OpenClaw AI Agent Framework

TL;DR

This paper systematically analyzes security vulnerabilities in the OpenClaw AI agent framework, revealing critical flaws that enable remote code execution and bypass of runtime policies, highlighting the need for better cross-layer security enforcement.

Contribution

It provides a comprehensive taxonomy of 470 advisories, identifies key security weaknesses, and demonstrates real-world exploits within the OpenClaw framework.

Findings

Three advisories enable unauthenticated remote code execution.

The exec allowlist relies on invalid assumptions due to shell complexities.

Malicious skills can bypass runtime policies via plugin channels.

Abstract

AI agent frameworks connecting large language model (LLM) reasoning to host execution surfaces -- shell, filesystem, containers, and messaging -- introduce security challenges structurally distinct from conventional software. We present a systematic taxonomy of 470 advisories filed against OpenClaw, an open-source AI agent runtime, organized by architectural layer and trust-violation type. Vulnerabilities cluster along two orthogonal axes: (1) the system axis, reflecting the architectural layer (exec policy, gateway, channel, sandbox, browser, plugin, agent/prompt); and (2) the attack axis, reflecting adversarial techniques (identity spoofing, policy bypass, cross-layer composition, prompt injection, supply-chain escalation). Patch-differential evidence yields three principal findings. First, three Moderate- or High-severity advisories in the Gateway and Node-Host subsystems compose into a complete unauthenticated remote code execution (RCE) path -- spanning delivery, exploitation, and command-and-control -- from an LLM tool call to the host process. Second, the exec allowlist, the primary command-filtering mechanism, relies on a closed-world assumption that command identity is recoverable via lexical parsing. This is invalidated by shell line continuation, busybox multiplexing, and GNU option abbreviation. Third, a malicious skill distributed via the plugin channel executed a two-stage dropper within the LLM context, bypassing the exec pipeline and demonstrating that the skill distribution surface lacks runtime policy enforcement. The dominant structural weakness is per-layer trust enforcement rather than unified policy boundaries, making cross-layer attacks resilient to local remediation.