{"id":637,"date":"2026-03-21T22:52:58","date_gmt":"2026-03-21T14:52:58","guid":{"rendered":"https:\/\/pa.yingzhi8.cn\/index.php\/2026\/03\/21\/security-threat-model-atlas\/"},"modified":"2026-03-23T09:27:26","modified_gmt":"2026-03-23T01:27:26","slug":"security-threat-model-atlas","status":"publish","type":"post","link":"https:\/\/pa.yingzhi8.cn\/index.php\/2026\/03\/21\/security-threat-model-atlas\/","title":{"rendered":"Threat Model (MITRE ATLAS)"},"content":{"rendered":"<h1>Threat Model (MITRE ATLAS)<\/h1>\n<h1>OpenClaw Threat Model v1.0<\/h1>\n<h2>MITRE ATLAS Framework<\/h2>\n<p><strong>Version:<\/strong> 1.0-draft<br \/>\n<strong>Last Updated:<\/strong> 2026-02-04<br \/>\n<strong>Methodology:<\/strong> MITRE ATLAS + Data Flow Diagrams<br \/>\n<strong>Framework:<\/strong> <a href=\"https:\/\/atlas.mitre.org\/\">MITRE ATLAS<\/a> (Adversarial Threat Landscape for AI Systems)<\/p>\n<h3>Framework Attribution<\/h3>\n<p>This threat model is built on <a href=\"https:\/\/atlas.mitre.org\/\">MITRE ATLAS<\/a>, the industry-standard framework for documenting adversarial threats to AI\/ML systems. ATLAS is maintained by <a href=\"https:\/\/www.mitre.org\/\">MITRE<\/a> in collaboration with the AI security community.<\/p>\n<p><strong>Key ATLAS Resources:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/atlas.mitre.org\/techniques\/\">ATLAS Techniques<\/a><\/li>\n<li><a href=\"https:\/\/atlas.mitre.org\/tactics\/\">ATLAS Tactics<\/a><\/li>\n<li><a href=\"https:\/\/atlas.mitre.org\/studies\/\">ATLAS Case Studies<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/mitre-atlas\/atlas-data\">ATLAS GitHub<\/a><\/li>\n<li><a href=\"https:\/\/atlas.mitre.org\/resources\/contribute\">Contributing to ATLAS<\/a><\/li>\n<\/ul>\n<h3>Contributing to This Threat Model<\/h3>\n<p>This is a living document maintained by the OpenClaw community. 
See <a href=\"\/security\/CONTRIBUTING-THREAT-MODEL\">CONTRIBUTING-THREAT-MODEL.md<\/a> for guidelines on contributing:<\/p>\n<ul>\n<li>Reporting new threats<\/li>\n<li>Updating existing threats<\/li>\n<li>Proposing attack chains<\/li>\n<li>Suggesting mitigations<\/li>\n<\/ul>\n<hr \/>\n<h2>1. Introduction<\/h2>\n<h3>1.1 Purpose<\/h3>\n<p>This threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace, using the MITRE ATLAS framework designed specifically for AI\/ML systems.<\/p>\n<h3>1.2 Scope<\/h3>\n<table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>Included<\/th>\n<th>Notes<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>OpenClaw Agent Runtime<\/td>\n<td>Yes<\/td>\n<td>Core agent execution, tool calls, sessions<\/td>\n<\/tr>\n<tr>\n<td>Gateway<\/td>\n<td>Yes<\/td>\n<td>Authentication, routing, channel integration<\/td>\n<\/tr>\n<tr>\n<td>Channel Integrations<\/td>\n<td>Yes<\/td>\n<td>WhatsApp, Telegram, Discord, Signal, Slack, etc.<\/td>\n<\/tr>\n<tr>\n<td>ClawHub Marketplace<\/td>\n<td>Yes<\/td>\n<td>Skill publishing, moderation, distribution<\/td>\n<\/tr>\n<tr>\n<td>MCP Servers<\/td>\n<td>Yes<\/td>\n<td>External tool providers<\/td>\n<\/tr>\n<tr>\n<td>User Devices<\/td>\n<td>Partial<\/td>\n<td>Mobile apps, desktop clients<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>1.3 Out of Scope<\/h3>\n<p>Nothing is explicitly out of scope for this threat model.<\/p>\n<hr \/>\n<h2>2. 
