Is Your "OpenClaw" Running Naked? CertiK Test: How Vulnerable OpenClaw Skill Bypasses Audits, Takes Over Computers Without Authorization
OpenClaw, a popular open-source, self-hosted AI agent platform, has experienced rapid growth due to its flexibility and extensibility. Its ecosystem relies heavily on third-party “Skills” from the Clawhub marketplace, which can perform high-risk operations like system automation and crypto wallet transactions. However, security firm CertiK has identified critical vulnerabilities in the platform’s security model.
CertiK’s research reveals that OpenClaw’s current security—primarily dependent on pre-publishing scans like VirusTotal, static code analysis, and AI logic checks—is fundamentally flawed. These measures can be easily bypassed through simple code obfuscation, and malicious Skills can be published even before scanning is complete. In a proof-of-concept, CertiK developed a seemingly benign Skill that contained a hidden remote code execution vulnerability. It passed all checks without warnings and, once installed, allowed full system control via a remote command.
The core issue is not a specific bug but a industry-wide misconception: over-reliance on scanning instead of runtime isolation. Unlike systems like iOS, which enforce strict sandboxing, OpenClaw’s sandbox is optional and often disabled for functionality, leaving systems exposed.
CertiK recommends that OpenClaw enforce mandatory sandboxing and granular permission controls for Skills. Users are advised to deploy OpenClaw on isolated devices and avoid exposing sensitive data or assets until stronger isolation is implemented. The report stresses that security must evolve from detection-based approaches to default containment of risks at runtime.
marsbit03/17 14:39
