OpenClaw Threat Model

Phase I Architecture-Focused Red Team Assessment  ·  MAESTRO + OWASP ASI Top 10 (2026)

Phase I v1.0 · Feb 2026
Summary
  Critical Threats:  3
  High Threats:      4
  Medium Threats:    3
  ASI Coverage:      10/10
  MAESTRO Layers:    7/7
Top-Level Threat Enumeration
ID   Threat                                        Severity   MAESTRO Layers   OWASP ASI
T01  Agent Goal Hijack via Prompt Injection        Critical   L2, L1           ASI01
T02  Unrestricted exec/Shell Without Sandboxing    Critical   L3, L4           ASI02, ASI05
T03  Credential Exposure via Auth Profiles         Critical   L6, L2           ASI03
T04  Memory & Context Poisoning                    High       L2, L1           ASI06
T05  Supply Chain via ClawHub/Plugins              High       L7, L3           ASI04
T06  Multi-Agent Privilege Escalation              High       L7, L3           ASI03, ASI07
T07  Gateway Single Point of Failure               High       L4, L3           ASI08
T08  Cross-Channel Data Exfiltration               Medium     L7, L2           ASI02, ASI09
T09  Cron Autonomous Actions w/o Oversight         Medium     L5, L3           ASI10
T10  Peripheral Node Compromise                    Medium     L4, L7           ASI07, ASI08
MAESTRO Layer Distribution

Layer                             Threats                           Count
L1 Foundation Models              T01, T03, T04                     3
L2 Data Operations                T01, T03, T04, T06, T08           5
L3 Agent Frameworks               T01–T07, T09                      8
L4 Deployment/Infrastructure      T02, T05, T07, T09, T10           5
L5 Evaluation/Observability       T04, T05, T09                     3
L6 Security/Compliance            T02, T03, T05–T10                 8
L7 Agent Ecosystem                T01, T04, T05, T06, T08, T10      6
CSA MAESTRO 7-Layer Reference Architecture  ·  7/7 LAYERS COVERED
OWASP ASI Coverage
Category   Coverage   Mapped threats (from the enumeration above)
ASI01      FULL       T01
ASI02      FULL       T02, T08
ASI03      FULL       T03, T06
ASI04      FULL       T05
ASI05      FULL       T02
ASI06      FULL       T04
ASI07      FULL       T06, T10
ASI08      FULL       T07, T10
ASI09      FULL       T08
ASI10      FULL       T09
Trust Boundary Risk Map
ID    Boundary                                          Risk
TB-1  Internet → Channel Adapters                       Critical
TB-2  Channel → Gateway WebSocket                       High
TB-3  Gateway → Agent Context Assembly                  Critical
TB-4  Agent → LLM Provider API (Bidirectional)          High
TB-5  Agent → Tool Surface (exec/read/write/browser)    Critical
TB-6  Gateway → Peripheral Nodes (VPN/mDNS)             High
Top Recommended Mitigations
R1  (P0, mitigates T02): Mandatory tool-execution sandboxing — container/namespace isolation for all exec, shell, and browser tools
R2  (P0, mitigates T01): Instruction/data separation in the context assembly pipeline to prevent prompt injection
R3  (P0, mitigates T03): Encrypt auth-profiles.json and use a credential vault — no plaintext credentials in the LLM context window
R4  (P1, mitigates T07): Deploy a reverse proxy, rate limiting, and pairing-code brute-force hardening for gateway exposure
R5  (P1, mitigates T08): Per-channel access control and data loss prevention on the message tool to prevent cross-channel exfiltration
R6  (P1, mitigates T06): Formal inter-agent trust model with capability-bounded delegation to prevent privilege escalation
R7  (P1, mitigates T04): Memory integrity validation and anomaly detection for context poisoning prevention
R8  (P2, mitigates T05): Plugin sandboxing and mandatory code signing for all ClawHub marketplace extensions
R9  (P2, mitigates T09): Restricted tool surface for cron-triggered agents — read-only by default with explicit escalation
R10 (P2, mitigates T10): Mutual TLS for gateway↔node communication and certificate-pinned registration for peripherals