System Architecture<\/h2>\n<h3>2.1 Trust Boundaries<\/h3>\n<pre><code>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                    UNTRUSTED ZONE                                \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510              \u2502\n\u2502  \u2502  WhatsApp   \u2502  \u2502  Telegram   \u2502  \u2502   Discord   \u2502  ...         \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2518  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2518  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2518              \u2502\n\u2502         \u2502                \u2502                \u2502                      \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n          \u2502                \u2502                \u2502\n          \u25bc                \u25bc                
\u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                 TRUST BOUNDARY 1: Channel Access                 \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502                      GATEWAY                              \u2502   \u2502\n\u2502  \u2502  \u2022 Device Pairing (30s grace period)                      \u2502   \u2502\n\u2502  \u2502  \u2022 AllowFrom \/ AllowList validation                       \u2502   \u2502\n\u2502  \u2502  \u2022 Token\/Password\/Tailscale auth                          \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502\n                              \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                 TRUST BOUNDARY 2: Session Isolation              \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502                   AGENT SESSIONS                          \u2502   \u2502\n\u2502  \u2502  \u2022 Session key = agent:channel:peer                       \u2502   \u2502\n\u2502  \u2502  \u2022 Tool policies per agent                                \u2502   \u2502\n\u2502  \u2502  \u2022 Transcript logging                                     \u2502   \u2502\n\u2502  
\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502\n                              \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                 TRUST BOUNDARY 3: Tool Execution                 \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502                  EXECUTION SANDBOX                        \u2502   \u2502\n\u2502  \u2502  \u2022 Docker sandbox OR Host (exec-approvals)                \u2502   \u2502\n\u2502  \u2502  \u2022 Node remote execution                                  \u2502   
\u2502\n\u2502  \u2502  \u2022 SSRF protection (DNS pinning + IP blocking)            \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502\n                              \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                 TRUST BOUNDARY 4: External Content               \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502              FETCHED URLs \/ EMAILS \/ WEBHOOKS             \u2502   \u2502\n\u2502  \u2502  \u2022 External content wrapping (XML tags)                   
\u2502   \u2502\n\u2502  \u2502  \u2022 Security notice injection                              \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502\n                              \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                 TRUST BOUNDARY 5: Supply Chain                   \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502                      CLAWHUB                              \u2502   \u2502\n\u2502  \u2502  \u2022 Skill publishing (semver, SKILL.md required)         
  \u2502   \u2502\n\u2502  \u2502  \u2022 Pattern-based moderation flags                         \u2502   \u2502\n\u2502  \u2502  \u2022 VirusTotal scanning (coming soon)                      \u2502   \u2502\n\u2502  \u2502  \u2022 GitHub account age verification                        \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/code><\/pre>\n<h3>2.2 Data Flows<\/h3>\n<table>\n<thead>\n<tr>\n<th>Flow<\/th>\n<th>Source<\/th>\n<th>Destination<\/th>\n<th>Data<\/th>\n<th>Protection<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>F1<\/td>\n<td>Channel<\/td>\n<td>Gateway<\/td>\n<td>User messages<\/td>\n<td>TLS, AllowFrom<\/td>\n<\/tr>\n<tr>\n<td>F2<\/td>\n<td>Gateway<\/td>\n<td>Agent<\/td>\n<td>Routed messages<\/td>\n<td>Session isolation<\/td>\n<\/tr>\n<tr>\n<td>F3<\/td>\n<td>Agent<\/td>\n<td>Tools<\/td>\n<td>Tool invocations<\/td>\n<td>Policy enforcement<\/td>\n<\/tr>\n<tr>\n<td>F4<\/td>\n<td>Agent<\/td>\n<td>External<\/td>\n<td>web_fetch requests<\/td>\n<td>SSRF blocking<\/td>\n<\/tr>\n<tr>\n<td>F5<\/td>\n<td>ClawHub<\/td>\n<td>Agent<\/td>\n<td>Skill code<\/td>\n<td>Moderation, scanning<\/td>\n<\/tr>\n<tr>\n<td>F6<\/td>\n<td>Agent<\/td>\n<td>Channel<\/td>\n<td>Responses<\/td>\n<td>Output 
