Clawdrain: Exploiting Tool-Calling Chains for Stealthy Token Exhaustion in OpenClaw Agents

Ben Dong, Hui Feng, Qian Wang

TL;DR

It is demonstrated that token-drain attacks remain feasible in real deployments, but their magnitude and observability are shaped by tool composition, recovery behavior, and interface design.

Abstract

Modern generative agents such as OpenClaw, an open-source, self-hosted personal assistant with a community skill ecosystem, are gaining attention and are used pervasively. However, the openness and rapid growth of these ecosystems often outpace systematic security evaluation. In this paper, we design, implement, and evaluate Clawdrain, a Trojanized skill that induces a multi-turn "Segmented Verification Protocol" via injected SKILL.md instructions and a companion script that returns PROGRESS/REPAIR/TERMINAL signals. We deploy Clawdrain in a production-like OpenClaw instance with real API billing and a production model (Gemini 2.5 Pro), and we measure 6-7x token amplification over a benign baseline, with a costly failure configuration reaching approximately 9x. We observe a deployment-only phenomenon: the agent autonomously composes general-purpose tools (e.g., shell/Python) to route around brittle protocol steps, reducing amplification and altering attack dynamics. Finally, we identify production vectors enabled by OpenClaw's architecture, including SKILL.md prompt bloat, persistent tool-output pollution, cron/heartbeat frequency amplification, and behavioral instruction injection. Overall, we demonstrate that token-drain attacks remain feasible in real deployments, but their magnitude and observability are shaped by tool composition, recovery behavior, and interface design.

Paper Structure (25 sections, 1 figure, 1 table)

This paper contains 25 sections, 1 figure, 1 table.

Figures (1)

  • Figure 1: Threat model overview. Left: under no attack, the agent calls a benign skill and answers concisely. Middle: the adversary introduces a Trojan skill into the OpenClaw skills directory (or via a registry/dependency), exploiting prompt injection of skill documentation, verbose tool outputs stored in history, and autonomous triggers. Right: under Clawdrain, the agent repeatedly follows a multi-turn protocol (calibration/repair), amplifying token consumption while still returning the correct final result.
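
A defender-side check for the token amplification the abstract measures, added here as an illustration and not taken from the paper or from OpenClaw: it compares per-session token totals against a benign baseline median and flags sessions that exceed a ratio or a turn limit. The record layout, skill names, thresholds and sample numbers are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed per-turn usage records: (session_id, skill, input_tokens, output_tokens).
# The layout is hypothetical, not OpenClaw's actual log format.
BASELINE = [
    ("b1", "weather", 1200, 150),
    ("b2", "weather", 1100, 140),
    ("b3", "notes", 1300, 160),
]
OBSERVED = [
    ("s1", "weather", 1250, 150),
    # Multi-turn session: input grows each turn as tool output stays in history.
    ("s2", "calc-verify", 1400, 300),
    ("s2", "calc-verify", 1900, 300),
    ("s2", "calc-verify", 2400, 250),
    ("s2", "calc-verify", 2700, 200),
    # Many short turns: cheap per turn, but an unusually long tool loop.
    *[("s3", "notes", 400, 60)] * 5,
]


def session_totals(records):
    """Return {(session, skill): (total_tokens, turns)}."""
    totals = defaultdict(lambda: [0, 0])
    for session, skill, tokens_in, tokens_out in records:
        entry = totals[(session, skill)]
        entry[0] += tokens_in + tokens_out
        entry[1] += 1
    return {key: tuple(value) for key, value in totals.items()}


def flag_amplified(baseline, observed, ratio_limit=3.0, turn_limit=4):
    """Flag sessions costing >= ratio_limit x the baseline median, or
    running more than turn_limit turns. Both limits are assumed values."""
    base = median(tokens for tokens, _ in session_totals(baseline).values())
    flagged = {}
    for key, (tokens, turns) in session_totals(observed).items():
        ratio = tokens / base
        if ratio >= ratio_limit or turns > turn_limit:
            flagged[key] = (round(ratio, 2), turns)
    return flagged


if __name__ == "__main__":
    for (session, skill), (ratio, turns) in flag_amplified(BASELINE, OBSERVED).items():
        print(f"{session} skill={skill} ratio={ratio}x turns={turns}")
```

Because the final answer stays correct under this kind of drain, cost and turn counts per skill are the signal to alert on rather than output quality.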