Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw

Zhengyang Shan, Jiayun Xin, Yue Zhang, Minghui Xu

TL;DR

A two-phase security analysis of the OpenClaw platform is presented, and the introduced HITL layer significantly hardens the system, successfully intercepting up to 8 severe attacks that completely bypassed OpenClaw's native defenses.

Abstract

Code agents powered by large language models can execute shell commands on behalf of users, introducing severe security vulnerabilities. This paper presents a two-phase security analysis of the OpenClaw platform. As an open-source AI agent framework that operates locally, OpenClaw can be integrated with various commercial large language models. Because its native architecture lacks built-in security constraints, it serves as an ideal subject for evaluating baseline agent vulnerabilities. First, we systematically evaluate OpenClaw's native resilience against malicious instructions. By testing 47 adversarial scenarios across six major attack categories derived from the MITRE ATLAS and ATT\&CK frameworks, we have demonstrated that OpenClaw exhibits significant inherent security issues. It primarily relies on the security capabilities of the backend LLM and is highly susceptible to sandbox escape attacks, with an average defense rate of only 17\%. To mitigate these critical security gaps, we propose and implement a novel Human-in-the-Loop (HITL) defense layer. We utilize a dual-mode testing framework to evaluate the system with and without our proposed intervention. Our findings show that the introduced HITL layer significantly hardens the system, successfully intercepting up to 8 severe attacks that completely bypassed OpenClaw's native defenses. By combining native capabilities with our HITL approach, the overall defense rate improves to a range of 19\% to 92\%. Our study not only exposes the intrinsic limitations of current code agents but also demonstrates the effectiveness of human-agent collaborative defense strategies.

Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw

TL;DR

A two-phase security analysis of the OpenClaw platform is presented, and the introduced HITL layer significantly hardens the system, successfully intercepting up to 8 severe attacks that completely bypassed OpenClaw's native defenses.

Abstract

Code agents powered by large language models can execute shell commands on behalf of users, introducing severe security vulnerabilities. This paper presents a two-phase security analysis of the OpenClaw platform. As an open-source AI agent framework that operates locally, OpenClaw can be integrated with various commercial large language models. Because its native architecture lacks built-in security constraints, it serves as an ideal subject for evaluating baseline agent vulnerabilities. First, we systematically evaluate OpenClaw's native resilience against malicious instructions. By testing 47 adversarial scenarios across six major attack categories derived from the MITRE ATLAS and ATT\&CK frameworks, we have demonstrated that OpenClaw exhibits significant inherent security issues. It primarily relies on the security capabilities of the backend LLM and is highly susceptible to sandbox escape attacks, with an average defense rate of only 17\%. To mitigate these critical security gaps, we propose and implement a novel Human-in-the-Loop (HITL) defense layer. We utilize a dual-mode testing framework to evaluate the system with and without our proposed intervention. Our findings show that the introduced HITL layer significantly hardens the system, successfully intercepting up to 8 severe attacks that completely bypassed OpenClaw's native defenses. By combining native capabilities with our HITL approach, the overall defense rate improves to a range of 19\% to 92\%. Our study not only exposes the intrinsic limitations of current code agents but also demonstrates the effectiveness of human-agent collaborative defense strategies.
Paper Structure (40 sections, 1 equation, 4 figures, 4 tables)

This paper contains 40 sections, 1 equation, 4 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background and Motivating Example
  3. Code Agent Architecture
  4. Motivating Attack Scenario
  5. Threat Model
  6. Attack Surface Overview
  7. Attacker Capability
  8. Attack Goals
  9. Testing Environment
  10. Scope Limitations
  11. Proposed Methodology: The Dual-Mode Execution Framework
  12. Comprehensive Threat Scenario Taxonomy
  13. The HITL Defense Architecture
  14. Dual-Mode Execution Engine
  15. Defense Rate Metrics
  16. ...and 25 more sections

Figures (4)

  • Figure 1: Architecture of the OpenClaw framework, illustrating the interaction between the User, LLM, HITL Defense, and the Execution Environment.
  • Figure 2: Threat model depicting three attacker capability levels targeting OpenClaw. Remote attackers exploit indirect prompt injection through external channels without system access. Local attackers leverage user-level privileges to establish persistence and escape sandboxes. Sophisticated attackers combine both approaches with advanced evasion techniques. Gray dashed box indicates out-of-scope attack vectors.
  • Figure 3: HITL defense pipeline: four-layer evaluation followed by risk-based policy decision.
  • Figure 4: OpenClaw defense rates comparing baseline versus effective defense rate (baseline + HITL new blocks). The HITL layer improves defense rates across all configurations.