Constant THREAT_MODEL
Source pub const THREAT_MODEL: &str = "---\ntitle: \"Threat Model (MITRE ATLAS)\"\nsummary: \"OpenClaw threat model mapped to the MITRE ATLAS framework\"\nread_when:\n - Reviewing security posture or threat scenarios\n - Working on security features or audit responses\n---\n\n# OpenClaw Threat Model v1.0\n\n## MITRE ATLAS Framework\n\n**Version:** 1.0-draft\n**Last Updated:** 2026-02-04\n**Methodology:** MITRE ATLAS + Data Flow Diagrams\n**Framework:** [MITRE ATLAS](https://atlas.mitre.org/) (Adversarial Threat Landscape for AI Systems)\n\n### Framework Attribution\n\nThis threat model is built on [MITRE ATLAS](https://atlas.mitre.org/), the industry-standard framework for documenting adversarial threats to AI/ML systems. ATLAS is maintained by [MITRE](https://www.mitre.org/) in collaboration with the AI security community.\n\n**Key ATLAS Resources:**\n\n- [ATLAS Techniques](https://atlas.mitre.org/techniques/)\n- [ATLAS Tactics](https://atlas.mitre.org/tactics/)\n- [ATLAS Case Studies](https://atlas.mitre.org/studies/)\n- [ATLAS GitHub](https://github.com/mitre-atlas/atlas-data)\n- [Contributing to ATLAS](https://atlas.mitre.org/resources/contribute)\n\n### Contributing to This Threat Model\n\nThis is a living document maintained by the OpenClaw community. See [CONTRIBUTING-THREAT-MODEL.md](/security/CONTRIBUTING-THREAT-MODEL) for guidelines on contributing:\n\n- Reporting new threats\n- Updating existing threats\n- Proposing attack chains\n- Suggesting mitigations\n\n---\n\n## 1. Introduction\n\n### 1.1 Purpose\n\nThis threat model documents adversarial threats to the OpenClaw AI agent platform and ClawHub skill marketplace, using the MITRE ATLAS framework designed specifically for AI/ML systems.\n\n### 1.2 Scope\n\n| Component | Included | Notes |\n| ---------------------- | -------- | ------------------------------------------------ |\n| OpenClaw Agent Runtime | Yes | Core agent execution, tool calls, sessions |\n| Gateway | Yes | Authentication, routing, channel integration |\n| Channel Integrations | Yes | WhatsApp, Telegram, Discord, Signal, Slack, etc. |\n| ClawHub Marketplace | Yes | Skill publishing, moderation, distribution |\n| MCP Servers | Yes | External tool providers |\n| User Devices | Partial | Mobile apps, desktop clients |\n\n### 1.3 Out of Scope\n\nNothing is explicitly out of scope for this threat model.\n\n---\n\n## 2. System Architecture\n\n### 2.1 Trust Boundaries\n\n```\n\u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510}\n\u{2502} UNTRUSTED ZONE \u{2502}\n\u{2502} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{2502}\n\u{2502} \u{2502} WhatsApp \u{2502} \u{2502} Telegram \u{2502} \u{2502} Discord \u{2502} ... \u{2502}\n\u{2502} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{252c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{252c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{252c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2502}\n\u{2502} \u{2502} \u{2502} \u{2502} \u{2502}\n\u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{253c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{253c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{253c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518}\n \u{2502} \u{2502} \u{2502}\n \u{25bc} \u{25bc} \u{25bc}\n\u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510}\n\u{2502} TRUST BOUNDARY 1: Channel Access \u{2502}\n\u{2502} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{2502}\n\u{2502} \u{2502} GATEWAY \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Device Pairing (30s grace period) \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} AllowFrom / AllowList validation \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Token/Password/Tailscale auth \u{2502} \u{2502}\n\u{2502} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2502}\n\u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518}\n \u{2502}\n \u{25bc}\n\u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510}\n\u{2502} TRUST BOUNDARY 2: Session Isolation \u{2502}\n\u{2502} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{2502}\n\u{2502} \u{2502} AGENT SESSIONS \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Session key = agent:channel:peer \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Tool policies per agent \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Transcript logging \u{2502} \u{2502}\n\u{2502} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2502}\n\u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518}\n \u{2502}\n \u{25bc}\n\u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510}\n\u{2502} TRUST BOUNDARY 3: Tool Execution \u{2502}\n\u{2502} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{2502}\n\u{2502} \u{2502} EXECUTION SANDBOX \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Docker sandbox OR Host (exec-approvals) \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Node remote execution \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} SSRF