filtering<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2>3. Threat Analysis by ATLAS Tactic<\/h2>\n<h3>3.1 Reconnaissance (AML.TA0002)<\/h3>\n<h4>T-RECON-001: Agent Endpoint Discovery<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0006 &#8211; Active Scanning<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker scans for exposed OpenClaw gateway endpoints<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Network scanning, Shodan queries, DNS enumeration<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Gateway, exposed API endpoints<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Tailscale auth option, bind to loopback by default<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Public gateways discoverable<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Document secure deployment, add rate limiting on discovery endpoints<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-RECON-002: Channel Integration Probing<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0006 &#8211; Active Scanning<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker probes messaging channels to identify AI-managed accounts<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Sending test messages, observing response patterns<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>All channel integrations<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>None specific<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Low &#8211; Limited value from discovery alone<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Consider response timing 
randomization<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.2 Initial Access (AML.TA0004)<\/h3>\n<h4>T-ACCESS-001: Pairing Code Interception<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0040 &#8211; AI Model Inference API Access<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker intercepts pairing code during 30s grace period<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Shoulder surfing, network sniffing, social engineering<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Device pairing system<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>30s expiry, codes sent via existing channel<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Grace period exploitable<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Reduce grace period, add confirmation step<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-ACCESS-002: AllowFrom Spoofing<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0040 &#8211; AI Model Inference API Access<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker spoofs allowed sender identity in channel<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Depends on channel &#8211; phone number spoofing, username impersonation<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>AllowFrom validation per channel<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Channel-specific identity verification<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Some channels vulnerable to spoofing<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Document channel-specific risks, add 
cryptographic verification where possible<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-ACCESS-003: Token Theft<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0040 &#8211; AI Model Inference API Access<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker steals authentication tokens from config files<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Malware, unauthorized device access, config backup exposure<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>~\/.openclaw\/credentials\/, config storage<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>File permissions<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; Tokens stored in plaintext<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement token encryption at rest, add token rotation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.3 Execution (AML.TA0005)<\/h3>\n<h4>T-EXEC-001: Direct Prompt Injection<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0051.000 &#8211; LLM Prompt Injection: Direct<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker sends crafted prompts to manipulate agent behavior<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Channel messages containing adversarial instructions<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Agent LLM, all input surfaces<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Pattern detection, external content wrapping<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Critical &#8211; Detection only, no blocking; sophisticated attacks 
