Skip to main content
Version: 1.0-draft | Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems) + data flow diagrams This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace. It is a living document maintained by the OpenClaw community. See Contributing to the threat model for how to report new threats, propose attack chains, or suggest mitigations. Key ATLAS resources: Techniques | Tactics | Case studies | ATLAS GitHub | Contributing to ATLAS

1. Scope

Out-of-scope reports and false-positive patterns (public internet exposure, prompt-injection-only chains without a boundary bypass, mutually untrusted operators sharing one gateway host, and others) are enumerated in SECURITY.md; that file is the current source of truth for vulnerability-report scope, not this page.

2. System architecture

2.1 Trust boundaries

2.2 Data flows


3. Threat analysis by ATLAS tactic

3.1 Reconnaissance (AML.TA0002)

T-RECON-001: Agent endpoint discovery

T-RECON-002: Channel integration probing


3.2 Initial access (AML.TA0004)

T-ACCESS-001: Pairing code interception

T-ACCESS-002: AllowFrom spoofing

T-ACCESS-003: Token theft


3.3 Execution (AML.TA0005)

T-EXEC-001: Direct prompt injection

T-EXEC-002: Indirect prompt injection

T-EXEC-003: Tool argument injection

T-EXEC-004: Exec approval bypass


3.4 Persistence (AML.TA0006)

T-PERSIST-001: Malicious skill installation

T-PERSIST-002: Skill update poisoning

T-PERSIST-003: Agent configuration tampering


3.5 Defense evasion (AML.TA0007)

T-EVADE-001: Moderation pattern bypass

T-EVADE-002: Content wrapper escape


3.6 Discovery (AML.TA0008)

T-DISC-001: Tool enumeration

T-DISC-002: Session data extraction


3.7 Collection and exfiltration (AML.TA0009, AML.TA0010)

T-EXFIL-001: Data theft via web_fetch

T-EXFIL-002: Unauthorized message sending

T-EXFIL-003: Credential harvesting


3.8 Impact (AML.TA0011)

T-IMPACT-001: Unauthorized command execution

T-IMPACT-002: Resource exhaustion (DoS)

T-IMPACT-003: Reputation damage


4. ClawHub supply chain analysis

4.1 Current security controls

4.2 Moderation limitations

ClawHub’s static scanning inspects skill code content directly (not just slug/metadata/frontmatter), covering dangerous exec calls, dynamic code execution, credential harvesting, exfiltration patterns, obfuscated payloads, and more. Known gaps:
  • Pattern-based detection can still be bypassed by sufficiently novel obfuscation.
  • LLM-based review and VirusTotal scanning depend on operator-side API keys/config being enabled.
  • No runtime execution sandbox isolates a skill from the agent’s own privileges once installed.

4.3 Badges

Skills and packages carry moderator-assigned badges: highlighted, official, deprecated, redactionApproved (skills only). Community reporting (skillReports) and audit logging (auditLogs) back moderation workflows.

5. Risk matrix

5.1 Likelihood vs impact

5.2 Critical path attack chains

Chain 1: Skill-based data theft
Chain 2: Prompt injection to RCE
Chain 3: Indirect injection via fetched content

6. Recommendations summary

6.1 Immediate (P0)

6.2 Short-term (P1)

6.3 Medium-term (P2)


7. Appendices

7.1 ATLAS technique mapping

7.2 Key security files

7.3 Glossary


This threat model is a living document. Report security issues to security@openclaw.ai or see the Trust page.