protection (DNS pinning + IP blocking) \u{2502} \u{2502}\n\u{2502} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2502}\n\u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518}\n \u{2502}\n \u{25bc}\n\u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510}\n\u{2502} TRUST BOUNDARY 4: External Content \u{2502}\n\u{2502} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{2502}\n\u{2502} \u{2502} FETCHED URLs / EMAILS / WEBHOOKS \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} External content wrapping (XML tags) \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Security notice injection \u{2502} \u{2502}\n\u{2502} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2502}\n\u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518}\n \u{2502}\n \u{25bc}\n\u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510}\n\u{2502} TRUST BOUNDARY 5: Supply Chain \u{2502}\n\u{2502} \u{250c}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2510} \u{2502}\n\u{2502} \u{2502} CLAWHUB \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Skill publishing (semver, SKILL.md required) \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} Pattern-based moderation flags \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} VirusTotal scanning (coming soon) \u{2502} \u{2502}\n\u{2502} \u{2502} \u{2022} GitHub account age verification \u{2502} \u{2502}\n\u{2502} \u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518} \u{2502}\n\u{2514}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2500}\u{2518}\n```\n\n### 2.2 Data Flows\n\n| Flow | Source | Destination | Data | Protection |\n| ---- | ------- | ----------- | ------------------ | -------------------- |\n| F1 | Channel | Gateway | User messages | TLS, AllowFrom |\n| F2 | Gateway | Agent | Routed messages | Session isolation |\n| F3 | Agent | Tools | Tool invocations | Policy enforcement |\n| F4 | Agent | External | web_fetch requests | SSRF blocking |\n| F5 | ClawHub | Agent | Skill code | Moderation, scanning |\n| F6 | Agent | Channel | Responses | Output filtering |\n\n---\n\n## 3. Threat Analysis by ATLAS Tactic\n\n### 3.1 Reconnaissance (AML.TA0002)\n\n#### T-RECON-001: Agent Endpoint Discovery\n\n| Attribute | Value |\n| ----------------------- | -------------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0006 - Active Scanning |\n| **Description** | Attacker scans for exposed OpenClaw gateway endpoints |\n| **Attack Vector** | Network scanning, shodan queries, DNS enumeration |\n| **Affected Components** | Gateway, exposed API endpoints |\n| **Current Mitigations** | Tailscale auth option, bind to loopback by default |\n| **Residual Risk** | Medium - Public gateways discoverable |\n| **Recommendations** | Document secure deployment, add rate limiting on discovery endpoints |\n\n#### T-RECON-002: Channel Integration Probing\n\n| Attribute | Value |\n| ----------------------- | ------------------------------------------------------------------ |\n| **ATLAS ID** | AML.T0006 - Active Scanning |\n| **Description** | Attacker probes messaging channels to identify AI-managed accounts |\n| **Attack Vector** | Sending test messages, observing response patterns |\n| **Affected Components** | All channel integrations |\n| **Current Mitigations** | None specific |\n| **Residual Risk** | Low - Limited value from discovery alone |\n| **Recommendations** | Consider response timing randomization |\n\n---\n\n### 3.2 Initial Access (AML.TA0004)\n\n#### T-ACCESS-001: Pairing Code Interception\n\n| Attribute | Value |\n| ----------------------- | -------------------------------------------------------- |\n| **ATLAS ID** | AML.T0040 - AI Model Inference API Access |\n| **Description** | Attacker intercepts pairing code during 30s grace period |\n| **Attack Vector** | Shoulder surfing, network sniffing, social engineering |\n| **Affected Components** | Device pairing system |\n| **Current Mitigations** | 30s expiry, codes sent via existing channel |\n| **Residual Risk** | Medium - Grace period exploitable |\n| **Recommendations** | Reduce grace period, add confirmation step |\n\n#### T-ACCESS-002: AllowFrom Spoofing\n\n| Attribute | Value |\n| ----------------------- | ------------------------------------------------------------------------------ |\n| **ATLAS ID** | AML.T0040 - AI Model Inference API Access |\n| **Description** | Attacker spoofs allowed sender identity in channel |\n| **Attack Vector** | Depends on channel - phone number spoofing, username impersonation |\n| **Affected Components** | AllowFrom validation per channel |\n| **Current Mitigations** | Channel-specific identity verification |\n| **Residual Risk** | Medium - Some channels vulnerable to spoofing |\n| **Recommendations** | Document channel-specific risks, add cryptographic verification where possible |\n\n#### T-ACCESS-003: Token Theft\n\n| Attribute | Value |\n| ----------------------- | ----------------------------------------------------------- |\n| **ATLAS