bypass<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement multi-layer defense, output validation, user confirmation for sensitive actions<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-EXEC-002: Indirect Prompt Injection<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0051.001 &#8211; LLM Prompt Injection: Indirect<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker embeds malicious instructions in fetched content<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Malicious URLs, poisoned emails, compromised webhooks<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>web_fetch, email ingestion, external data sources<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Content wrapping with XML tags and security notice<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; LLM may ignore wrapper instructions<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement content sanitization, separate execution contexts<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-EXEC-003: Tool Argument Injection<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0051.000 &#8211; LLM Prompt Injection: Direct<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker manipulates tool arguments through prompt injection<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Crafted prompts that influence tool parameter values<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>All tool invocations<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Exec approvals for dangerous commands<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; 
Relies on user judgment<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement argument validation, parameterized tool calls<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-EXEC-004: Exec Approval Bypass<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0043 &#8211; Craft Adversarial Data<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker crafts commands that bypass approval allowlist<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Command obfuscation, alias exploitation, path manipulation<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>exec-approvals.ts, command allowlist<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Allowlist + ask mode<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; No command sanitization<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement command normalization, expand blocklist<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.4 Persistence (AML.TA0006)<\/h3>\n<h4>T-PERSIST-001: Malicious Skill Installation<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0010.001 &#8211; Supply Chain Compromise: AI Software<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker publishes malicious skill to ClawHub<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Create account, publish skill with hidden malicious code<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>ClawHub, skill loading, agent execution<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>GitHub account age verification, pattern-based moderation flags<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Critical 
&#8211; No sandboxing, limited review<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>VirusTotal integration (in progress), skill sandboxing, community review<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-PERSIST-002: Skill Update Poisoning<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0010.001 &#8211; Supply Chain Compromise: AI Software<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker compromises popular skill and pushes malicious update<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Account compromise, social engineering of skill owner<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>ClawHub versioning, auto-update flows<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Version fingerprinting<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; Auto-updates may pull malicious versions<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement update signing, rollback capability, version pinning<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-PERSIST-003: Agent Configuration Tampering<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0010.002 &#8211; Supply Chain Compromise: Data<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker modifies agent configuration to persist access<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Config file modification, settings injection<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Agent config, tool policies<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>File permissions<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Requires local 
