OpenClaw Threat Model v1.0
MITRE ATLAS Framework
Version: 1.0-draft Last Updated: 2026-02-04 Methodology: MITRE ATLAS + Data Flow Diagrams Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems)Framework Attribution
This threat model is built on MITRE ATLAS, the industry-standard framework for documenting adversarial threats to AI/ML systems. ATLAS is maintained by MITRE in collaboration with the AI security community. Key ATLAS Resources:Contributing to This Threat Model
This is a living document maintained by the OpenClaw community. See CONTRIBUTING-THREAT-MODEL.md for guidelines on contributing:- Reporting new threats
- Updating existing threats
- Proposing attack chains
- Suggesting mitigations
1. Introduction
1.1 Purpose
This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace, using the MITRE ATLAS framework designed specifically for AI/ML systems.1.2 Scope
1.3 Out of Scope
Nothing is explicitly out of scope for this threat model.2. System Architecture
2.1 Trust Boundaries
2.2 Data Flows
3. Threat Analysis by ATLAS Tactic
3.1 Reconnaissance (AML.TA0002)
T-RECON-001: Agent Endpoint Discovery
T-RECON-002: Channel Integration Probing
3.2 Initial Access (AML.TA0004)
T-ACCESS-001: Pairing Code Interception
T-ACCESS-002: AllowFrom Spoofing
T-ACCESS-003: Token Theft
3.3 Execution (AML.TA0005)
T-EXEC-001: Direct Prompt Injection
T-EXEC-002: Indirect Prompt Injection
T-EXEC-003: Tool Argument Injection
T-EXEC-004: Exec Approval Bypass
3.4 Persistence (AML.TA0006)
T-PERSIST-001: Malicious Skill Installation
T-PERSIST-002: Skill Update Poisoning
T-PERSIST-003: Agent Configuration Tampering
3.5 Defense Evasion (AML.TA0007)
T-EVADE-001: Moderation Pattern Bypass
T-EVADE-002: Content Wrapper Escape
3.6 Discovery (AML.TA0008)
T-DISC-001: Tool Enumeration
T-DISC-002: Session Data Extraction
3.7 Collection & Exfiltration (AML.TA0009, AML.TA0010)
T-EXFIL-001: Data Theft via web_fetch
T-EXFIL-002: Unauthorized Message Sending
T-EXFIL-003: Credential Harvesting
3.8 Impact (AML.TA0011)
T-IMPACT-001: Unauthorized Command Execution
T-IMPACT-002: Resource Exhaustion (DoS)
T-IMPACT-003: Reputation Damage
4. ClawHub Supply Chain Analysis
4.1 Current Security Controls
4.2 Moderation Flag Patterns
Current patterns inmoderation.ts:
- Only checks slug, displayName, summary, frontmatter, metadata, file paths
- Does not analyze actual skill code content
- Simple regex easily bypassed with obfuscation
- No behavioral analysis
4.3 Planned Improvements
5. Risk Matrix
5.1 Likelihood vs Impact
5.2 Critical Path Attack Chains
Attack Chain 1: Skill-Based Data Theft6. Recommendations Summary
6.1 Immediate (P0)
6.2 Short-term (P1)
6.3 Medium-term (P2)
7. Appendices
7.1 ATLAS Technique Mapping
7.2 Key Security Files
7.3 Glossary
This threat model is a living document. Report security issues to [email protected]