OpenClaw, a rapidly emerging open-source AI agent framework, is gaining tremendous momentum today. However, its powerful capabilities also introduce a broad attack surface. Without careful security design and deployment, OpenClaw-based agents could be compromised and abused as part of criminally controlled botnets.
In our new invited paper at ICCCN 2026, we discussed the security of OpenClaw. While it demonstrates the power of connecting LLM reasoning to real-world execution surfaces such as shell commands, filesystems, containers, browsers, and messaging platforms, this capability also greatly expands its attack surface. In this work, we present a systematic security taxonomy of 470 advisories filed against OpenClaw, organizing vulnerabilities by architectural layer and trust-violation type. Our analysis shows how weaknesses across gateway, execution policy, plugin/skill, sandbox, browser, and agent/prompt layers can compose into serious threats, including remote code execution paths, policy bypasses, prompt-injection-driven abuse, and supply-chain trust escalation. The study highlights an urgent lesson for the next generation of AI agent systems: powerful autonomy must be matched with unified, cross-layer security boundaries, or compromised agents may become attractive infrastructure for criminal abuse and botnet-scale control.
An extended version of the invited paper is available at arXiv:2603.27517. Congratulations on the nice work, Surada (our undergraduate researcher in the lab) and Yuxuan!