access<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Config integrity verification, audit logging for config changes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.5 Defense Evasion (AML.TA0007)<\/h3>\n<h4>T-EVADE-001: Moderation Pattern Bypass<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0043 &#8211; Craft Adversarial Data<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker crafts skill content to evade moderation patterns<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Unicode homoglyphs, encoding tricks, dynamic loading<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>ClawHub moderation.ts<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Pattern-based FLAG_RULES<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; Simple regex easily bypassed<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Add behavioral analysis (VirusTotal Code Insight), AST-based detection<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-EVADE-002: Content Wrapper Escape<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0043 &#8211; Craft Adversarial Data<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker crafts content that escapes XML wrapper context<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Tag manipulation, context confusion, instruction override<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>External content wrapping<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>XML tags + security notice<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Novel escapes discovered 
regularly<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Multiple wrapper layers, output-side validation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.6 Discovery (AML.TA0008)<\/h3>\n<h4>T-DISC-001: Tool Enumeration<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0040 &#8211; AI Model Inference API Access<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker enumerates available tools through prompting<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>&#8220;What tools do you have?&#8221; style queries<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Agent tool registry<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>None specific<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Low &#8211; Tools generally documented<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Consider tool visibility controls<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-DISC-002: Session Data Extraction<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0040 &#8211; AI Model Inference API Access<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker extracts sensitive data from session context<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>&#8220;What did we discuss?&#8221; queries, context probing<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Session transcripts, context window<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Session isolation per sender<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Within-session data accessible<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement 
sensitive data redaction in context<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.7 Collection &amp; Exfiltration (AML.TA0009, AML.TA0010)<\/h3>\n<h4>T-EXFIL-001: Data Theft via web_fetch<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0009 &#8211; Collection<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker exfiltrates data by instructing agent to send to external URL<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Prompt injection causing agent to POST data to attacker server<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>web_fetch tool<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>SSRF blocking for internal networks<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; External URLs permitted<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement URL allowlisting, data classification awareness<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-EXFIL-002: Unauthorized Message Sending<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0009 &#8211; Collection<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker causes agent to send messages containing sensitive data<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Prompt injection causing agent to message attacker<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Message tool, channel integrations<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Outbound messaging gating<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Gating may be bypassed<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Require explicit confirmation for new 
