Xcapit Labs

AiSec: AI Agent Security Analysis Framework

How Xcapit Labs built a comprehensive security analysis framework for AI agents with 35 specialized agents, 250+ detectors, and auto-remediation — validated through the OpenClaw audit that found 4.2x more vulnerabilities than traditional scanners.

Python · Django · Docker · Kubernetes · Falco · eBPF · SARIF
  • 35 security agents
  • 250+ detectors
  • 63 OpenClaw findings
  • 4 min average scan


In March 2025, Xcapit's security team received a request that would test every assumption they had about AI security: audit OpenClaw, an open-source AI agent framework being deployed across financial services and healthcare — industries where a single vulnerability could expose millions of records. The team had spent six years building security tools, starting with traditional penetration testing in 2019 and evolving through the AI boom. But OpenClaw was different. Its agents could call external APIs, execute code, and chain actions autonomously. The attack surface was not a web application with known endpoints — it was a system that could decide, at runtime, to do things its creators never anticipated.

The Challenge

Traditional security scanners were built for a world where software does what its code says. Snyk finds known CVEs in dependencies; Semgrep matches code against pattern rules. These tools are essential, but they are blind to a category of threats that only appears when AI agents act autonomously: the dangerous behaviour is not in the code, it is chosen at runtime from whatever the model is given as input.

Consider the attack vectors that traditional scanners cannot detect:

  • Prompt injection: An attacker embeds instructions in user-supplied data that override the agent's system prompt. In 2024, researchers demonstrated that a resume uploaded to an AI-powered HR tool could instruct the agent to email all candidate data to an external address — and the agent complied, because it could not distinguish between its instructions and the attacker's.
  • Data exfiltration through model outputs: An agent processing confidential documents can be manipulated into encoding sensitive data in its responses — not through a network exploit, but by crafting inputs that cause the model to 'leak' training data or context window contents.
  • Privilege escalation via tool use: AI agents that can call tools (databases, APIs, shell commands) can be tricked into chaining tool calls in ways that escalate privileges. An agent with read-only database access, for instance, might be manipulated into invoking, or delegating to, another tool or agent that writes data, which succeeds whenever the permission check is applied to each call in isolation rather than to the chain as a whole.
  • Supply chain attacks on model weights: Malicious actors can publish fine-tuned models that contain backdoors — the model performs normally on standard inputs but activates harmful behavior on specific trigger phrases.
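
The tool-use escalation in the third bullet is easiest to see as a permission check applied per hop instead of per chain. The following is an added example written for this page, not AiSec or OpenClaw code; the agents, tools and scope names are hypothetical. A front-desk agent holding only db:read can hand work to an ops agent that also holds db:write. The vulnerable broker re-evaluates each hop against the delegate's own grants, so a request gains privileges by being handed off; the hardened broker intersects the caller's effective scopes with the delegate's, so a chain can only lose privileges.

```python
"""Permission boundaries across agent delegation chains.

Added example for this page, not AiSec or OpenClaw code. Agents, tools
and scope names are hypothetical. A front-desk agent holds db:read only
and may delegate to an ops agent that also holds db:write. The vulnerable
broker re-checks each hop against the delegate's own grants, so a request
gains privileges by being handed off; the hardened broker intersects the
caller's effective scopes with the delegate's, so a chain can only lose them.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Hypothetical tool registry: tool name -> scope required to call it.
TOOL_SCOPES = {
    "db.query": "db:read",
    "db.update": "db:write",
    "http.post": "net:egress",
}


class PermissionDenied(Exception):
    pass


@dataclass
class Agent:
    name: str
    scopes: FrozenSet[str]
    delegates: List["Agent"] = field(default_factory=list)


def broker(agent: Agent, tool: str, inherited: FrozenSet[str],
           hardened: bool, chain: List[str]) -> List[str]:
    """Run `tool` as `agent`, delegating when the agent lacks the scope.

    `inherited` is the effective scope set of whoever handed the request
    to this agent. Hardened mode intersects it with the agent's grants;
    vulnerable mode discards it and trusts the agent's own grants, which
    is the bug that lets an injected write request reach the ops agent.
    """
    effective = (inherited & agent.scopes) if hardened else agent.scopes
    chain = chain + [agent.name]
    needed = TOOL_SCOPES[tool]
    if needed in effective:
        return chain                      # tool would execute at this hop
    for delegate in agent.delegates:      # "ask someone who can"
        try:
            return broker(delegate, tool, effective, hardened, chain)
        except PermissionDenied:
            continue
    raise PermissionDenied(
        f"{agent.name}: {tool} needs {needed}, effective={sorted(effective)}")


def attempt(agent: Agent, tool: str, hardened: bool) -> Optional[List[str]]:
    """Delegation chain that would execute `tool`, or None if denied."""
    if tool not in TOOL_SCOPES:           # default deny for unregistered tools
        return None
    try:
        return broker(agent, tool, agent.scopes, hardened, [])
    except PermissionDenied:
        return None


# Constructed topology.
OPS = Agent("ops", frozenset({"db:read", "db:write"}))
FRONTDESK = Agent("frontdesk", frozenset({"db:read"}), delegates=[OPS])

if __name__ == "__main__":
    # An injected "update this record" instruction arriving at frontdesk:
    print(attempt(FRONTDESK, "db.update", hardened=False))  # ['frontdesk', 'ops']
    print(attempt(FRONTDESK, "db.update", hardened=True))   # None
    # Legitimate read delegation is unaffected by the intersection:
    print(attempt(FRONTDESK, "db.query", hardened=True))    # ['frontdesk']
```

The intersection does not stop an injected instruction from causing a delegation; it stops the delegation from manufacturing a scope the originating request never had, while reads that the front-desk agent was already entitled to still go through.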

No existing scanner addresses these threats holistically. OWASP published its AI Top 10 in 2023, MITRE released the ATLAS framework, and the EU AI Act mandated security assessments — but the tooling lagged behind the standards. Organizations knew what they should test for but had no automated way to do it.

The OpenClaw Audit: A Real-World Validation

Why OpenClaw

OpenClaw was chosen as AiSec's validation target because it represents the architecture pattern most commonly deployed in enterprise AI: a multi-agent framework where agents coordinate through shared state, call external tools via APIs, and process user-supplied inputs with minimal sanitization. If AiSec could comprehensively audit OpenClaw, it could audit the vast majority of production AI agent deployments.

Audit Methodology

AiSec deployed all 35 specialized security agents against the OpenClaw codebase in a three-phase process:

  • Phase 1 — Individual agent scanning: Each of the 35 agents independently analyzed the codebase from its specialized perspective. The prompt injection agent tested input handling across all agent endpoints. The privilege escalation agent mapped tool call chains and permission boundaries. The supply chain agent analyzed model loading and dependency integrity.
  • Phase 2 — Cross-agent correlation: The correlation engine ingested all 35 agents' findings and applied 31 correlation rules to identify compound vulnerabilities — cases where individually low-severity findings combine into critical attack chains. For example: a medium-severity input validation gap plus a medium-severity tool permission misconfiguration together enable a critical data exfiltration path.
  • Phase 3 — Severity classification and manual verification: AiSec's AI-CVSS scoring system classified each finding by severity, accounting for AI-specific factors such as model manipulability, chain-of-thought exposure, and autonomous action scope. Human security engineers then verified a sample of findings to validate accuracy. A sampled review of this kind bounds the false-positive rate; it says nothing about what the agents missed.

What Was Found

The audit identified 63 security findings, 4.2x the 15 that Snyk and Semgrep together reported on the same codebase. The breakdown by category shows the gap between traditional scanning and AI-specific security analysis:

  • Prompt injection vulnerabilities: 14 findings, including 3 critical paths where user inputs could override system prompts in production agent configurations
  • Tool use and privilege escalation: 11 findings, including agent-to-agent delegation chains that bypassed permission boundaries
  • Data handling and exfiltration risks: 9 findings, including unencrypted context window contents persisted to shared storage
  • Supply chain and dependency risks: 8 findings, including unsigned model weight downloads from public registries
  • Compound vulnerabilities (cross-agent correlation): 12 findings that no individual scanner detected, representing the most critical attack chains
  • Configuration and deployment hardening: 9 findings related to default configurations, exposed debug endpoints, and missing rate limits

The 12 compound vulnerabilities were particularly significant. These are attack chains that only become visible when you correlate findings across multiple security domains — exactly the kind of threat that single-purpose scanners miss. A static analysis tool sees a permissive input handler. A dependency scanner sees an outdated library. Only a correlation engine sees that together, they enable an attacker to inject a prompt that triggers a vulnerable dependency to exfiltrate data.
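
The correlation step from Phase 2 and the paragraph above come down to one mechanism: group findings by the component they attach to, then fire a rule when every category it requires is present on that component. The block below is an added illustration written for this page, not AiSec's correlation engine; the categories, components, rule set and the five sample findings are constructed, and the first rule mirrors the input-validation-plus-tool-permission example given in the methodology.

```python
"""Cross-agent correlation of individually modest findings.

Added example, not AiSec's correlation engine. Findings from different
specialised agents are grouped by the component they attach to, and a
correlation rule fires when every category it requires is present on the
same component. Categories, components, rules and findings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    agent: str       # specialised agent that produced it, or the correlator
    category: str
    component: str   # file or module the finding is attached to
    severity: str
    detail: str


# Hypothetical rules: categories that must co-occur on one component, the
# compound category they form, and the severity assigned to the compound.
RULES: List[Tuple[FrozenSet[str], str, str]] = [
    (frozenset({"input-validation-gap", "tool-permission-misconfig"}),
     "compound/data-exfiltration-path", "critical"),
    (frozenset({"permissive-input-handler", "vulnerable-dependency"}),
     "compound/injection-reaches-vulnerable-dependency", "critical"),
]


def max_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for an empty list."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def correlate(findings: List[Finding]) -> List[Finding]:
    """Apply RULES per component and return the compound findings."""
    by_component: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_component[f.component].append(f)

    compounds: List[Finding] = []
    for component in sorted(by_component):
        cats = {f.category: f for f in by_component[component]}
        for required, category, severity in RULES:
            if required <= set(cats):
                sources = [cats[c] for c in sorted(required)]
                chain = " + ".join(f"{s.agent}:{s.category}({s.severity})" for s in sources)
                compounds.append(Finding("correlation-engine", category, component,
                                         severity, "chain: " + chain))
    return compounds


# Constructed output from four hypothetical agents; nothing here is above medium.
FINDINGS = [
    Finding("prompt-injection", "input-validation-gap", "agents/intake.py", "medium",
            "user document text concatenated into system prompt"),
    Finding("privilege-escalation", "tool-permission-misconfig", "agents/intake.py", "medium",
            "tool 'http.post' callable without egress allow-list"),
    Finding("prompt-injection", "input-validation-gap", "agents/report.py", "medium",
            "unescaped user field in template"),
    Finding("supply-chain", "vulnerable-dependency", "agents/fetch.py", "low",
            "outdated HTML parser"),
    Finding("prompt-injection", "permissive-input-handler", "agents/fetch.py", "medium",
            "fetched page body passed to parser unsanitised"),
]

if __name__ == "__main__":
    compounds = correlate(FINDINGS)
    print("worst before correlation:", max_severity(FINDINGS))   # medium
    print("worst after correlation: ", max_severity(compounds))  # critical
    for c in compounds:
        print(c.component, c.category, c.detail)
```

Grouping by component is the simplest join key; a real engine would also need to follow data flow between components, since the input handler and the vulnerable dependency in the second rule are rarely in the same file.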

From Consulting to Product

AiSec did not begin as a product. It began as an internal necessity. In 2019, Xcapit's cybersecurity practice was delivering manual penetration testing and security consulting to clients across Latin America and Europe. As the team accumulated audit methodologies, they began automating repetitive analysis tasks — first as scripts, then as coordinated agents, then as a full framework.

The evolution followed a clear path: manual consulting (2019-2021) built the domain expertise. Internal tooling (2021-2023) encoded that expertise into automated agents. The open-source framework (2023-2024) made the tooling reusable across engagements. And the cloud platform (2025) made it accessible to organizations without dedicated security teams. Each stage built on the artifacts of the previous one, which is why AiSec's 250+ detectors reflect real-world audit findings rather than theoretical vulnerability taxonomies.

Results & Impact

  • 35 specialized security agents with 250+ vulnerability detectors
  • 63 findings in OpenClaw audit (4.2x more than Snyk/Semgrep alone)
  • 31 cross-agent correlation rules for compound vulnerability detection
  • 8 compliance frameworks (OWASP AI Top 10, NIST AI RMF, EU AI Act, ISO 42001, ISO 27001, GDPR, SOC 2, MITRE ATLAS)
  • 4-minute average scan time with parallel agent execution
  • Auto-remediation with generated code patches and PR creation
  • 12 compound vulnerabilities discovered that no single-purpose scanner detected

Technology Stack

  • Python/Django orchestration engine coordinating 35 security agents in parallel
  • Docker/Kubernetes for isolated scan execution with per-agent resource limits
  • Falco with eBPF probes for runtime container monitoring and anomaly detection
  • AI-CVSS scoring system adapted for AI-specific vulnerability severity assessment
  • SARIF format export for native integration with GitHub Actions, GitLab CI, and Jenkins
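
For the SARIF export in the last bullet, the minimum a code-scanning consumer needs is a tool driver with a rule catalogue and one result per finding carrying a ruleId, a level, a message and a physical location. The block below is an added example written for this page, not AiSec's exporter; the finding records and AISEC-* rule ids are constructed, and the mapping from the page's severities onto SARIF levels and onto the numeric security-severity property GitHub reads is an assumption.

```python
"""Export findings as SARIF 2.1.0 for CI ingestion.

Added example, not AiSec's exporter. Produces the smallest SARIF log a
code-scanning consumer will render: a tool driver with a rule catalogue
and one result per finding. Finding records and rule ids are constructed;
the severity-to-level and security-severity mappings are assumptions.
"""
import json
from typing import Any, Dict, List

# SARIF defines the result levels none/note/warning/error; the page's
# AI-CVSS style severities have to be folded onto those four.
LEVELS = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}
# GitHub code scanning additionally reads a numeric "security-severity"
# rule property (0-10) to bucket alerts; these values are assumptions.
SCORES = {"critical": "9.5", "high": "7.5", "medium": "5.0", "low": "2.0"}


def to_sarif(findings: List[Dict[str, Any]], tool_name: str = "aisec-example",
             tool_version: str = "0.0.0") -> Dict[str, Any]:
    rules: List[Dict[str, Any]] = []
    rule_index: Dict[str, int] = {}
    results: List[Dict[str, Any]] = []
    for f in findings:
        rid = f["rule_id"]
        if rid not in rule_index:          # declare each rule once
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": f["title"]},
                "properties": {"security-severity": SCORES[f["severity"]]},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": LEVELS[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def level_counts(sarif: Dict[str, Any]) -> Dict[str, int]:
    """Results per level, e.g. for a CI gate that fails the build on any 'error'."""
    counts: Dict[str, int] = {}
    for r in sarif["runs"][0]["results"]:
        counts[r["level"]] = counts.get(r["level"], 0) + 1
    return counts


# Constructed findings with hypothetical rule ids.
FINDINGS = [
    {"rule_id": "AISEC-PI-001", "title": "User data reaches system prompt",
     "severity": "critical", "message": "uploaded document concatenated into system prompt",
     "file": "agents/intake.py", "line": 42},
    {"rule_id": "AISEC-PI-001", "title": "User data reaches system prompt",
     "severity": "medium", "message": "form field interpolated into instruction template",
     "file": "agents/report.py", "line": 17},
    {"rule_id": "AISEC-SC-004", "title": "Unsigned model weight download",
     "severity": "high", "message": "weights fetched from public registry without signature check",
     "file": "models/loader.py", "line": 88},
]

if __name__ == "__main__":
    doc = to_sarif(FINDINGS)
    print(json.dumps(doc, indent=2))
    print(level_counts(doc))   # {'error': 2, 'warning': 1}
```

Keep the uriBaseId and relative paths: consumers that annotate pull requests match results to changed files by path, and an absolute path from inside the scan container will silently fail to match.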