Executive Summary

The rapid adoption of OpenClaw, a popular open-source autonomous AI agent framework, reflects a broader shift toward AI-driven assistants. However, the widespread integration of this framework has historically introduced critical security risks that may lead to unauthorized actions, data exposure, and system compromise.

This report is compiled to review the representative security issues that emerged throughout the development and rapid adoption of OpenClaw, and to distill actionable security insights for the AI agent industry. Its core mission is to provide security design references for developers building similar agent systems, and to deliver clear risk awareness and mitigation guidance for end users, via actionable security recommendations from both development and deployment perspectives.

We present a comprehensive security analysis of OpenClaw's architecture and core components, encompassing ingress categories, internal modules, supply chain inputs, and external dependencies. By diving deep into the detailed workflows, the assessment identifies inherent security weaknesses and the attack surface. It evaluates the specific risks associated with each major component by analyzing representative vulnerabilities, common attack techniques, and underlying threat patterns.

This report is based on data and analysis available before March 18, 2026. Given the extremely rapid evolution of OpenClaw-style agent systems, their architectures, attack methods, and vulnerabilities are constantly shifting and have not yet reached a stable phase. Readers are advised to follow our subsequent analysis updates for the latest information.

Key Takeaways:

1. OpenClaw's explosive growth from side projects to 300,000+ GitHub stars created massive security debt. Originally assuming a trusted local environment, its security model was rapidly outpaced by real-world deployment complexity, accumulating 280+ GitHub Security Advisories and 100+ CVEs between November 2025 and March 2026.
2. Historical analysis shows that the Gateway treated local network access as proof of identity, bypassing authentication checks that should have been required. Localhost origin, URL parameters, and OS app boundaries were each exploited to gain full orchestration authority - shell execution, filesystem access, browser automation, and multi-device control - making the blast radius effectively unbounded for most self-hosted deployments.

3. Identity binding across 20+ messaging platforms proved structurally fragile, historically producing more than 60 allowlist bypass issues. Mutable attributes used for authorization, privilege-level conflation across interaction modes, and absent webhook verification created recurring bypass paths that granted attackers access to the full execution pipeline.

4. Disclosed vulnerabilities repeatedly revealed divergence between policy validation and actual execution. Flag abbreviations bypassed exact-match deny lists, approved commands were not bound to file paths, and sandbox restrictions failed to propagate to child sessions or secondary endpoints - showing that enforcement must validate the final resolved form across all code paths.

5. Local credentials, session histories, and stored agent memory were exposed through multiple disclosed vulnerabilities related to inconsistent boundary checks across modules. Path traversal and sandbox gaps appeared independently across multiple modules because each implemented its own validation logic rather than sharing a common boundary enforcement mechanism.

6. The extension ecosystem became a primary supply chain attack vector at scale. Hundreds of malicious skills were found on ClawHub, alongside fake installers and lookalike npm packages. Unlike conventional supply chain attacks, agent skills can influence behavior through natural language, making them resistant to traditional scanning.
7. Deployment misconfiguration posed risks equal to or greater than code-level bugs, with 135,000+ internet-exposed instances found across 82 countries. Disabled sandboxes, overly broad tool policies, and shared gateways across trust boundaries require no buggy code to exploit - a correctly functioning but carelessly deployed agent is indistinguishable from a compromised machine.

8. Prompt injection poses a persistent, long-term threat that is hard to fully resolve, with techniques spanning indirect injection, marker spoofing, state poisoning, and agent-to-agent exploitation. This cannot be addressed at the model level alone and requires layered system-level defenses, strict capability controls, and protection of persistent memory as an attack surface.

9. For developers, security in OpenClaw-style agent systems must be a first-class design concern from day one - not a retrofit after growth. This means establishing formal threat models before building, hardening the control plane as an admin API rather than a convenience layer, enforcing immutable privilege inheritance for all spawned subprocesses, applying layered prom
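Takeaways 4 and 5 describe the same enforcement mistake from two angles: a policy that matches the literal spelling of a request (so an abbreviated flag slips past an exact-match deny list, and an approved command is never tied to the files it touches) and boundary checks re-implemented per module. The following Python is an added illustration written for this summary; it is not code from the report or from OpenClaw. The "sync" tool, its option table, the deny list and the workspace path are constructed assumptions. It shows a naive exact-match check being bypassed by "--del" (GNU getopt_long-style tools accept any unambiguous prefix of a long option), and a check that first canonicalizes flags and resolves file operands through one shared `resolve_within` boundary function before deciding.

```python
"""Policy enforcement on the resolved form of a tool request (added example)."""
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass

# Constructed option table for a hypothetical "sync" tool. Short flags map to a
# long form, and any unambiguous prefix of a long option is accepted, the way
# GNU getopt_long does ("--del" means "--delete").
LONG_OPTIONS = ["--delete", "--dry-run", "--verbose"]
SHORT_OPTIONS = {"-d": "--delete", "-n": "--dry-run", "-v": "--verbose"}

DENIED_FLAGS = {"--delete"}            # policy: the destructive flag is never allowed
WORKSPACE = "/srv/agent/workspace"     # assumed sandbox root for file operands


def canonical_flag(token: str) -> str:
    """Map any accepted spelling of an option to its full long form."""
    if token in SHORT_OPTIONS:
        return SHORT_OPTIONS[token]
    if token.startswith("--"):
        matches = [o for o in LONG_OPTIONS if o.startswith(token)]
        if len(matches) == 1:
            return matches[0]
        if len(matches) > 1:
            raise ValueError(f"ambiguous option {token!r}")
    return token                       # unknown or not an option: unchanged


def resolve_within(root: str, candidate: str) -> str | None:
    """Shared boundary check: the resolved path if it stays inside root, else None.

    Absolute operands and '..' traversal both resolve outside the root and are
    rejected here, so every module that calls this gets the same answer.
    """
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, candidate))
    if target == root_real or target.startswith(root_real + os.sep):
        return target
    return None


@dataclass
class Decision:
    allowed: bool
    reason: str
    resolved: list[str]


def naive_check(cmdline: str) -> Decision:
    """The pattern the report criticises: exact match on the literal tokens."""
    tokens = shlex.split(cmdline)
    for t in tokens:
        if t in DENIED_FLAGS:
            return Decision(False, f"denied flag {t}", tokens)
    return Decision(True, "no literal match", tokens)


def resolved_check(cmdline: str, workspace: str = WORKSPACE) -> Decision:
    """Decide on canonical flags and resolved file operands, not on spelling."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "sync":
        return Decision(False, "command not on allowlist", tokens)
    resolved = [tokens[0]]
    for t in tokens[1:]:
        if t.startswith("-"):
            try:
                flag = canonical_flag(t)
            except ValueError as exc:    # ambiguous spelling: fail closed
                return Decision(False, str(exc), resolved)
            if flag in DENIED_FLAGS:
                return Decision(False, f"denied flag {flag} (written as {t})", resolved)
            resolved.append(flag)
        else:
            path = resolve_within(workspace, t)
            if path is None:
                return Decision(False, f"operand {t!r} escapes workspace", resolved)
            resolved.append(path)      # the approval is bound to this exact path
    return Decision(True, "canonical form passed policy", resolved)


if __name__ == "__main__":
    for cmd in ["sync --del ./notes", "sync -v ../secrets", "sync -v ./notes"]:
        print(f"{cmd!r:28} naive={naive_check(cmd).allowed!s:5} "
              f"resolved={resolved_check(cmd).allowed!s:5} "
              f"({resolved_check(cmd).reason})")
```

The point of returning the resolved token list in `Decision` is that the executor should run exactly that list, not the original string: if validation and execution parse the request separately, the two can diverge again, which is the gap takeaway 4 describes.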