Recently, the open-source self-hosted AI agent platform OpenClaw (colloquially known as "小龙虾" or "Little Crayfish") has rapidly gained popularity due to its flexible scalability and self-controlled deployment features, becoming a phenomenon in the personal AI agent space. Its core ecosystem, Clawhub, serves as an app marketplace, gathering a vast number of third-party Skill plugins that enable agents to unlock advanced capabilities with one click—from web search and content creation to encrypted wallet operations, on-chain interactions, and system automation—leading to explosive growth in both ecosystem scale and user base.
But for these third-party Skills running in high-privilege environments, where exactly are the platform's true security boundaries?
Recently, CertiK, the world's largest Web3 security company, released new research on Skill security. The report points out that the current market has a misperception of the security boundaries of AI agent ecosystems: the industry generally treats "Skill scanning" as the core security boundary, but this mechanism is almost useless against hacker attacks.
If OpenClaw is compared to an operating system for smart devices, Skills are the various APPs installed on the system. Unlike ordinary consumer-grade APPs, some Skills in OpenClaw run in high-privilege environments, directly accessing local files, calling system tools, connecting to external services, executing host environment commands, and even operating users' encrypted digital assets. Once security issues arise, they can directly lead to serious consequences such as sensitive information leakage, remote device takeover, and theft of digital assets.
The current universal security solution for third-party Skills across the industry is "pre-listing scanning and auditing." OpenClaw's Clawhub has also built a three-layer audit protection system: integrating VirusTotal code scanning, static code detection engines, and AI logic consistency checks, pushing security alerts to users through risk classification in an attempt to safeguard ecosystem security. However, CertiK's research and proof-of-concept attack tests confirm that this detection system has shortcomings in real attack and defense scenarios and cannot bear the core responsibility of security protection.
The research first breaks down the inherent limitations of the existing detection mechanisms:
Static detection rules are easily bypassed. The core of this engine relies on matching code features to identify risks, such as flagging the combination of "reading sensitive environmental information + sending network requests" as high-risk behavior. However, attackers only need to make slight syntactic modifications to the code to completely bypass feature matching while fully retaining malicious logic, akin to rephrasing dangerous content in synonymous terms, rendering the security scanner completely ineffective.
AI auditing has inherent detection blind spots. The core positioning of Clawhub's AI audit is a "logic consistency detector," which can only catch obvious malicious code where "declared functionality does not match actual behavior," but is helpless against exploitable vulnerabilities hidden within normal business logic, much like how it's difficult to find fatal traps buried deep in the clauses of a seemingly compliant contract.
More critically, the audit process has underlying design flaws: even when VirusTotal scan results are still in a "pending" state, Skills that have not completed the full "health check" process can be directly listed publicly, and users can install them without any warnings, leaving an opening for attackers.
To verify the real harmfulness of the risk, the CertiK research team completed a full test. The team developed a Skill named "test-web-searcher," which superficially appears to be a fully compliant web search tool whose code logic fully follows standard development norms, but which actually implants a remote code execution vulnerability within the normal functional flow.
This Skill bypassed detection by both the static engine and the AI audit, and was installed normally without any security warnings while the VirusTotal scan was still pending; finally, by remotely sending an instruction via Telegram, the vulnerability was successfully triggered, achieving arbitrary command execution on the host device (in the demo, it directly controlled the system to launch the calculator).
CertiK clearly stated in the research that these issues are not product bugs unique to OpenClaw, but rather a common cognitive error across the entire AI agent industry: the industry generally treats "audit scanning" as the core security defense line, but neglects the true security foundation, which is mandatory runtime isolation and fine-grained permission control. This is just like how the security core of Apple's iOS ecosystem has never been the strict review of the App Store, but rather the system's mandatory sandbox mechanism and fine-grained permission control, which allows each APP to run only in its dedicated isolation compartment, unable to arbitrarily obtain system permissions. However, OpenClaw's existing sandbox mechanism is optional rather than mandatory and relies heavily on manual user configuration. The vast majority of users, to ensure Skill functionality and availability, choose to disable the sandbox, ultimately leaving the agent "running naked." Once a Skill with vulnerabilities or malicious code is installed, it can directly lead to catastrophic consequences.
Regarding the issues discovered, CertiK also provided security guidance:
● For developers of AI agents like OpenClaw, sandbox isolation must be set as the default mandatory configuration for third-party Skills, together with a fine-grained permission control model for Skills, and third-party code must never be allowed to inherit the host machine's high privileges by default.
● For ordinary users, Skills labeled "Safe" in the Skill marketplace merely indicate that no risks were detected, not that they are absolutely safe. Until strong underlying isolation mechanisms are officially implemented as the default configuration, it is recommended to deploy OpenClaw on non-critical idle devices or virtual machines, and never let it near sensitive files, password credentials, or high-value crypto assets.
The AI agent sector is currently on the eve of an explosion, and the speed of ecosystem expansion must not outpace the pace of security construction. Audit scanning can only block basic malicious attacks and can never become the security boundary for high-privilege agents. Only by shifting from "pursuing perfect detection" to "assuming risk exists and containing damage," and by mandating isolation boundaries at the runtime's lowest layer, can the security bottom line of AI agents truly be upheld, allowing this technological transformation to proceed steadily and go the distance.
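As an added illustration of the mandatory-isolation, fine-grained-permission model the guidance above calls for (example code, not OpenClaw's or CertiK's; the manifest format, field names and the "web-searcher" manifest are assumptions), a host-side guard that enforces a Skill's declared permissions at runtime, so that even a Skill that passed every scan cannot reach beyond what it declared:

```python
# Added example (not OpenClaw's or CertiK's code): a host-side permission guard that bounds
# what a third-party Skill can do at runtime, independent of static or AI scan results.
from pathlib import PurePosixPath
from urllib.parse import urlparse


def normalize(path):
    """Collapse '.' and '..' lexically so '/workspace/../etc/x' cannot escape a root."""
    parts = []
    for part in PurePosixPath(path).parts:
        if part == "..":
            if parts:
                parts.pop()
        elif part not in (".", "/"):
            parts.append(part)
    return PurePosixPath("/", *parts)


class SkillGuard:
    """Mediates each privileged action a Skill requests against its declared manifest."""
    def __init__(self, manifest):
        self.name = manifest["name"]
        self.hosts = set(manifest.get("network_hosts", []))   # allowed outbound hosts
        self.roots = [PurePosixPath(r) for r in manifest.get("fs_read", [])]
        self.exec_allowed = manifest.get("exec", False)         # host commands off by default
        self.audit_log = []  # (skill, action, target, decision) for detection and forensics

    def check(self, action, target):
        """Return True if the action is within the manifest; everything undeclared is denied."""
        if action == "network":
            target = urlparse(target).hostname or ""
            ok = target in self.hosts
        elif action == "fs_read":
            p = normalize(target)
            target = str(p)
            ok = any(p == r or r in p.parents for r in self.roots)
        elif action == "exec":
            ok = self.exec_allowed
        else:
            ok = False
        self.audit_log.append((self.name, action, target, "allow" if ok else "deny"))
        return ok


# Constructed manifest for a hypothetical web-search Skill: one API host and read access
# to the workspace, no command execution (the "exec" capability defaults to off).
WEB_SEARCHER = {"name": "web-searcher", "network_hosts": ["api.search.example"],
                "fs_read": ["/workspace"]}
```

The point is the one the report makes: an install-time "Safe" label changes nothing here, because the guard's decision and audit trail depend only on the manifest the user approved, not on what the scanner did or did not catch.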