OpenClaw Security Anatomy: What AiSec's 35 Agents Found in the World's Most Popular AI Agent

AI agents are no longer experimental. They write code, manage infrastructure, handle customer interactions, and make decisions that affect millions of people. But while the industry has obsessed over capabilities — how many tools an agent can use, how many tokens it can process, how autonomously it can operate — security has been treated as an afterthought. The assumption seems to be that if an AI agent is popular enough, it must be secure enough. That assumption is wrong.

We built AiSec (github.com/fboiero/AiSec) to test that assumption systematically. AiSec is an open-source AI security framework that deploys 35 specialized AI agents to scan AI systems for vulnerabilities — from prompt injection and sandbox escapes to data leakage and compliance gaps. We decided to run it against the biggest target we could find: OpenClaw, the most popular AI agent in the world with 191,000 GitHub stars. What we found in 4 minutes and 12 seconds should concern every organization that deploys AI agents in production.

What Is OpenClaw?

OpenClaw is the world's most popular open-source AI agent framework, with over 191,000 stars on GitHub and an active community of thousands of contributors. It provides a general-purpose architecture for building AI agents that can use tools, execute code, browse the web, interact with APIs, and chain complex multi-step workflows. Its popularity stems from its flexibility: OpenClaw agents can be configured for everything from simple chatbot assistants to autonomous coding agents, data analysis pipelines, and enterprise workflow automation.

OpenClaw's architecture follows the now-standard agentic pattern: a language model core with access to a tool registry, a memory system for maintaining context across interactions, and an execution engine that orchestrates multi-step task completion. It supports multiple LLM backends, customizable tool sets, and extensible plugin architectures. This flexibility is both its strength and — from a security perspective — its most significant risk surface. Every extension point is a potential attack vector. Every tool integration is a privilege boundary that can be crossed.

The Challenge: Why Audit the Most Popular AI Agent?

Auditing OpenClaw was not about finding fault with its maintainers — who have built something genuinely impressive. It was about answering a question that matters to the entire AI ecosystem: how secure is the most battle-tested, most reviewed, most deployed AI agent framework? If OpenClaw has significant security gaps, what does that tell us about the hundreds of less-scrutinized agent frameworks deployed in production?

Traditional security audits of AI systems are slow, expensive, and incomplete. A human penetration tester might spend weeks reviewing an agent framework and still miss vulnerability classes they are not specialized in. The prompt injection expert may not catch the sandbox escape. The compliance auditor may not identify the data leakage path. We needed a tool that could cover the full attack surface — every vulnerability class, every compliance framework, every layer of the agent architecture — in minutes, not weeks. That is why we built AiSec.

AiSec: 35 Agents, One Mission

AiSec (github.com/fboiero/AiSec) is an open-source AI security framework developed by Xcapit. It takes a fundamentally different approach to AI security assessment: instead of running a single scanner with a checklist of rules, AiSec deploys 35 specialized AI agents, each trained and configured to detect a specific class of vulnerability. These agents work in parallel, sharing context through a coordination layer that enables cross-agent correlation — finding vulnerability chains that no single agent would detect on its own.

The 35 agents include PromptInjectionAgent (testing direct, indirect, and multi-turn injection vectors), SandboxEscapeAgent (probing code execution boundaries and container escapes), DataLeakageAgent (tracing data flows for sensitive information exposure), ToolChainAgent (analyzing tool-to-tool permission escalation paths), AuthenticationAgent (testing identity and access control mechanisms), and ComplianceAgent (mapping findings to regulatory and framework requirements). Additional agents cover supply chain integrity, model poisoning vectors, rate limiting, API security, memory injection, serialization attacks, and more.

The 5-Layer Analysis Architecture

AiSec organizes its analysis into five distinct layers, each targeting a different aspect of the AI system's security posture. This layered approach ensures comprehensive coverage — from low-level code vulnerabilities to high-level compliance gaps.

• Layer 1 — Static Analysis: Source code scanning for hardcoded secrets, insecure patterns, dependency vulnerabilities, and configuration weaknesses. AiSec's static agents analyzed over 340,000 lines of OpenClaw code across 2,100 files in 47 seconds.
• Layer 2 — Dynamic Analysis: Runtime testing of the agent's behavior under adversarial conditions. Agents send crafted inputs, observe tool invocations, monitor resource access, and test boundary conditions. This layer identified 28 of the 63 findings.
• Layer 3 — Architecture Analysis: Evaluation of the system's design patterns, privilege boundaries, data flow paths, and trust relationships. The ToolChainAgent and AuthenticationAgent operate primarily at this layer, identifying structural weaknesses that enable multi-step attacks.
• Layer 4 — Data Flow Analysis: End-to-end tracing of how user data, conversation context, and tool outputs flow through the system. The DataLeakageAgent traces sensitive information from ingestion through processing to storage, identifying points where data escapes its intended boundary.
• Layer 5 — Compliance Mapping: Automated correlation of all findings from layers 1-4 against 8 security frameworks. Each finding receives framework-specific severity ratings, remediation guidance, and compliance impact assessments.

