Episode 23: OpenClaw

Welcome everybody to Before the Commit episode 23. With me as usual, I have my friend Dustin Hillgartner. This week, we're talking about Open Claw, all things Open Claw. There's really not much more to say other than we hope to break down what it is, some of the risks associated with it, and why it might actually be a good thing.

Open Claw is an open-source agent framework with potential benefits but significant security risks due to its broad access capabilities. It can integrate with messaging apps and utilizes a "skills" system for instructions. A scan revealed many internet-accessible instances, suggesting users may be unaware of the security implications. Risks include prompt injection attacks and plain-text credential storage. Prominent figures have advised caution.

By default, Open Claw can expose all granted access. Exploits can involve retrieving credentials through prompt engineering. Its integration with messaging apps widens the attack surface. Key security concerns include lack of scoping, untrusted context sources, maximum privilege by default, and vulnerability to single-point compromises via prompt injection. The project's ease of misconfiguration and adoption by non-technical users exacerbate these issues.

ModSecOps principles highlight Open Claw's lack of security: skills execute with full permissions, context is untrusted, and it defaults to maximum privilege. Unlike multi-agent systems with adversarial reviews, Open Claw's single-agent design is susceptible to prompt injection attacks. Exploits can bypass safety controls entirely. The analogy of an unquestioning employee with full access to sensitive data aptly describes its risk. Its open-source nature, while fostering development, also allows rapid exploitation, potentially spreading like a worm. Unpatched vulnerabilities and a lack of developer response further compound these dangers.