Good evening. My name is Ivor, whatever you want to call me. I'm a co-founder of a company called Gradio, a full-stack developer who was, you know, in love with all this AI stuff that I couldn't believe back in 2022.
It was the internet moment that we all had back in the day.
I want to talk today about OpenClaw. It's the first real agentic tool that I have experienced that I cannot trust, but I know for a fact that it will run autonomously without even my attention.
It was vibe-coded. This project was completely vibe-coded by a technical programmer. He sold his company for hundreds of millions of dollars, and this is true.
And he was retired. He discovered AI and wanted to bring this to the world, and it was all fun and games until it wasn't. And this project was acquired, or actually hired, by OpenAI.
And we all know that the future will be multi-agentic. The times when you pasted things into ChatGPT and pasted the answer back are no longer what people want. People want autonomy.
But with autonomy comes security issues, and this OpenClaw is, well, I already talked about OpenClaw, but you can see here that the moment you install OpenClaw they give you this message. Let me... this will be a talk where I move around a lot of screens.
The moment you onboard OpenClaw, they tell you this is a hobby project. It's still in beta.
And it gives you this security audit that will give you a sense of security. It will say, OK, you're good to go. Everything is good.
But if you're not technical enough to understand what a tailnet is, what loopback is, what a LAN is, you will open your computer and your devices to the world. You're basically giving your life away, because my computer has my life and all my tokens, et cetera.
So let's talk a little more about what it has access to: Telegram, WhatsApp, Discord, Slack, read and write files, shell commands. It can connect to your Gmail, Outlook, cloud storage, et cetera. So it's open to the world.
The moment somebody sends you an email, OpenClaw will read it, will take the context, and anybody can inject. Yeah, we'll talk about it more.
I have some notes here. I apologize. OK.
So this CVE was released, and it was a critical vulnerability that allowed one-click remote code execution through a malicious link, which would give access to the OpenClaw gateway.
Right, and everybody started deploying OpenClaw on VPSes with open ports, and they were publicly exposed and discovered just with some tools that people have. It was publicly exposed, and everybody was like, what are we doing here?
Then this is Bitdefender, right? They audited 70% of the skills, and I will talk about skills later, and 70% exhibited malicious behaviors.
And there were 15 security patches in just two weeks. As you can see, this project is moving fast, really, really fast.
But everybody is excited and installing OpenClaw on their computers and on their company computers.
Now, there are six core security concerns.
Even if you have 1Password installed on your computer, OpenClaw will read that, and it will have plaintext credential access. You can even prompt OpenClaw and it will print your credentials.
Excessive autonomy: the moment you install it, there are no sandboxes, no boundaries by default. The prompt injection vector, and I will show you a demo later, is real. Everybody talks about it, but nobody seems to really care, because everybody starts uploading files. Exposed admin interfaces.
So if you expose it through LAN, you'll think, OK, this runs on my computer, my local network, my house. But the moment you go to a mall and connect to their Wi-Fi with this open, everybody can scan your network and will find that you have an OpenClaw gateway open, which is, well, really dangerous.
Now, supply chain attacks.
With a simple command, you can install a skill, which is nothing but a Python script or a JavaScript file that has full access to your computer, again.
And of course, people without technical knowledge: hey, install this, follow this tutorial, you'll have an autonomous agent. People who don't really understand security.
Now, Simon Willison is someone famous in the AI world. He coined this term, the lethal trifecta, and this was coined around the time MCP was released.
Everybody was excited about MCPs, but he said the lethal trifecta is the moment you have a tool that has private data access, access to untrusted content, which can be an email, and external communication, which can send an image or post to a URL. That's the lethal trifecta. It's the moment you give away your data.
And then there is this prompt injection via email, right? Attackers send a crafted email, the agent reads it (gog is a CLI that OpenClaw uses to read your email, and I will give you a demo in a second), and the instructions can be executed by an LLM. They can read PDFs, and your instruction can be on a hidden page, or yeah, just hidden in the file, and
the agent will run a shell command. The moment you run the shell command, you don't know; it will be silent, nothing will escape from it. So, OK.
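The following is an added example, not part of the talk and not OpenClaw's own code. It shows the lethal trifecta as an enforceable policy rather than a slogan: a small taint-tracking gate for an agent session that records which of the three capabilities (private data, untrusted content, exfiltration) the session has already exercised and refuses to let a tool call complete the triangle without an explicit human approval, falling back to deny. The tool names (`gog.read_mail`, `shell.exec`, and so on) and the scenario are constructed for the example.

```python
"""Taint-tracking tool gate for an agent session (added example, not OpenClaw code).

The "lethal trifecta" is the combination, inside one session, of
(1) access to private data, (2) exposure to untrusted content and
(3) a channel that can send data out (shell, HTTP, chat posts).
This gate tracks which of the three the session has touched and
refuses to complete the triangle unless a human approved that tool,
i.e. an ask-then-deny posture. Tool names below are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Cap(Enum):
    PRIVATE_DATA = "private_data"
    UNTRUSTED_INPUT = "untrusted_input"
    EXFIL = "exfil"


TRIFECTA = {Cap.PRIVATE_DATA, Cap.UNTRUSTED_INPUT, Cap.EXFIL}

# Hypothetical tool catalogue: which capabilities each tool exercises.
# An inbox is both secret (private data) and attacker-writable (untrusted).
TOOL_CAPS = {
    "gog.read_mail": {Cap.PRIVATE_DATA, Cap.UNTRUSTED_INPUT},
    "fs.read": {Cap.PRIVATE_DATA},
    "calendar.list": {Cap.PRIVATE_DATA},
    "shell.exec": {Cap.EXFIL},   # curl/ssh/etc. can send anything anywhere
    "http.post": {Cap.EXFIL},
    "discord.post": {Cap.EXFIL},
}


class Decision(Enum):
    ALLOW = "allow"
    ASK = "ask"    # surface to a human; no answer means deny
    DENY = "deny"


@dataclass
class Session:
    caps_used: set = field(default_factory=set)
    approvals: set = field(default_factory=set)  # tools a human explicitly approved
    log: list = field(default_factory=list)

    def request(self, tool: str) -> Decision:
        """Decide whether the agent may call `tool` given what the session already did."""
        caps = TOOL_CAPS.get(tool)
        if caps is None:
            self.log.append((tool, Decision.DENY, "unknown tool"))
            return Decision.DENY
        after = self.caps_used | caps
        if after == TRIFECTA and tool not in self.approvals:
            # This call would complete the trifecta: ask, and treat silence as deny.
            self.log.append((tool, Decision.ASK, "would complete lethal trifecta"))
            return Decision.ASK
        self.caps_used = after
        self.log.append((tool, Decision.ALLOW, ""))
        return Decision.ALLOW

    def approve(self, tool: str) -> None:
        self.approvals.add(tool)


def run_injected_email_scenario(approve_shell: bool = False) -> list:
    """Replay the attack from the talk: the agent reads a crafted email whose body
    hides an instruction to run a shell command, then tries to execute it."""
    s = Session()
    decisions = [s.request("gog.read_mail")]   # private + untrusted, no exfil yet: ALLOW
    if approve_shell:
        s.approve("shell.exec")                # a human explicitly OK'd the command
    decisions.append(s.request("shell.exec"))  # would complete the trifecta: ASK unless approved
    return decisions


if __name__ == "__main__":
    print([d.value for d in run_injected_email_scenario()])
    print([d.value for d in run_injected_email_scenario(approve_shell=True)])
```

The order of operations does not matter to the gate: a session that first runs a shell command and then reads mail is stopped at the mail read, because it is the third capability, not the shell tool specifically, that is dangerous.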
Here's the prompt injection demo. I hope this works; in case it doesn't, I have a screenshot. OK, so this is OpenClaw.
I connected it to my Discord. I created a personal channel as a demo and a social channel. It doesn't have any tools. It doesn't have any prompts except the defaults.
And I gave it access to my calendar and my Gmail and everything, right? So the model I'm running right now is GPT Codex.
This is for social, but the other one has Opus 4.6. And why do I talk about the model?
So, OpenClaw consumes tokens like nothing in the world. If you don't have a Claude Code subscription, it will be really, really hard to control the money it spends.
So, let's say I read on Twitter that OpenRouter released this router, which happens to be a free model. They release all these free models and they route your request through, like, Azure, right? They route your request to a more intelligent model. But these are free models. These are not Opus 4.6.
These are not Codex. These are just models that are really dumb, if you could say that. And you want to save some money, and you're using a Chinese model.
Now, let's say I crafted this prompt, a really simple prompt, that says: let's use gog. Read my latest email with "config verification needed".
Now, I have to mention... let's see if I don't mention it. Right. It already acknowledged and went to read my emails.
This, OK. Well, for more, I can access gog here. OK. We won't waste time on that.
But I did that here, right? And I said, go to gog, read my latest email with the subject. Of course, I created this fake credential, and it printed everything.
And if you request that from Opus 4.6, no matter what you do, it will deny access because, well, OpenClaw has this prompt in their files, in their system prompts, that will deny that.
But OK, well, I already talked a little bit about this, but these are the skills that are malicious, that were scanned and have full access to your SSH keys. So let me move a little faster.
OK, so as you can see, the danger is real, and every day they release a security patch. Let me move on. OK, so this was the CVE that was released recently.
And of course, they demonstrated that the URL contained a query string that gave away access to your gateway URL. And if you don't know what the gateway URL is,
it's the OpenClaw gateway that gives access to your environment variables and basically gives access to your computer.
So, apologies. OK, so let's break down the security a little bit, because I already talked a lot about OpenClaw. First of all, least-privilege tokens: never give full-access tokens. It's convenient, but it's not really... well, OK. Owner allowlist with immutable IDs.
OpenClaw gives you the ability to grant access to specific IDs, for instance my user ID in Discord.
So, DM policy: pairing mode only, so that it will request access and you have to approve access. Mention gating in groups.
In groups, you can allow OpenClaw to reply to anybody, to everybody. So, of course, if you give a person access to your bot, they will have access to your computer.
So: config write false, read only, and bind to loopback only. Bind to your computer, to your local network.
You can access it from your devices through a VPN. And I've seen this on Twitter: give access... oh, this requests a token, no, no, go ahead, allow insecure auth, or dangerously disable device auth, so that you can access your instance from everywhere. And this is a recipe for disaster. OK, so I'll explain a
little bit what this is. Elevated enabled false: this is a kill-chain defense. If you enable sandbox, which will run your instance of OpenClaw in a container, elevated false will deny access to the host machine, right? It will
say, OK, I want to execute this bash because I don't have this command, you know, in my container, I will request access to your computer, and this will immediately deny it.
Ask, fallback, deny: never give access, and deny access to cron, to group memory, because anybody can inject into the memory, into, you know, the context of the memory, and sessions: disable, right?
Access to the workspace only, which will contain it even more because it will access only that workspace, the OpenClaw one, and disable network.
And this is really important: if you don't use cap drop, it will have wide access to your system and to your Linux environment and can even drop the permissions.
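The following is an added example, not part of the talk and not OpenClaw's own code. It turns the checklist above into an audit that can be run over a gateway config and prints what a "follow the tutorial" setup gets wrong next to a hardened one. The key names (`gateway.bind`, `gateway.dangerouslyDisableDeviceAuth`, `channels.dmPolicy`, `sandbox.elevated.enabled`, `sandbox.capDrop`, `tools.fallback`, and so on) are assumptions that mirror the settings named in the talk, not the project's real schema; map them to the actual config file before using this on a live instance. Both sample configs are constructed.

```python
"""Audit an agent-gateway config against a hardening checklist (added example).

Not OpenClaw's own code. The dotted key names are hypothetical and mirror the
settings named in the talk: loopback bind, device auth, config write, DM
pairing, mention gating, sandbox, elevated, network, workspace scope, cap
drop, and deny-by-default for cron / group memory / sessions.
"""
from typing import Any

LOOPBACK = ("127.0.0.1", "::1", "localhost", "loopback")


def get(cfg: dict, path: str, default: Any = None) -> Any:
    """Fetch a dotted path such as 'gateway.bind' from a nested dict, or `default`."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(cfg: dict) -> list:
    """Return human-readable findings; an empty list means every check passed.
    Defaults are chosen as the *unsafe* value so that an unset key is reported."""
    f = []
    if get(cfg, "gateway.bind", "0.0.0.0") not in LOOPBACK:
        f.append("gateway bound beyond loopback: reachable from LAN/cafe Wi-Fi, reach it over a VPN/tailnet instead")
    if get(cfg, "gateway.dangerouslyDisableDeviceAuth", False) or get(cfg, "gateway.allowInsecureAuth", False):
        f.append("device/insecure auth weakened: anyone who reaches the port owns the gateway")
    if get(cfg, "gateway.configWrite", True):
        f.append("agent may rewrite its own config: set configWrite=false")
    if get(cfg, "channels.dmPolicy", "open") != "pairing":
        f.append("DMs not in pairing mode: unknown users can drive the agent")
    if not get(cfg, "channels.requireMentionInGroups", False):
        f.append("no mention gating in groups: agent answers every group message")
    if not get(cfg, "sandbox.enabled", False):
        f.append("no sandbox: shell tools run directly on the host")
    if get(cfg, "sandbox.elevated.enabled", True):
        f.append("elevated enabled: agent can step out of the container onto the host")
    if get(cfg, "sandbox.network", True):
        f.append("sandbox has network: exfiltration channel is open")
    if get(cfg, "sandbox.scope", "host") != "workspace":
        f.append("sandbox not limited to the workspace directory")
    if "ALL" not in [str(c).upper() for c in get(cfg, "sandbox.capDrop", [])]:
        f.append("capabilities not dropped: container keeps Linux caps")
    if get(cfg, "tools.fallback", "allow") != "deny":
        f.append("unlisted tool calls default to allow: set fallback=deny (ask, then deny)")
    for tool in ("cron", "groupMemory", "sessions"):
        if get(cfg, f"tools.{tool}", "allow") != "deny":
            f.append(f"{tool} allowed: injected content can persist or schedule later actions")
    return f


# Constructed "follow the tutorial" config: convenient, and exposed everywhere.
WEAK = {
    "gateway": {"bind": "0.0.0.0", "dangerouslyDisableDeviceAuth": True},
    "channels": {"dmPolicy": "open"},
    "sandbox": {"enabled": False},
}

# Constructed hardened config following the checklist in the talk.
HARDENED = {
    "gateway": {"bind": "loopback", "dangerouslyDisableDeviceAuth": False,
                "allowInsecureAuth": False, "configWrite": False},
    "channels": {"dmPolicy": "pairing", "requireMentionInGroups": True},
    "sandbox": {"enabled": True, "elevated": {"enabled": False}, "network": False,
                "scope": "workspace", "capDrop": ["ALL"]},
    "tools": {"fallback": "deny", "cron": "deny", "groupMemory": "deny", "sessions": "deny"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}:")
        for line in audit(cfg) or ["ok"]:
            print("  -", line)
```

The defaults passed to `get` are deliberately the unsafe value, so a key that is simply missing from the file is reported rather than silently passing; that is the failure mode the talk describes, where a working install never had these settings touched.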
So, without further ado, I mean, there are more, but, so, yeah. The self-escalation mode, OK, so, OK.
And I wanted to end with this: OpenAI released this statement that even the best prompt jailbreak systems... this institute discovered a way to bypass ChatGPT's security. So nobody is... prompt injection is not solved, not really solved.