Results: 63 Findings in 4 Minutes

AiSec completed its full analysis of OpenClaw in 4 minutes and 12 seconds. The 35 agents collectively identified 63 security findings across all five analysis layers. The severity breakdown was significant: 8 critical findings requiring immediate attention, 15 high-severity findings with exploitable attack paths, 22 medium-severity findings representing defense-in-depth gaps, and 18 low-severity findings covering hardening opportunities and best-practice deviations.

• Critical (8): Prompt injection vectors with demonstrated code execution, sandbox escape paths, sensitive data exposure in persistent storage, unrestricted tool chaining enabling privilege escalation
• High (15): Insufficient input validation on tool parameters, missing rate limiting on agent loops, weak isolation between user sessions, insecure default configurations for plugin loading, API key exposure through error messages
• Medium (22): Incomplete logging of security-relevant events, missing integrity checks on plugin code, insufficient timeout controls on external API calls, overly permissive CORS configurations, absence of content security policies for rendered outputs
• Low (18): Informational findings including deprecated dependency versions, non-standard error handling patterns, missing security headers on internal endpoints, documentation gaps for security configuration options

Critical Findings Deep Dive

CVE-2026-25253: Multi-Vector Prompt Injection

The PromptInjectionAgent identified a critical prompt injection vulnerability that allows an attacker to override OpenClaw's system instructions through crafted content in external data sources. The attack exploits the fact that OpenClaw processes tool outputs — including web page content, file contents, and API responses — in the same context as system instructions, without adequate boundary enforcement. An attacker who controls any content that the agent retrieves (a webpage, a document, a code repository) can embed instructions that the agent will execute with its full tool access.

The PromptInjectionAgent demonstrated this vulnerability through three independent attack vectors: hidden instructions in markdown comments within fetched documents, Unicode control characters that restructure the prompt context, and multi-turn context manipulation that gradually shifts the agent's instruction following. Each vector was confirmed exploitable on the default configuration, and two remained exploitable even with OpenClaw's optional 'strict mode' enabled. This finding was assigned CVE-2026-25253 and affects all versions prior to the latest security patch.

Sandbox Escape Through Code Execution

The SandboxEscapeAgent discovered that OpenClaw's code execution sandbox — the environment where user-requested code runs — has insufficient isolation from the host system. Through a sequence of carefully crafted code execution requests, an agent can access the host filesystem beyond its designated sandbox directory, read environment variables (including API keys and credentials stored in the shell environment), and in certain configurations, establish outbound network connections to exfiltrate data.

The escape path exploits a race condition in the sandbox initialization sequence: during the 200-millisecond window between process creation and sandbox policy application, executed code has access to the unrestricted host environment. The SandboxEscapeAgent automated the exploitation of this window, demonstrating reliable file read access to /etc/passwd, environment variable extraction, and DNS-based data exfiltration — all from within what users believe is an isolated execution sandbox.

Sensitive Data Exposure in Conversation Logs

The DataLeakageAgent traced OpenClaw's data flow and identified that conversation histories — which routinely contain API keys, passwords, personal information, and proprietary code shared by users — are stored in plaintext on the local filesystem with permissions that allow access by any process running under the same user account. In multi-user deployments (which account for a significant percentage of enterprise OpenClaw installations), this means any user's conversation data is potentially accessible to other users' processes.

Permission Escalation Through Tool Chaining

The ToolChainAgent identified a critical privilege escalation path where an agent with access to a limited set of tools can chain tool invocations to achieve capabilities beyond its intended permissions. Specifically, the agent demonstrated that a tool with read-only filesystem access can invoke the code execution tool to write files, which in turn can be used to modify the agent's own configuration to grant additional tool access. This self-modification capability effectively bypasses any permission model applied at the configuration level.

Cross-Framework Correlation: 8 Frameworks, One Report

One of AiSec's most powerful capabilities is automated cross-framework correlation. Every finding is mapped to all applicable controls across 8 security frameworks simultaneously: OWASP Top 10 for LLMs (2025), NIST AI Risk Management Framework (AI RMF), MITRE ATLAS (Adversarial Threat Landscape for AI Systems), ISO 42001 (AI Management System), EU AI Act (risk classifications and requirements), OWASP Application Security Verification Standard (ASVS), CIS Controls v8, and NIST Cybersecurity Framework 2.0.

