What question did this study set out to answer?

The research aims to evaluate the security vulnerabilities within the OpenClaw AI agent ecosystem.

March 13, 2026Open Access

The OpenClaw Security Crisis: A Multi-Layer Empirical Analysis of Supply Chain Poisoning, Credential Exposure, and Governance Gaps in the Agentic AI Ecosystem

Puntos clave

The research aims to evaluate the security vulnerabilities within the OpenClaw AI agent ecosystem.
Analyzed supply chain poisoning in the ClawHub skill marketplace with 1,184 confirmed malicious skills.
Assessed deployment misconfigurations, identifying 42,000+ instances of credential exposure.
Examined end-to-end exploitation paths, focusing on CVE-2026-25253 with a CVSS score of 8.8.
Proposed a four-dimensional threat model T=(D,U,C,M) to extend existing frameworks.
Identified significant supply chain vulnerabilities, including a high volume of malicious skills.
Found widespread credential exposure, with 93% of exposed instances allowing authentication bypass.
The proposed threat model highlights governance gaps that exacerbate security issues within the ecosystem.

Resumen

This preprint presents a comprehensive, data-driven assessment of the OpenClaw autonomous AI agent ecosystem's security posture, synthesizing findings from 12+ security research organizations. We analyze four layers of the attack surface: (1) supply chain poisoning via the ClawHub skill marketplace (1,184+ confirmed malicious skills), (2) deployment misconfiguration and credential exposure (42,000+ internet-exposed instances, 93% with authentication bypass), (3) end-to-end exploitation paths including CVE-2026-25253 (CVSS 8.8), and (4) governance gaps in platform and institutional responses. We propose a four-dimensional threat model T=(D,U,C,M) extending Willison's "lethal trifecta" with persistent memory. Data sources include reports from Cisco, Trend Micro, Snyk, Bitdefender, Kaspersky, Microsoft, and Palo Alto Networks.

Leer artículo completoexternamente

Me gusta

Guardar

Ver artículo completo