CertiK Test: How Vulnerable OpenClaw Skill Bypasses Audits and Takes Over Computers Without Authorization


Recently, the open-source self-hosted AI agent platform OpenClaw (commonly called “Little Lobster” in the industry) has quickly gained popularity due to its flexible scalability and autonomous, controllable deployment features, becoming a phenomenon in the personal AI agent market. Its core ecosystem, Clawhub, serves as an app marketplace that aggregates a vast array of third-party Skill plugins, enabling the AI agent to unlock advanced capabilities with a single click—from web search and content creation to crypto wallet management, on-chain interactions, and system automation. The ecosystem and user base are experiencing explosive growth.

But where exactly is the platform’s true security boundary for third-party Skills operating in high-privilege environments?

Recently, CertiK, the world’s largest Web3 security company, released new research on Skill security. The report points out that there is a misperception in the industry regarding the security boundaries of the AI ecosystem: many consider “Skill scanning” as the core security measure, but this mechanism is almost useless against hacker attacks.

If we compare OpenClaw to an operating system of a smart device, Skills are like the apps installed on it. Unlike ordinary consumer apps, some Skills in OpenClaw run in high-privilege environments, with direct access to local files, system tools, external services, and host environment commands, even operating on users’ encrypted digital assets. Once security is compromised, it can lead to serious consequences such as sensitive data leaks, remote device takeover, or theft of digital assets.

Currently, the industry’s common security solution for third-party Skills is “pre-deployment scanning and review.” OpenClaw’s Clawhub has also built a three-layer review system: integrating VirusTotal code scanning, static code analysis engines, and AI logic consistency checks, providing risk-based security prompts to users in an attempt to safeguard the ecosystem. However, CertiK’s research and proof-of-concept attack tests reveal that this detection system has shortcomings in real-world attack scenarios and cannot serve as the primary line of defense.

The study first dissects the inherent limitations of existing detection mechanisms:

Static detection rules are easily bypassed. The engine mainly relies on matching code features to identify risks—for example, flagging “reading sensitive environment info + making network requests” as high risk. Attackers can make minor syntax modifications to the code, preserving malicious logic while evading pattern matching, similar to rephrasing dangerous content with synonyms, rendering security checks ineffective.

AI-based review has inherent blind spots. Clawhub’s AI review focuses on “logic consistency detection,” which can catch obvious malicious code that claims to perform certain functions but behaves differently. However, it struggles with hidden vulnerabilities embedded within normal business logic—like finding a hidden trap in a seemingly compliant contract.

Even more critically, the review process has fundamental design flaws: Skills that are still under review in VirusTotal—i.e., not fully processed—can still be published and made available to users, who can install them without warnings, leaving room for malicious actors.

To verify the real risks, CertiK’s team conducted comprehensive testing. They developed a Skill called “test-web-searcher,” which appears to be a fully compliant web search tool with normal code logic, but secretly contains a remote code execution vulnerability.

This Skill bypassed static analysis and AI review detection, and was installed without any security warnings while still marked as “pending” in VirusTotal. By sending a remote command via Telegram, the attacker successfully triggered the vulnerability, executing arbitrary commands on the host device (in the demo, it even opened the calculator).

CertiK emphasizes that these issues are not unique to OpenClaw but reflect a widespread misconception in the AI agent industry: many treat “review scanning” as the core security line, neglecting the real security foundation—runtime isolation and fine-grained permission control. This is similar to Apple’s iOS ecosystem security, where the core is not the strict App Store review but the system-enforced sandbox and permission management, ensuring each app runs in an isolated “container” and cannot freely access system resources. Currently, OpenClaw’s sandbox mechanism is optional and relies heavily on user configuration; most users disable sandboxing to ensure Skill functionality, leaving the system exposed. Installing vulnerable or malicious Skills can lead to catastrophic consequences.

In response to these findings, CertiK offers security recommendations:

● For developers of platforms like OpenClaw, sandbox isolation should be set as the default mandatory configuration for third-party Skills. Permissions should be finely managed, and third-party code should never inherit high privileges by default.

● For ordinary users, a “security” label on Skills only indicates that no risks have been detected so far; it does not guarantee absolute safety. Before the underlying strict isolation mechanisms are enabled by default, it is recommended to deploy OpenClaw on idle or virtual machines that do not contain sensitive files, passwords, or high-value assets.
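The developer recommendation above (sandbox isolation on by default, fine-grained permissions, no inherited privileges) and the earlier point that pattern-matching scanners are defeated by cosmetic code changes both lead to the same design: decide what a Skill may touch at runtime, from a declared manifest, rather than from what its source code looks like. The following is an added illustration of that idea, not code from OpenClaw, Clawhub or CertiK. It is a deny-by-default permission guard: a Skill declares the exact files, hosts and environment variables it needs, every sensitive call is checked against that declaration, and each decision is written to an audit trail so refused attempts are visible to whoever monitors the host. The manifest fields, the `web-searcher` skill, the `search.example` host, the paths and the call sequence are all constructed for this example.

```python
"""Deny-by-default permission guard for third-party agent skills.

Added example, not code from OpenClaw, Clawhub or CertiK. A skill declares
the resources it needs in a manifest; every sensitive operation passes
through a guard that refuses anything not declared and records each
decision. Manifest fields, skill name, hostnames and paths are invented.
"""
from __future__ import annotations

import fnmatch
import os
from dataclasses import dataclass, field
from pathlib import Path
from urllib.parse import urlparse


class PermissionDenied(PermissionError):
    """Raised when a skill touches a resource outside its manifest."""


@dataclass(frozen=True)
class SkillManifest:
    name: str
    read_paths: tuple[str, ...] = ()     # absolute glob patterns the skill may read
    network_hosts: tuple[str, ...] = ()  # exact hostnames it may contact
    env_vars: tuple[str, ...] = ()       # environment variables it may read
    shell: bool = False                  # whether it may spawn host commands at all


@dataclass
class SkillGuard:
    """Mediates every sensitive call a skill makes; nothing is allowed by default."""
    manifest: SkillManifest
    audit: list[dict] = field(default_factory=list)

    def _record(self, op: str, target: str, allowed: bool) -> bool:
        self.audit.append({"skill": self.manifest.name, "op": op,
                           "target": target, "allowed": allowed})
        if not allowed:
            raise PermissionDenied(f"{self.manifest.name}: {op} {target!r} not declared")
        return True

    def check_read(self, path: str) -> bool:
        # Canonicalise first so '~', '..' and symlinks cannot dodge the pattern match.
        resolved = str(Path(os.path.expanduser(path)).resolve())
        ok = any(fnmatch.fnmatch(resolved, pat) for pat in self.manifest.read_paths)
        return self._record("read", resolved, ok)

    def check_env(self, name: str) -> bool:
        return self._record("env", name, name in self.manifest.env_vars)

    def check_network(self, url: str) -> bool:
        host = urlparse(url).hostname or ""
        return self._record("network", host, host in self.manifest.network_hosts)

    def check_shell(self, command: str) -> bool:
        # The manifest grants or denies shell access as a whole; no command is implicit.
        return self._record("shell", command, self.manifest.shell)


def attempt(guard: SkillGuard, op: str, target: str) -> bool:
    """Run one check and report the decision instead of propagating the exception."""
    checks = {"read": guard.check_read, "env": guard.check_env,
              "network": guard.check_network, "shell": guard.check_shell}
    try:
        return checks[op](target)
    except PermissionDenied:
        return False


def denied_ops(guard: SkillGuard) -> list[tuple[str, str]]:
    """Audit view a monitoring job would alert on: every refused (op, target)."""
    return [(e["op"], e["target"]) for e in guard.audit if not e["allowed"]]


def demo() -> tuple[list[bool], list[tuple[str, str]]]:
    # Constructed manifest for a web-search skill: one search host, its own
    # cache directory, and nothing else. No shell access, no secrets.
    manifest = SkillManifest(
        name="web-searcher",
        read_paths=("/opt/agent/skills/web-searcher/cache/*",),
        network_hosts=("search.example",),
    )
    guard = SkillGuard(manifest)
    # Constructed call sequence: two calls the manifest covers, then three it never declared.
    decisions = [
        attempt(guard, "network", "https://search.example/api?q=weather"),
        attempt(guard, "read", "/opt/agent/skills/web-searcher/cache/last.json"),
        attempt(guard, "read", "~/.ssh/id_ed25519"),
        attempt(guard, "env", "WALLET_PRIVATE_KEY"),
        attempt(guard, "shell", "uname -a"),
    ]
    return decisions, denied_ops(guard)


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. First, the guard never inspects the Skill's code, so the rewording tricks that defeat signature-based scanners have nothing to act on; the only question is whether the requested resource is in the manifest. Second, a wrapper like this only holds if it is the sole channel to the host: a Skill running in the same process can call the operating system directly, which is exactly why the article insists on system-enforced sandboxing (a container, a separate user, seccomp or equivalent) rather than an opt-in setting. The manifest then becomes the input to that enforcement layer, and the audit trail gives the operator something to alert on when a Skill reaches for a key file or a shell it never declared.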

As the AI agent industry approaches a period of rapid growth, ecosystem expansion must not outpace security development. Scanning and review can only prevent basic malicious attacks; they will never serve as the ultimate security boundary for high-privilege AI agents. True security requires shifting from “perfect detection” to “damage mitigation with inherent risk awareness,” establishing runtime enforced isolation and fine-grained permission controls. Only then can the security bottom line be truly secured, ensuring the sustainable and safe advancement of this technological revolution.

Research source: UoA