recipients<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-EXFIL-003: Credential Harvesting<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0009 &#8211; Collection<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Malicious skill harvests credentials from agent context<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Skill code reads environment variables, config files<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Skill execution environment<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>None specific to skills<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Critical &#8211; Skills run with agent privileges<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Skill sandboxing, credential isolation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>3.8 Impact (AML.TA0011)<\/h3>\n<h4>T-IMPACT-001: Unauthorized Command Execution<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0031 &#8211; Erode AI Model Integrity<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker executes arbitrary commands on user system<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Prompt injection combined with exec approval bypass<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Bash tool, command execution<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>Exec approvals, Docker sandbox option<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Critical &#8211; Host execution without sandbox<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Default to sandbox, improve approval UX<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-IMPACT-002: Resource 
Exhaustion (DoS)<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0031 &#8211; Erode AI Model Integrity<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker exhausts API credits or compute resources<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Automated message flooding, expensive tool calls<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Gateway, agent sessions, API provider<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>None<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>High &#8211; No rate limiting<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Implement per-sender rate limits, cost budgets<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>T-IMPACT-003: Reputation Damage<\/h4>\n<table>\n<thead>\n<tr>\n<th>Attribute<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS ID<\/strong><\/td>\n<td>AML.T0031 &#8211; Erode AI Model Integrity<\/td>\n<\/tr>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td>Attacker causes agent to send harmful\/offensive content<\/td>\n<\/tr>\n<tr>\n<td><strong>Attack Vector<\/strong><\/td>\n<td>Prompt injection causing inappropriate responses<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Components<\/strong><\/td>\n<td>Output generation, channel messaging<\/td>\n<\/tr>\n<tr>\n<td><strong>Current Mitigations<\/strong><\/td>\n<td>LLM provider content policies<\/td>\n<\/tr>\n<tr>\n<td><strong>Residual Risk<\/strong><\/td>\n<td>Medium &#8211; Provider filters imperfect<\/td>\n<\/tr>\n<tr>\n<td><strong>Recommendations<\/strong><\/td>\n<td>Output filtering layer, user controls<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2>4. 
ClawHub Supply Chain Analysis<\/h2>\n<h3>4.1 Current Security Controls<\/h3>\n<table>\n<thead>\n<tr>\n<th>Control<\/th>\n<th>Implementation<\/th>\n<th>Effectiveness<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>GitHub Account Age<\/td>\n<td><code>requireGitHubAccountAge()<\/code><\/td>\n<td>Medium &#8211; Raises bar for new attackers<\/td>\n<\/tr>\n<tr>\n<td>Path Sanitization<\/td>\n<td><code>sanitizePath()<\/code><\/td>\n<td>High &#8211; Prevents path traversal<\/td>\n<\/tr>\n<tr>\n<td>File Type Validation<\/td>\n<td><code>isTextFile()<\/code><\/td>\n<td>Medium &#8211; Only text files, but can still be malicious<\/td>\n<\/tr>\n<tr>\n<td>Size Limits<\/td>\n<td>50MB total bundle<\/td>\n<td>High &#8211; Prevents resource exhaustion<\/td>\n<\/tr>\n<tr>\n<td>Required SKILL.md<\/td>\n<td>Mandatory readme<\/td>\n<td>Low security value &#8211; Informational only<\/td>\n<\/tr>\n<tr>\n<td>Pattern Moderation<\/td>\n<td>FLAG_RULES in moderation.ts<\/td>\n<td>Low &#8211; Easily bypassed<\/td>\n<\/tr>\n<tr>\n<td>Moderation Status<\/td>\n<td><code>moderationStatus<\/code> field<\/td>\n<td>Medium &#8211; Manual review possible<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>4.2 Moderation Flag Patterns<\/h3>\n<p>Current patterns in <code>moderation.ts<\/code>:<\/p>\n<pre><code>\/\/ Known-bad identifiers\n\/(keepcold131\\\/ClawdAuthenticatorTool|ClawdAuthenticatorTool)\/i\n\n\/\/ Suspicious keywords\n\/(malware|stealer|phish|phishing|keylogger)\/i\n\/(api[-_ ]?key|token|password|private