1. Scope
Out-of-scope reports and false-positive patterns (public internet exposure, prompt-injection-only chains without a boundary bypass, mutually untrusted operators sharing one gateway host, and others) are enumerated in
SECURITY.md; that file is the current source of truth for vulnerability-report scope, not this page.
2. System architecture
2.1 Trust boundaries
2.2 Data flows
3. Threat analysis by ATLAS tactic
3.1 Reconnaissance (AML.TA0002)
T-RECON-001: Agent endpoint discovery
T-RECON-002: Channel integration probing
3.2 Initial access (AML.TA0004)
T-ACCESS-001: Pairing code interception
T-ACCESS-002: AllowFrom spoofing
T-ACCESS-003: Token theft
3.3 Execution (AML.TA0005)
T-EXEC-001: Direct prompt injection
T-EXEC-002: Indirect prompt injection
T-EXEC-003: Tool argument injection
T-EXEC-004: Exec approval bypass
3.4 Persistence (AML.TA0006)
T-PERSIST-001: Malicious skill installation
T-PERSIST-002: Skill update poisoning
T-PERSIST-003: Agent configuration tampering
3.5 Defense evasion (AML.TA0007)
T-EVADE-001: Moderation pattern bypass
T-EVADE-002: Content wrapper escape
3.6 Discovery (AML.TA0008)
T-DISC-001: Tool enumeration
T-DISC-002: Session data extraction
3.7 Collection and exfiltration (AML.TA0009, AML.TA0010)
T-EXFIL-001: Data theft via web_fetch
T-EXFIL-002: Unauthorized message sending
T-EXFIL-003: Credential harvesting
3.8 Impact (AML.TA0011)
T-IMPACT-001: Unauthorized command execution
T-IMPACT-002: Resource exhaustion (DoS)
T-IMPACT-003: Reputation damage
4. ClawHub supply chain analysis
4.1 Current security controls
4.2 Moderation limitations
ClawHub’s static scanning inspects skill code content directly (not just slug/metadata/frontmatter), covering dangerous exec calls, dynamic code execution, credential harvesting, exfiltration patterns, obfuscated payloads, and more. Known gaps:- Pattern-based detection can still be bypassed by sufficiently novel obfuscation.
- LLM-based review and VirusTotal scanning depend on operator-side API keys/config being enabled.
- No runtime execution sandbox isolates a skill from the agent’s own privileges once installed.
4.3 Badges
Skills and packages carry moderator-assigned badges:highlighted, official, deprecated, redactionApproved (skills only). Community reporting (skillReports) and audit logging (auditLogs) back moderation workflows.
5. Risk matrix
5.1 Likelihood vs impact
5.2 Critical path attack chains
Chain 1: Skill-based data theft6. Recommendations summary
6.1 Immediate (P0)
6.2 Short-term (P1)
6.3 Medium-term (P2)
7. Appendices
7.1 ATLAS technique mapping
7.2 Key security files
7.3 Glossary
This threat model is a living document. Report security issues to
security@openclaw.ai or see the Trust page.