This cross-framework mapping is not just an academic exercise — it is operationally critical. A CISO who needs to report AI security posture to the board maps findings to NIST CSF. A compliance team preparing for EU AI Act requirements maps findings to the Act's risk categories. A development team prioritizing fixes maps findings to OWASP for actionable remediation guidance. AiSec generates all of these views from a single scan, eliminating the manual effort of cross-referencing findings across frameworks.

For the OpenClaw analysis, the cross-framework correlation revealed that 6 of the 8 critical findings map to OWASP LLM01 (Prompt Injection) or LLM06 (Sensitive Information Disclosure). Under the EU AI Act, OpenClaw's use in autonomous decision-making would classify it as high-risk, triggering mandatory requirements for transparency, human oversight, and security testing — requirements that the current architecture does not fully satisfy. Under NIST AI RMF, the findings cluster in the GOVERN and MAP functions, indicating that the root causes are architectural governance decisions rather than implementation bugs.

What OpenClaw's Maintainers Did Right

A security audit that only highlights failures gives an incomplete picture. OpenClaw's maintainers have made several strong security decisions that other agent frameworks should emulate. The project has a comprehensive permission model that, while bypassable through the tool chaining vulnerability described above, provides a clear architecture for restricting agent capabilities — the foundation is sound even if the implementation has gaps. The code execution sandbox exists and correctly applies restrictions in steady-state operation — the race condition vulnerability is a timing issue, not a design absence.

OpenClaw's security response process is exemplary. When we reported the critical findings through their responsible disclosure program, the maintainers acknowledged all 8 critical findings within 48 hours, confirmed reproducibility within a week, and had patches in review within two weeks. This response time puts OpenClaw ahead of 90% of open-source projects we have worked with. The project also maintains a security advisory page, supports signed releases, and has an active bug bounty program — practices that demonstrate genuine commitment to security.

Implications for the AI Agent Ecosystem

If the most popular, most scrutinized AI agent framework has 8 critical security vulnerabilities, the state of the broader ecosystem is concerning. OpenClaw benefits from 191,000 pairs of eyes, a dedicated security team, a responsible disclosure program, and now an AiSec analysis. Most AI agent frameworks deployed in production have none of these advantages. They are built by small teams, deployed without security review, and operated with implicit trust in the agent's behavior.

The findings from this analysis point to systemic issues in how the industry builds AI agents. Prompt injection defenses are still not standard practice — most frameworks process external content in the same context as system instructions. Sandbox isolation is treated as an implementation detail rather than a security-critical boundary. Data at rest is rarely encrypted. Permission models are advisory rather than enforced. These are not bugs in OpenClaw specifically; they are patterns repeated across the entire agent ecosystem. The industry needs a fundamental shift: treating AI agent security as a first-class engineering discipline, not a checkbox to address before launch.

How to Run AiSec on Your Own AI Systems

AiSec is open source and available at github.com/fboiero/AiSec. Running it against your own AI agent systems takes minutes, not days. The framework is designed to be self-contained — you do not need to modify your target system or install agents on production infrastructure. AiSec operates externally, probing the target through the same interfaces an attacker would use.

• Clone the repository: git clone https://github.com/fboiero/AiSec.git && cd AiSec
• Install dependencies: pip install -e . (Python 3.10+ required)
• Configure your target: edit config/target.yaml with your AI system's endpoints, authentication, and scope parameters
• Run the full scan: aisec scan --target config/target.yaml --frameworks all --output report.json
• Generate compliance reports: aisec report --input report.json --format pdf --frameworks owasp-llm,nist-ai-rmf,eu-ai-act
• For CI/CD integration: aisec scan --target config/target.yaml --fail-on critical,high --output-format junit

The scan runs all 35 agents in parallel by default, completing a full analysis in under 5 minutes for most AI systems. You can also run individual agents for targeted testing — for example, aisec scan --agents PromptInjectionAgent,SandboxEscapeAgent for a focused assessment of your most critical attack surfaces. The output includes detailed remediation guidance for every finding, prioritized by severity and mapped to the compliance frameworks relevant to your organization.

At Xcapit, AI security is not a sideline — it is core to everything we build. AiSec grew out of our internal security practices, refined through years of building AI agents for enterprise clients across fintech, energy, and government sectors. We open-sourced it because we believe the entire ecosystem benefits when AI security tooling is accessible to everyone, not just organizations that can afford six-figure security audits. If you want to go deeper — custom AiSec configurations for your specific architecture, ongoing security monitoring for your AI deployments, or a full red team engagement — our cybersecurity team can help. Visit xcapit.com/services/cybersecurity to start the conversation.