key|secret)\/i\n\/(wallet|seed phrase|mnemonic|crypto)\/i\n\/(discord.gg|webhook|hooks.slack)\/i\n\/(curl[^\\n]+\\|\\s*(sh|bash))\/i\n\/(bit.ly|tinyurl.com|t.co|goo.gl|is.gd)\/i\n<\/code><\/pre>\n<p><strong>Limitations:<\/strong><\/p>\n<ul>\n<li>Only checks slug, displayName, summary, frontmatter, metadata, file paths<\/li>\n<li>Does not analyze actual skill code content<\/li>\n<li>Simple regex easily bypassed with obfuscation<\/li>\n<li>No behavioral analysis<\/li>\n<\/ul>\n<h3>4.3 Planned Improvements<\/h3>\n<table>\n<thead>\n<tr>\n<th>Improvement<\/th>\n<th>Status<\/th>\n<th>Impact<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VirusTotal Integration<\/td>\n<td>In Progress<\/td>\n<td>High &#8211; Code Insight behavioral analysis<\/td>\n<\/tr>\n<tr>\n<td>Community Reporting<\/td>\n<td>Partial (<code>skillReports<\/code> table exists)<\/td>\n<td>Medium<\/td>\n<\/tr>\n<tr>\n<td>Audit Logging<\/td>\n<td>Partial (<code>auditLogs<\/code> table exists)<\/td>\n<td>Medium<\/td>\n<\/tr>\n<tr>\n<td>Badge System<\/td>\n<td>Implemented<\/td>\n<td>Medium &#8211; <code>highlighted<\/code>, <code>official<\/code>, <code>deprecated<\/code>, <code>redactionApproved<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2>5. Risk Matrix<\/h2>\n<h3>5.1 Likelihood vs Impact<\/h3>\n<table>\n<thead>\n<tr>\n<th>Threat ID<\/th>\n<th>Likelihood<\/th>\n<th>Impact<\/th>\n<th>Risk Level<\/th>\n<th>Priority<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>T-EXEC-001<\/td>\n<td>High<\/td>\n<td>Critical<\/td>\n<td><strong>Critical<\/strong><\/td>\n<td>P0<\/td>\n<\/tr>\n<tr>\n<td>T-PERSIST-001<\/td>\n<td>High<\/td>\n<td>Critical<\/td>\n<td><strong>Critical<\/strong><\/td>\n<td>P0<\/td>\n<\/tr>\n<tr>\n<td>T-EXFIL-003<\/td>\n<td>Medium<\/td>\n<td>Critical<\/td>\n<td><strong>Critical<\/strong><\/td>\n<td>P0<\/td>\n<\/tr>\n<tr>\n<td>T-IMPACT-001<\/td>\n<td>Medium<\/td>\n<td>Critical<\/td>\n<td><strong>High<\/strong><\/td>\n<td>P1<\/td>\n<\/tr>\n<tr>\n<td>T-EXEC-002<\/td>\n<td>High<\/td>\n<td>High<\/td>\n<td><strong>High<\/strong><\/td>\n<td>P1<\/td>\n<\/tr>\n<tr>\n<td>T-EXEC-004<\/td>\n<td>Medium<\/td>\n<td>High<\/td>\n<td><strong>High<\/strong><\/td>\n<td>P1<\/td>\n<\/tr>\n<tr>\n<td>T-ACCESS-003<\/td>\n<td>Medium<\/td>\n<td>High<\/td>\n<td><strong>High<\/strong><\/td>\n<td>P1<\/td>\n<\/tr>\n<tr>\n<td>T-EXFIL-001<\/td>\n<td>Medium<\/td>\n<td>High<\/td>\n<td><strong>High<\/strong><\/td>\n<td>P1<\/td>\n<\/tr>\n<tr>\n<td>T-IMPACT-002<\/td>\n<td>High<\/td>\n<td>Medium<\/td>\n<td><strong>High<\/strong><\/td>\n<td>P1<\/td>\n<\/tr>\n<tr>\n<td>T-EVADE-001<\/td>\n<td>High<\/td>\n<td>Medium<\/td>\n<td><strong>Medium<\/strong><\/td>\n<td>P2<\/td>\n<\/tr>\n<tr>\n<td>T-ACCESS-001<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td><strong>Medium<\/strong><\/td>\n<td>P2<\/td>\n<\/tr>\n<tr>\n<td>T-ACCESS-002<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td><strong>Medium<\/strong><\/td>\n<td>P2<\/td>\n<\/tr>\n<tr>\n<td>T-PERSIST-002<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td><strong>Medium<\/strong><\/td>\n<td>P2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>5.2 Critical Path Attack Chains<\/h3>\n<p><strong>Attack Chain 1: Skill-Based Data Theft<\/strong><\/p>\n<pre><code>T-PERSIST-001 \u2192 T-EVADE-001 \u2192 T-EXFIL-003\n(Publish malicious skill) \u2192 (Evade moderation) \u2192 (Harvest credentials)\n<\/code><\/pre>\n<p><strong>Attack Chain 2: Prompt Injection to RCE<\/strong><\/p>\n<pre><code>T-EXEC-001 \u2192 T-EXEC-004 \u2192 T-IMPACT-001\n(Inject prompt) \u2192 (Bypass exec approval) \u2192 (Execute commands)\n<\/code><\/pre>\n<p><strong>Attack Chain 3: Indirect Injection via Fetched Content<\/strong><\/p>\n<pre><code>T-EXEC-002 \u2192 T-EXFIL-001 \u2192 External exfiltration\n(Poison URL content) \u2192 (Agent fetches &amp; follows instructions) \u2192 (Data sent to attacker)\n<\/code><\/pre>\n<hr \/>\n<h2>6. Recommendations Summary<\/h2>\n<h3>6.1 Immediate (P0)<\/h3>\n<table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Recommendation<\/th>\n<th>Addresses<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>R-001<\/td>\n<td>Complete VirusTotal integration<\/td>\n<td>T-PERSIST-001, T-EVADE-001<\/td>\n<\/tr>\n<tr>\n<td>R-002<\/td>\n<td>Implement skill sandboxing<\/td>\n<td>T-PERSIST-001, T-EXFIL-003<\/td>\n<\/tr>\n<tr>\n<td>R-003<\/td>\n<td>Add output validation for sensitive actions<\/td>\n<td>T-EXEC-001, T-EXEC-002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>6.2 Short-term (P1)<\/h3>\n<table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Recommendation<\/th>\n<th>Addresses<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>R-004<\/td>\n<td>Implement rate limiting<\/td>\n<td>T-IMPACT-002<\/td>\n<\/tr>\n<tr>\n<td>R-005<\/td>\n<td>Add token encryption at rest<\/td>\n<td>T-ACCESS-003<\/td>\n<\/tr>\n<tr>\n<td>R-006<\/td>\n<td>Improve exec approval UX and validation<\/td>\n<td>T-EXEC-004<\/td>\n<\/tr>\n<tr>\n<td>R-007<\/td>\n<td>Implement URL allowlisting for web_fetch<\/td>\n<td>T-EXFIL-001<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>6.3 Medium-term 
