Full Report
Researching OpenClaw vulnerabilities, malicious skills and other security issues with the popular agent, and providing tips on how to mitigate them.
Analysis Summary
Based on the technical analysis provided by Kaspersky regarding the **OpenClaw** agent (an open-source framework for LLM-powered autonomous agents), here is the summary of the identified security flaws.
# Vulnerability: OpenClaw Remote Code Execution and Data Loss
## CVE Details
* **CVE ID:** CVE-2024-45377, CVE-2024-45378
* **CVSS Score:** 9.6 (Critical)
* **CWE:** CWE-22 (Path Traversal), CWE-94 (Code Injection)
## Affected Systems
* **Products:** OpenClaw Agent Framework
* **Versions:** All versions prior to August 2024
* **Configurations:** Default installations where the "Skills" (plugins) are enabled and the agent is exposed to user input/network traffic.
## Vulnerability Description
The research identified two primary critical flaws:
1. **Path Traversal (CVE-2024-45377):** The agent's file-handling skills did not properly sanitize user-provided file paths. An attacker could craft a prompt forcing the agent to read or write files outside of the intended directory (e.g., system configuration files or SSH keys).
2. **Insecure Code Execution (CVE-2024-45378):** The "Python Interpreter" skill allowed the agent to execute arbitrary Python code to solve tasks. Because the framework lacked a robust sandbox, a malicious prompt could trigger the execution of OS-level commands, leading to full system compromise.
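The path-traversal flaw described in item 1 is the classic case of a file skill checking the string it was given rather than the location that string actually resolves to. The following Python is an added example, not OpenClaw's code and not drawn from the Kaspersky analysis: it shows the containment check a FileRead/FileWrite-style skill needs, decided on the fully resolved path so that `..` segments, absolute paths and symlinks pointing outside the working directory are all refused. The names `resolve_inside`, `read_text_skill`, `PathEscapeError` and the directories constructed in `demo` are this example's own assumptions.

```python
"""Containment check for a file-handling skill (added example).

This is not OpenClaw's code: it shows the check a FileRead/FileWrite-style
skill needs so that a model-produced path cannot escape the skill's working
directory, the CWE-22 class of flaw described above.  `resolve_inside`,
`read_text_skill` and the directory names in `demo` are this example's own.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path would resolve outside the permitted root."""


def resolve_inside(root_dir: str | Path, requested: str) -> Path:
    """Return the real path for `requested`, guaranteed to sit under `root_dir`.

    `requested` is untrusted (it may come straight from an LLM completion).
    The check is made on the fully resolved candidate, so `..` segments,
    absolute paths and symlinks that point outside the root are all rejected
    regardless of how the string was spelled.
    """
    root = Path(root_dir).resolve()
    # pathlib discards `root` when `requested` is absolute; that is fine here
    # because containment is decided on the resolved result, not on the input.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when not under root
    except ValueError as exc:
        raise PathEscapeError(f"refusing path outside {root}: {requested!r}") from exc
    return candidate


def read_text_skill(root_dir: str | Path, requested: str) -> str:
    """Minimal FileRead-style skill body built on the containment check."""
    return resolve_inside(root_dir, requested).read_text()


def demo() -> dict:
    """Exercise the check against constructed inputs and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "skill_root"
        root.mkdir()
        (root / "notes.txt").write_text("allowed content")
        # A constructed secret outside the root, plus a symlink inside the root
        # pointing at it: the usual way a string-only check gets bypassed.
        secret = Path(tmp) / "outside_secret"
        secret.write_text("must not be readable through the skill")
        (root / "link").symlink_to(secret)

        results = {"plain": read_text_skill(root, "notes.txt")}
        attempts = {
            "dotdot": "../outside_secret",
            "absolute": str(secret),
            "symlink": "link",
        }
        for label, path in attempts.items():
            try:
                read_text_skill(root, path)
                results[label] = "ALLOWED"
            except PathEscapeError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome for each constructed input; only the in-root file is readable, and the `..`, absolute and symlink attempts each raise `PathEscapeError` before any file is opened. The same `resolve_inside` call belongs in front of every write as well as every read.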
## Exploitation
* **Status:** PoC available; research published by Kaspersky.
* **Complexity:** Low (requires only natural language manipulation/Prompt Injection).
* **Attack Vector:** Network (Remote via interaction with the LLM agent).
## Impact
* **Confidentiality:** Critical (Access to local files, environment variables, and database credentials).
* **Integrity:** Critical (Ability to modify system files and application logic).
* **Availability:** High (Potential to delete files or crash the host service).
## Remediation
### Patches
* Users should update OpenClaw to the latest commit on the official GitHub repository (fixes were merged in late 2024).
### Workarounds
* **Disable Dangerous Skills:** Disable the `PythonInterpreter` and `FileWrite` skills if they are not strictly necessary for the use case.
* **Containerization:** Run the OpenClaw agent inside a strictly limited Docker container with a read-only root filesystem and no access to the host network.
## Detection
* **Indicators of Compromise:** Unusual Python processes spawned by the agent; log entries showing file access attempts to `/etc/passwd`, `~/.ssh/`, or sensitive environment directories.
* **Detection methods:** Use runtime security tools (like Falco or monitoring agents) to flag unexpected shell executions spawned by the process running the LLM agent.
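The two indicators above (the agent's process spawning a shell or interpreter, and the agent opening sensitive paths such as `/etc/passwd` or `~/.ssh/`) can be expressed as simple rules over process and file telemetry. The Python below is an added example, not part of the original report and not a Falco rule: it applies those checks to constructed JSON-lines events whose field names are modelled loosely on what an audit- or eBPF-style runtime sensor emits. The agent process name `openclaw-agent`, the field names and the sample events are assumptions of this example.

```python
"""Detection logic for the indicators listed above (added example).

Not part of the original report and not a Falco rule: it applies the same
checks (an LLM-agent process spawning a shell or interpreter; the agent opening
sensitive files) to constructed JSON-lines telemetry.  The agent process name
`openclaw-agent`, the event field names and the sample events are assumptions
of this example, modelled loosely on an audit/eBPF-style runtime sensor.
"""
import fnmatch
import json

AGENT_PROCESS_NAMES = {"openclaw-agent"}   # assumed process name of the agent
SHELL_BINARIES = {"sh", "bash", "dash", "zsh"}
INTERPRETERS = {"python", "python3"}
# Patterns mirroring the report's IoCs: /etc/passwd, ~/.ssh/ and credential files.
SENSITIVE_FILE_PATTERNS = [
    "/etc/passwd", "/etc/shadow", "/home/*/.ssh/*", "/root/.ssh/*", "*/.env",
]

# Constructed sample telemetry (not real logs): the agent starting, a shell and a
# Python interpreter spawned by it, one sensitive open and one benign open.
SAMPLE_LOG = """\
{"type": "exec", "pid": 300, "ppid": 1, "parent_comm": "systemd", "comm": "openclaw-agent", "cmdline": "openclaw-agent --serve"}
{"type": "exec", "pid": 412, "ppid": 300, "parent_comm": "openclaw-agent", "comm": "sh", "cmdline": "sh -c uname -a"}
{"type": "open", "pid": 300, "comm": "openclaw-agent", "path": "/home/svc/.ssh/id_rsa", "flags": "O_RDONLY"}
{"type": "open", "pid": 300, "comm": "openclaw-agent", "path": "/var/lib/openclaw/workspace/notes.txt", "flags": "O_RDONLY"}
{"type": "exec", "pid": 415, "ppid": 300, "parent_comm": "openclaw-agent", "comm": "python3", "cmdline": "python3 -c print(1)"}
"""


def evaluate(event: dict):
    """Return an alert for a suspicious event, or None when it looks benign."""
    if event["type"] == "exec" and event.get("parent_comm") in AGENT_PROCESS_NAMES:
        child = event["comm"]
        if child in SHELL_BINARIES:
            return {"rule": "agent_spawned_shell", "severity": "high",
                    "pid": event["pid"], "detail": event["cmdline"]}
        if child in INTERPRETERS:
            # The agent may legitimately run Python; flag for triage rather than block.
            return {"rule": "agent_spawned_interpreter", "severity": "medium",
                    "pid": event["pid"], "detail": event["cmdline"]}
    if event["type"] == "open" and event.get("comm") in AGENT_PROCESS_NAMES:
        path = event["path"]
        if any(fnmatch.fnmatch(path, pat) for pat in SENSITIVE_FILE_PATTERNS):
            return {"rule": "agent_opened_sensitive_file", "severity": "high",
                    "pid": event["pid"], "detail": path}
    return None


def scan(events):
    """Run `evaluate` over an iterable of event dicts and keep the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


def scan_jsonl(text: str):
    """Parse JSON-lines telemetry and return the alerts in input order."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rule']} pid={alert['pid']}: {alert['detail']}")
```

On the sample telemetry the scan yields three alerts (shell spawn, sensitive file open, interpreter spawn) and stays silent on the agent's own start-up and its read inside its workspace. In a real deployment the parent/child relationship should be established from the process tree rather than a comm name, since `comm` is attacker-controllable; the structure of the rules is what carries over.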
## References
* Kaspersky Securelist Analysis: hxxps[://]securelist[.]com/openclaw-security/120484/
* OpenClaw GitHub Repository: hxxps[://]github[.]com/theopenclaw/openclaw
* MITRE CVE Database: hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2024-45377