Skip to main content

OpenClaw Threat Model v1.0

MITRE ATLAS Framework

Version: 1.0-draft Last Updated: 2026-02-04 Methodology: MITRE ATLAS + Data Flow Diagrams Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems)

Framework Attribution

This threat model is built on MITRE ATLAS, the industry-standard framework for documenting adversarial threats to AI/ML systems. ATLAS is maintained by MITRE in collaboration with the AI security community. Key ATLAS Resources:

Contributing to This Threat Model

This is a living document maintained by the OpenClaw community. See CONTRIBUTING-THREAT-MODEL.md for guidelines on contributing:
  • Reporting new threats
  • Updating existing threats
  • Proposing attack chains
  • Suggesting mitigations

1. Introduction

1.1 Purpose

This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace, using the MITRE ATLAS framework designed specifically for AI/ML systems.

1.2 Scope

1.3 Out of Scope

Nothing is explicitly out of scope for this threat model.

2. System Architecture

2.1 Trust Boundaries

2.2 Data Flows


3. Threat Analysis by ATLAS Tactic

3.1 Reconnaissance (AML.TA0002)

T-RECON-001: Agent Endpoint Discovery

T-RECON-002: Channel Integration Probing


3.2 Initial Access (AML.TA0004)

T-ACCESS-001: Pairing Code Interception

T-ACCESS-002: AllowFrom Spoofing

T-ACCESS-003: Token Theft


3.3 Execution (AML.TA0005)

T-EXEC-001: Direct Prompt Injection

T-EXEC-002: Indirect Prompt Injection

T-EXEC-003: Tool Argument Injection

T-EXEC-004: Exec Approval Bypass


3.4 Persistence (AML.TA0006)

T-PERSIST-001: Malicious Skill Installation

T-PERSIST-002: Skill Update Poisoning

T-PERSIST-003: Agent Configuration Tampering


3.5 Defense Evasion (AML.TA0007)

T-EVADE-001: Moderation Pattern Bypass

T-EVADE-002: Content Wrapper Escape


3.6 Discovery (AML.TA0008)

T-DISC-001: Tool Enumeration

T-DISC-002: Session Data Extraction


3.7 Collection & Exfiltration (AML.TA0009, AML.TA0010)

T-EXFIL-001: Data Theft via web_fetch

T-EXFIL-002: Unauthorized Message Sending

T-EXFIL-003: Credential Harvesting


3.8 Impact (AML.TA0011)

T-IMPACT-001: Unauthorized Command Execution

T-IMPACT-002: Resource Exhaustion (DoS)

T-IMPACT-003: Reputation Damage


4. ClawHub Supply Chain Analysis

4.1 Current Security Controls

4.2 Moderation Flag Patterns

Current patterns in moderation.ts:
Limitations:
  • Only checks slug, displayName, summary, frontmatter, metadata, file paths
  • Does not analyze actual skill code content
  • Simple regex easily bypassed with obfuscation
  • No behavioral analysis

4.3 Planned Improvements


5. Risk Matrix

5.1 Likelihood vs Impact

5.2 Critical Path Attack Chains

Attack Chain 1: Skill-Based Data Theft
Attack Chain 2: Prompt Injection to RCE
Attack Chain 3: Indirect Injection via Fetched Content

6. Recommendations Summary

6.1 Immediate (P0)

6.2 Short-term (P1)

6.3 Medium-term (P2)


7. Appendices

7.1 ATLAS Technique Mapping

7.2 Key Security Files

7.3 Glossary


This threat model is a living document. Report security issues to [email protected]