(P2)<\/h3>\n<table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Recommendation<\/th>\n<th>Addresses<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>R-008<\/td>\n<td>Add cryptographic channel verification where possible<\/td>\n<td>T-ACCESS-002<\/td>\n<\/tr>\n<tr>\n<td>R-009<\/td>\n<td>Implement config integrity verification<\/td>\n<td>T-PERSIST-003<\/td>\n<\/tr>\n<tr>\n<td>R-010<\/td>\n<td>Add update signing and version pinning<\/td>\n<td>T-PERSIST-002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2>7. Appendices<\/h2>\n<h3>7.1 ATLAS Technique Mapping<\/h3>\n<table>\n<thead>\n<tr>\n<th>ATLAS ID<\/th>\n<th>Technique Name<\/th>\n<th>OpenClaw Threats<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>AML.T0006<\/td>\n<td>Active Scanning<\/td>\n<td>T-RECON-001, T-RECON-002<\/td>\n<\/tr>\n<tr>\n<td>AML.T0009<\/td>\n<td>Collection<\/td>\n<td>T-EXFIL-001, T-EXFIL-002, T-EXFIL-003<\/td>\n<\/tr>\n<tr>\n<td>AML.T0010.001<\/td>\n<td>Supply Chain: AI Software<\/td>\n<td>T-PERSIST-001, T-PERSIST-002<\/td>\n<\/tr>\n<tr>\n<td>AML.T0010.002<\/td>\n<td>Supply Chain: Data<\/td>\n<td>T-PERSIST-003<\/td>\n<\/tr>\n<tr>\n<td>AML.T0031<\/td>\n<td>Erode AI Model Integrity<\/td>\n<td>T-IMPACT-001, T-IMPACT-002, T-IMPACT-003<\/td>\n<\/tr>\n<tr>\n<td>AML.T0040<\/td>\n<td>AI Model Inference API Access<\/td>\n<td>T-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002<\/td>\n<\/tr>\n<tr>\n<td>AML.T0043<\/td>\n<td>Craft Adversarial Data<\/td>\n<td>T-EXEC-004, T-EVADE-001, T-EVADE-002<\/td>\n<\/tr>\n<tr>\n<td>AML.T0051.000<\/td>\n<td>LLM Prompt Injection: Direct<\/td>\n<td>T-EXEC-001, T-EXEC-003<\/td>\n<\/tr>\n<tr>\n<td>AML.T0051.001<\/td>\n<td>LLM Prompt Injection: Indirect<\/td>\n<td>T-EXEC-002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>7.2 Key Security Files<\/h3>\n<table>\n<thead>\n<tr>\n<th>Path<\/th>\n<th>Purpose<\/th>\n<th>Risk Level<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>src\/infra\/exec-approvals.ts<\/code><\/td>\n<td>Command approval 
logic<\/td>\n<td><strong>Critical<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>src\/gateway\/auth.ts<\/code><\/td>\n<td>Gateway authentication<\/td>\n<td><strong>Critical<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>src\/web\/inbound\/access-control.ts<\/code><\/td>\n<td>Channel access control<\/td>\n<td><strong>Critical<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>src\/infra\/net\/ssrf.ts<\/code><\/td>\n<td>SSRF protection<\/td>\n<td><strong>Critical<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>src\/security\/external-content.ts<\/code><\/td>\n<td>Prompt injection mitigation<\/td>\n<td><strong>Critical<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>src\/agents\/sandbox\/tool-policy.ts<\/code><\/td>\n<td>Tool policy enforcement<\/td>\n<td><strong>Critical<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>convex\/lib\/moderation.ts<\/code><\/td>\n<td>ClawHub moderation<\/td>\n<td><strong>High<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>convex\/lib\/skillPublish.ts<\/code><\/td>\n<td>Skill publishing flow<\/td>\n<td><strong>High<\/strong><\/td>\n<\/tr>\n<tr>\n<td><code>src\/routing\/resolve-route.ts<\/code><\/td>\n<td>Session isolation<\/td>\n<td><strong>Medium<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>7.3 Glossary<\/h3>\n<table>\n<thead>\n<tr>\n<th>Term<\/th>\n<th>Definition<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>ATLAS<\/strong><\/td>\n<td>MITRE&#8217;s Adversarial Threat Landscape for AI Systems<\/td>\n<\/tr>\n<tr>\n<td><strong>ClawHub<\/strong><\/td>\n<td>OpenClaw&#8217;s skill marketplace<\/td>\n<\/tr>\n<tr>\n<td><strong>Gateway<\/strong><\/td>\n<td>OpenClaw&#8217;s message routing and authentication layer<\/td>\n<\/tr>\n<tr>\n<td><strong>MCP<\/strong><\/td>\n<td>Model Context Protocol &#8211; tool provider interface<\/td>\n<\/tr>\n<tr>\n<td><strong>Prompt Injection<\/strong><\/td>\n<td>Attack where malicious instructions are embedded in input<\/td>\n<\/tr>\n<tr>\n<td><strong>Skill<\/strong><\/td>\n<td>Downloadable extension for OpenClaw 
agents<\/td>\n<\/tr>\n<tr>\n<td><strong>SSRF<\/strong><\/td>\n<td>Server-Side Request Forgery<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><em>This threat model is a living document. Report security issues to <a href=\"mailto:security@openclaw.ai\">security@openclaw.ai<\/a><\/em><\/p>\n","protected":false}}