OpenClaw Threat Model
This is a living threat model for OpenClaw deployments. It identifies the primary threat actors, attack surfaces, and recommended mitigations for AI agent workloads.
Threat Actors
- External attackers: Individuals attempting to compromise the agent through messaging channels or exposed endpoints
- Malicious content: Web pages, documents, or emails containing indirect prompt injection payloads
- Supply chain: Compromised skills, plugins, or dependencies that introduce malicious behavior
- Insider threats: Authorized users who abuse their access to the agent for unauthorized purposes
Attack Surfaces
| Surface | Risk | Mitigation |
|---|---|---|
| Messaging channels | Direct prompt injection | DM pairing, input sanitization |
| Web browsing | Indirect prompt injection via web content | Content isolation, separate LLM contexts |
| File system | Unauthorized file access or modification | Path allowlists, read-only mounts |
| Command execution | Arbitrary code execution | Command allowlists, sandboxing |
| API keys | Key exfiltration or abuse | Secret redaction, environment isolation |
Defense-in-Depth Strategy
No single security control is sufficient. OpenClaw's security model layers multiple defenses:
- Perimeter: DM pairing and input sanitization block unauthorized access
- Policy: Allowlists and approval gates enforce operational boundaries
- Isolation: Sandboxing contains potential damage
- Monitoring: Logging and alerting detect anomalies in real time
- Response: Emergency stop and incident response procedures limit blast radius
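The command allowlist, path allowlist and secret redaction mitigations from the table above, combined into one policy gate that sits between the model and tool execution, as an added example that is not OpenClaw's own code; the policy values, the `Decision` class and the `execute` runner are assumptions:

```python
import os
import re
import shlex
from dataclasses import dataclass

# Policy values are assumptions constructed for this example.
ALLOWED_COMMANDS = {"ls", "cat", "wc"}
WORKSPACE = "/workspace"  # the only root file arguments may resolve into
SECRET_RE = re.compile(r"sk-[A-Za-z0-9]{8,}|Bearer\s+[A-Za-z0-9._-]{8,}")


@dataclass
class Decision:
    allowed: bool
    reason: str


def path_allowed(path: str) -> bool:
    """Path allowlist: normalise first so '..' segments cannot escape the root."""
    real = os.path.normpath(os.path.join(WORKSPACE, path))
    return real == WORKSPACE or real.startswith(WORKSPACE + os.sep)


def check_command(cmdline: str) -> Decision:
    """Command allowlist: the binary must be allowlisted and every non-flag
    argument must stay inside the workspace. Meant for argv execution (no
    shell), so metacharacters are rejected rather than interpreted."""
    if re.search(r"[;&|`$<>\n]", cmdline):
        return Decision(False, "shell metacharacters are not permitted")
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return Decision(False, f"unparseable command line: {exc}")
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return Decision(False, f"command not in allowlist: {argv[:1]}")
    for arg in argv[1:]:
        if not arg.startswith("-") and not path_allowed(arg):
            return Decision(False, f"path outside workspace: {arg}")
    return Decision(True, "ok")


def redact(text: str) -> str:
    """Secret redaction for tool output before it re-enters model context or logs."""
    return SECRET_RE.sub("[REDACTED]", text)


def run_tool_call(cmdline: str, execute) -> str:
    """Gate, execute via the supplied runner (assumed to be a sandboxed
    subprocess wrapper taking argv and returning stdout), then redact."""
    decision = check_command(cmdline)
    if not decision.allowed:
        return f"denied: {decision.reason}"
    return redact(execute(shlex.split(cmdline)))
```

Denied calls are returned as text rather than raised so the agent loop can log the reason for the monitoring layer without the model ever seeing the underlying file or secret.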