This is for adding to the threat model, not reporting live vulnerabilities. If you found an exploitable vulnerability, follow the responsible-disclosure instructions on the Trust page instead.
Ways to contribute
Add a threat. Open an issue on openclaw/trust describing the attack scenario in your own words. Helpful but not required:- The attack scenario and how it could be exploited.
- Which components are affected (CLI, gateway, channels, ClawHub, MCP servers, etc.).
- Your estimate of severity (low / medium / high / critical).
- Links to related research, CVEs, or real-world examples.
Framework reference
Threats are mapped to MITRE ATLAS (Adversarial Threat Landscape for AI Systems), a framework for AI/ML-specific threats like prompt injection, tool misuse, and agent exploitation. You do not need to know ATLAS to contribute; maintainers map submissions during review. Threat IDs. Each threat gets an ID likeT-EXEC-003, assigned by maintainers during review.
Risk levels. If you are unsure about the level, just describe the impact; maintainers assess it.
Review process
- Triage - new submissions are reviewed within 48 hours.
- Assessment - maintainers verify feasibility, assign ATLAS mapping and threat ID, validate risk level.
- Documentation - formatting and completeness pass.
- Merge - added to the threat model and visualization.
Resources
Contact
- Security vulnerabilities: Trust page for reporting instructions, or
security@openclaw.ai. - Threat model questions: open an issue on openclaw/trust.
- General chat: Discord
#securitychannel.