ID** | AML.T0040 - AI Model Inference API Access |\n| **Description** | Attacker steals authentication tokens from config files |\n| **Attack Vector** | Malware, unauthorized device access, config backup exposure |\n| **Affected Components** | ~/.openclaw/credentials/, config storage |\n| **Current Mitigations** | File permissions |\n| **Residual Risk** | High - Tokens stored in plaintext |\n| **Recommendations** | Implement token encryption at rest, add token rotation |\n\n---\n\n### 3.3 Execution (AML.TA0005)\n\n#### T-EXEC-001: Direct Prompt Injection\n\n| Attribute | Value |\n| ----------------------- | ----------------------------------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0051.000 - LLM Prompt Injection: Direct |\n| **Description** | Attacker sends crafted prompts to manipulate agent behavior |\n| **Attack Vector** | Channel messages containing adversarial instructions |\n| **Affected Components** | Agent LLM, all input surfaces |\n| **Current Mitigations** | Pattern detection, external content wrapping |\n| **Residual Risk** | Critical - Detection only, no blocking; sophisticated attacks bypass |\n| **Recommendations** | Implement multi-layer defense, output validation, user confirmation for sensitive actions |\n\n#### T-EXEC-002: Indirect Prompt Injection\n\n| Attribute | Value |\n| ----------------------- | ----------------------------------------------------------- |\n| **ATLAS ID** | AML.T0051.001 - LLM Prompt Injection: Indirect |\n| **Description** | Attacker embeds malicious instructions in fetched content |\n| **Attack Vector** | Malicious URLs, poisoned emails, compromised webhooks |\n| **Affected Components** | web_fetch, email ingestion, external data sources |\n| **Current Mitigations** | Content wrapping with XML tags and security notice |\n| **Residual Risk** | High - LLM may ignore wrapper instructions |\n| **Recommendations** | Implement content sanitization, separate execution contexts |\n\n#### T-EXEC-003: Tool Argument Injection\n\n| Attribute | Value |\n| ----------------------- | ------------------------------------------------------------ |\n| **ATLAS ID** | AML.T0051.000 - LLM Prompt Injection: Direct |\n| **Description** | Attacker manipulates tool arguments through prompt injection |\n| **Attack Vector** | Crafted prompts that influence tool parameter values |\n| **Affected Components** | All tool invocations |\n| **Current Mitigations** | Exec approvals for dangerous commands |\n| **Residual Risk** | High - Relies on user judgment |\n| **Recommendations** | Implement argument validation, parameterized tool calls |\n\n#### T-EXEC-004: Exec Approval Bypass\n\n| Attribute | Value |\n| ----------------------- | ---------------------------------------------------------- |\n| **ATLAS ID** | AML.T0043 - Craft Adversarial Data |\n| **Description** | Attacker crafts commands that bypass approval allowlist |\n| **Attack Vector** | Command obfuscation, alias exploitation, path manipulation |\n| **Affected Components** | exec-approvals.ts, command allowlist |\n| **Current Mitigations** | Allowlist + ask mode |\n| **Residual Risk** | High - No command sanitization |\n| **Recommendations** | Implement command normalization, expand blocklist |\n\n---\n\n### 3.4 Persistence (AML.TA0006)\n\n#### T-PERSIST-001: Malicious Skill Installation\n\n| Attribute | Value |\n| ----------------------- | ------------------------------------------------------------------------ |\n| **ATLAS ID** | AML.T0010.001 - Supply Chain Compromise: AI Software |\n| **Description** | Attacker publishes malicious skill to ClawHub |\n| **Attack Vector** | Create account, publish skill with hidden malicious code |\n| **Affected Components** | ClawHub, skill loading, agent execution |\n| **Current Mitigations** | GitHub account age verification, pattern-based moderation flags |\n| **Residual Risk** | Critical - No sandboxing, limited review |\n| **Recommendations** | VirusTotal integration (in progress), skill sandboxing, community review |\n\n#### T-PERSIST-002: Skill Update Poisoning\n\n| Attribute | Value |\n| ----------------------- | -------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0010.001 - Supply Chain Compromise: AI Software |\n| **Description** | Attacker compromises popular skill and pushes malicious update |\n| **Attack Vector** | Account compromise, social engineering of skill owner |\n| **Affected Components** | ClawHub versioning, auto-update flows |\n| **Current Mitigations** | Version fingerprinting |\n| **Residual Risk** | High - Auto-updates may pull malicious versions |\n| **Recommendations** | Implement update signing, rollback capability, version pinning |\n\n#### T-PERSIST-003: Agent Configuration Tampering\n\n| Attribute | Value |\n| ----------------------- | --------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0010.002 - Supply Chain Compromise: Data |\n| **Description** | Attacker modifies agent configuration to persist access |\n| **Attack