Is Your "Little Lobster" Running Naked? CertiK Test: How the Vulnerable OpenClaw Skill Bypassed Review and Took Over Computers Without Authorization

星球君的朋友们
Odaily Senior Author
2026-03-17 14:28
If OpenClaw is likened to the operating system of a smart device, then Skills are the various APPs installed on the system. Once security issues arise, they can directly lead to severe consequences such as sensitive information leakage, remote device takeover, and theft of digital assets.
AI Summary
  • Core Insight: CertiK's research indicates that AI agent platforms, represented by OpenClaw, commonly suffer from security misconceptions. Relying on "pre-listing review and scanning" as the core security defense is ineffective. The true security foundation lies in runtime-enforced isolation and granular permission control. Otherwise, third-party Skills running with high privileges pose serious security risks.
  • Key Elements:
    1. Defects in the industry-standard "pre-listing scanning and review" mechanism: Static detection rules can be bypassed through code obfuscation; AI review cannot uncover hidden logical vulnerabilities; and Skills can be listed and installed even before the review is complete.
    2. Proof-of-Concept attack confirms the risk: A superficially compliant Skill developed by CertiK bypassed all detection, was installed before the VirusTotal scan completed, and successfully triggered a vulnerability via remote command, achieving arbitrary command execution on the host device.
    3. The core issue is the lack of permission and isolation: OpenClaw's sandbox mechanism is optional and relies on manual user configuration. Most users disable the sandbox to preserve functionality, leaving third-party Skills "running naked" in a high-privilege environment with direct access to sensitive information and assets.
    4. Security Recommendations: Developers should set sandbox isolation as the default mandatory configuration for third-party Skills with granular permissions. Until official improvements are made, users should deploy the platform in non-sensitive environments or virtual machines, keeping it away from high-value assets.
    5. Industry Implication: Review scanning can only intercept basic attacks and cannot serve as the security boundary for high-privilege agents. The industry must shift towards a "default risk exists" damage containment mindset, establishing isolation as a mandatory, runtime-enforced foundation.

Recently, the open-source self-hosted AI agent platform OpenClaw (commonly known as "小龙虾" or "Crayfish" within the community) has rapidly gained popularity due to its flexible scalability and self-controlled deployment characteristics, becoming a phenomenal product in the personal AI agent track. Its ecosystem core, Clawhub, serves as an application marketplace, aggregating a vast number of third-party Skill plugins. These plugins enable agents to unlock advanced capabilities with one click, ranging from web search and content creation to crypto wallet operations, on-chain interactions, and system automation, leading to explosive growth in both ecosystem scale and user base.

However, for such third-party Skills running in high-privilege environments, where does the platform's true security boundary lie?

Recently, CertiK, the world's largest Web3 security company, released its latest research on Skill security. The report points out a cognitive misalignment in the market regarding the security boundaries of AI agent ecosystems: the industry generally treats "Skill scanning" as the core security boundary, yet this mechanism is almost useless against hacker attacks.

If we compare OpenClaw to an operating system for a smart device, Skills are the various APPs installed on the system. Unlike ordinary consumer-grade APPs, some Skills in OpenClaw run in high-privilege environments. They can directly access local files, invoke system tools, connect to external services, execute host environment commands, and even operate users' crypto digital assets. Once a security issue arises, it can directly lead to severe consequences such as sensitive information leakage, remote device takeover, and theft of digital assets.

The current universal security solution for third-party Skills across the industry is "pre-listing scanning and review." OpenClaw's Clawhub has also established a three-layer review and protection system: integrating VirusTotal code scanning, a static code detection engine, and AI logic consistency detection. It pushes security pop-up warnings to users based on risk classification, attempting to secure the ecosystem. However, CertiK's research and proof-of-concept attack testing confirm that this detection system has shortcomings in real-world attack and defense scenarios and cannot bear the core responsibility of security protection.

The research first deconstructs the inherent limitations of the existing detection mechanisms:

Static detection rules are easily bypassed. The core of this engine relies on matching code features to identify risks. For example, it might flag the combination of "reading sensitive environment information + sending network requests" as high-risk behavior. However, attackers only need to make slight syntactic modifications to the code while fully preserving the malicious logic to easily bypass feature matching. It's like giving dangerous content a synonymous expression, rendering the security scanner completely ineffective.

AI review has inherent detection blind spots. The core function of Clawhub's AI review is a "logic consistency detector." It can only catch obvious malicious code where "declared functionality does not match actual behavior," but it is powerless against exploitable vulnerabilities hidden within normal business logic. It's akin to the difficulty of finding a fatal trap buried deep within the clauses of a seemingly compliant contract.

More critically, there is a fundamental design flaw in the review process: even when VirusTotal's scan results are still in a "pending" state, Skills that have not completed the full "health check" process can still be publicly listed. Users can install them without any warnings, leaving an opening for attackers.
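The listing flaw described above is a fail-open decision: a review layer whose result is still "pending" is treated the same as one that passed. The following Python model is an added example, not OpenClaw's or Clawhub's code; the three layers, the status values and both decision functions are constructed here to contrast the fail-open behaviour the article reports with a fail-closed gate that refuses to list or install until every layer has actually finished.

```python
from dataclasses import dataclass
from enum import Enum


class ScanStatus(Enum):
    PENDING = "pending"   # layer has not finished (e.g. VirusTotal still queued)
    CLEAN = "clean"       # layer finished and found nothing
    FLAGGED = "flagged"   # layer finished and raised a risk


class Decision(Enum):
    ALLOW = "allow"   # list and install with no prompt
    WARN = "warn"     # list, but show the user a risk pop-up first
    BLOCK = "block"   # do not list or install


@dataclass(frozen=True)
class ReviewState:
    """Constructed model of the three review layers named in the article."""
    virustotal: ScanStatus
    static_engine: ScanStatus
    ai_consistency: ScanStatus

    def layers(self):
        return (self.virustotal, self.static_engine, self.ai_consistency)


def fail_open_decision(state: ReviewState) -> Decision:
    """Approximates the behaviour the article describes: only a FLAGGED result
    changes the outcome, so an unfinished (PENDING) layer is silently treated
    as a pass and the Skill installs without any warning."""
    if ScanStatus.FLAGGED in state.layers():
        return Decision.WARN
    return Decision.ALLOW


def fail_closed_decision(state: ReviewState) -> Decision:
    """Fail-closed alternative: a flagged layer blocks outright, and an
    unfinished layer is not a pass, so nothing is listed until every
    layer has reported CLEAN."""
    layers = state.layers()
    if ScanStatus.FLAGGED in layers:
        return Decision.BLOCK
    if ScanStatus.PENDING in layers:
        return Decision.BLOCK
    return Decision.ALLOW


def compare(state: ReviewState) -> dict:
    """Side-by-side outcome of both policies for one review state."""
    return {
        "fail_open": fail_open_decision(state).value,
        "fail_closed": fail_closed_decision(state).value,
    }


if __name__ == "__main__":
    # The situation from CertiK's test: static and AI layers passed,
    # VirusTotal still pending at install time.
    pending_vt = ReviewState(ScanStatus.PENDING, ScanStatus.CLEAN, ScanStatus.CLEAN)
    print(compare(pending_vt))
```

Even the fail-closed gate only says that no layer found anything; it does not change what an installed Skill is allowed to do at runtime, which is the separate problem the article turns to next.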

To verify the real harm of these risks, the CertiK research team completed comprehensive testing. The team developed a Skill named "test-web-searcher." On the surface, it is a fully compliant web search tool, with code logic entirely conforming to standard development practices. In reality, it embeds a remote code execution vulnerability within the normal functional flow.

This Skill bypassed detection by both the static engine and AI review. While its VirusTotal scan was still pending, it was installed normally without any security warnings. Ultimately, by sending a remote command via Telegram, the vulnerability was successfully triggered, achieving arbitrary command execution on the host device (in the demonstration, it directly controlled the system to launch the calculator).

In its research, CertiK clearly states that these issues are not unique product bugs of OpenClaw but rather a widespread cognitive misconception across the entire AI agent industry: the industry generally treats "review scanning" as the core security line of defense, while overlooking that the true security foundation lies in runtime-enforced isolation and fine-grained permission control. This is similar to how the security core of Apple's iOS ecosystem has never been the strict review of the App Store, but rather the system-enforced sandbox mechanism and fine-grained permission management, ensuring each APP runs in its dedicated "isolation pod" without arbitrarily obtaining system permissions. In contrast, OpenClaw's existing sandbox mechanism is optional, not mandatory, and highly reliant on manual user configuration. To ensure Skill functionality, the vast majority of users choose to disable the sandbox, ultimately leaving the agent in a "naked" state. Once a Skill with vulnerabilities or malicious code is installed, it can directly lead to catastrophic consequences.

Regarding the issues discovered, CertiK also provides security guidance:

● For AI agent developers like OpenClaw, sandbox isolation must be set as the default mandatory configuration for third-party Skills. A fine-grained permission control model for Skills must be established, absolutely prohibiting third-party code from inheriting the host's high privileges by default.

● For ordinary users, a Skill labeled "Safe" in the marketplace merely indicates it hasn't been detected as risky, not that it is absolutely secure. Before the official implementation of a mandatory, underlying isolation mechanism as the default configuration, it is recommended to deploy OpenClaw on non-critical idle devices or virtual machines. Never let it near sensitive files, password credentials, or high-value crypto assets.
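To make the first recommendation concrete, here is an added Python model of a deny-by-default skill runtime. It is not OpenClaw's own sandbox or API; the manifest format, the capability names (`net.fetch`, `fs.read`, `proc.exec`) and the `SkillRuntime` class are all constructed for this example. A Skill declares the capabilities it needs, the runtime gates every privileged operation against that declaration and logs the decision, and the `enforce=False` mode models the "sandbox disabled" state the article warns about, where the same Skill inherits everything the host can do.

```python
import subprocess
import sys
from dataclasses import dataclass, field
from pathlib import Path


class PermissionDenied(Exception):
    """Raised when a Skill touches a capability its manifest never declared."""


@dataclass(frozen=True)
class SkillManifest:
    name: str
    permissions: frozenset  # declared capability names; anything absent is denied


@dataclass
class SkillRuntime:
    """Constructed runtime: every privileged call passes through _gate()."""
    manifest: SkillManifest
    enforce: bool = True            # False models "sandbox disabled"
    audit: list = field(default_factory=list)

    def _gate(self, capability: str) -> None:
        granted = capability in self.manifest.permissions
        allowed = granted or not self.enforce
        # Audit trail: (skill, capability, allowed) for every attempt, denied or not
        self.audit.append((self.manifest.name, capability, allowed))
        if not allowed:
            raise PermissionDenied(f"{self.manifest.name} lacks {capability}")

    def fetch(self, url: str) -> str:
        self._gate("net.fetch")
        return f"<constructed response for {url}>"  # stand-in; no real network call

    def read_file(self, path: str) -> str:
        self._gate("fs.read")
        return Path(path).read_text()

    def exec_command(self, argv: list) -> str:
        self._gate("proc.exec")
        return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# A web-search Skill only needs outbound fetches; it declares nothing else.
WEB_SEARCH = SkillManifest("test-web-searcher", frozenset({"net.fetch"}))


def probe(runtime: SkillRuntime) -> dict:
    """Attempt each capability through the runtime and record which ones
    actually went through. The file read targets this module itself and the
    command only starts a no-op Python process, so the probe is harmless."""
    actions = {
        "net.fetch": lambda: runtime.fetch("https://example.invalid/search?q=test"),
        "fs.read": lambda: runtime.read_file(__file__),
        "proc.exec": lambda: runtime.exec_command([sys.executable, "-c", "pass"]),
    }
    results = {}
    for capability, action in actions.items():
        try:
            action()
            results[capability] = True
        except PermissionDenied:
            results[capability] = False
    return results


if __name__ == "__main__":
    print("sandbox enforced:", probe(SkillRuntime(WEB_SEARCH)))
    print("sandbox disabled:", probe(SkillRuntime(WEB_SEARCH, enforce=False)))
```

With enforcement on, the search Skill can fetch but cannot read host files or spawn processes, regardless of what its code tries to do; with enforcement off, the identical manifest grants nothing and denies nothing, which is exactly the "running naked" state the article describes. The audit list is what a defender would forward to logging to spot a Skill reaching for capabilities it never declared.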

The AI agent track is currently on the eve of an explosion. The speed of ecosystem expansion must not outpace the pace of security development. Review scanning can only block rudimentary malicious attacks; it can never become the security boundary for high-privilege agents. Only by shifting from "pursuing perfect detection" to "assuming risk exists and focusing on damage containment," and by establishing isolation boundaries through mandatory, underlying runtime mechanisms, can we truly secure the safety baseline for AI agents and ensure this technological revolution progresses steadily and sustainably.