Vector** | Config file modification, settings injection |\n| **Affected Components** | Agent config, tool policies |\n| **Current Mitigations** | File permissions |\n| **Residual Risk** | Medium - Requires local access |\n| **Recommendations** | Config integrity verification, audit logging for config changes |\n\n---\n\n### 3.5 Defense Evasion (AML.TA0007)\n\n#### T-EVADE-001: Moderation Pattern Bypass\n\n| Attribute | Value |\n| ----------------------- | ---------------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0043 - Craft Adversarial Data |\n| **Description** | Attacker crafts skill content to evade moderation patterns |\n| **Attack Vector** | Unicode homoglyphs, encoding tricks, dynamic loading |\n| **Affected Components** | ClawHub moderation.ts |\n| **Current Mitigations** | Pattern-based FLAG_RULES |\n| **Residual Risk** | High - Simple regex easily bypassed |\n| **Recommendations** | Add behavioral analysis (VirusTotal Code Insight), AST-based detection |\n\n#### T-EVADE-002: Content Wrapper Escape\n\n| Attribute | Value |\n| ----------------------- | --------------------------------------------------------- |\n| **ATLAS ID** | AML.T0043 - Craft Adversarial Data |\n| **Description** | Attacker crafts content that escapes XML wrapper context |\n| **Attack Vector** | Tag manipulation, context confusion, instruction override |\n| **Affected Components** | External content wrapping |\n| **Current Mitigations** | XML tags + security notice |\n| **Residual Risk** | Medium - Novel escapes discovered regularly |\n| **Recommendations** | Multiple wrapper layers, output-side validation |\n\n---\n\n### 3.6 Discovery (AML.TA0008)\n\n#### T-DISC-001: Tool Enumeration\n\n| Attribute | Value |\n| ----------------------- | ----------------------------------------------------- |\n| **ATLAS ID** | AML.T0040 - AI Model Inference API Access |\n| **Description** | Attacker enumerates available tools through prompting |\n| **Attack Vector** | \"What tools do you have?\" style queries |\n| **Affected Components** | Agent tool registry |\n| **Current Mitigations** | None specific |\n| **Residual Risk** | Low - Tools generally documented |\n| **Recommendations** | Consider tool visibility controls |\n\n#### T-DISC-002: Session Data Extraction\n\n| Attribute | Value |\n| ----------------------- | ----------------------------------------------------- |\n| **ATLAS ID** | AML.T0040 - AI Model Inference API Access |\n| **Description** | Attacker extracts sensitive data from session context |\n| **Attack Vector** | \"What did we discuss?\" queries, context probing |\n| **Affected Components** | Session transcripts, context window |\n| **Current Mitigations** | Session isolation per sender |\n| **Residual Risk** | Medium - Within-session data accessible |\n| **Recommendations** | Implement sensitive data redaction in context |\n\n---\n\n### 3.7 Collection & Exfiltration (AML.TA0009, AML.TA0010)\n\n#### T-EXFIL-001: Data Theft via web_fetch\n\n| Attribute | Value |\n| ----------------------- | ---------------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0009 - Collection |\n| **Description** | Attacker exfiltrates data by instructing agent to send to external URL |\n| **Attack Vector** | Prompt injection causing agent to POST data to attacker server |\n| **Affected Components** | web_fetch tool |\n| **Current Mitigations** | SSRF blocking for internal networks |\n| **Residual Risk** | High - External URLs permitted |\n| **Recommendations** | Implement URL allowlisting, data classification awareness |\n\n#### T-EXFIL-002: Unauthorized Message Sending\n\n| Attribute | Value |\n| ----------------------- | ---------------------------------------------------------------- |\n| **ATLAS ID** | AML.T0009 - Collection |\n| **Description** | Attacker causes agent to send messages containing sensitive data |\n| **Attack Vector** | Prompt injection causing agent to message attacker |\n| **Affected Components** | Message tool, channel integrations |\n| **Current Mitigations** | Outbound messaging gating |\n| **Residual Risk** | Medium - Gating may be bypassed |\n| **Recommendations** | Require explicit confirmation for new recipients |\n\n#### T-EXFIL-003: Credential Harvesting\n\n| Attribute | Value |\n| ----------------------- | ------------------------------------------------------- |\n| **ATLAS ID** | AML.T0009 - Collection |\n| **Description** | Malicious skill harvests credentials from agent context |\n| **Attack Vector** | Skill code reads environment variables, config files |\n| **Affected Components** | Skill execution environment |\n| **Current Mitigations** | None specific to skills |\n| **Residual Risk** | Critical - Skills run with agent privileges |\n| **Recommendations** | Skill sandboxing, credential isolation |\n\n---\n\n### 3.8 Impact (AML.TA0011)\n\n#### T-IMPACT-001: Unauthorized Command Execution\n\n| Attribute | Value |\n| ----------------------- | --------------------------------------------------- |\n| **ATLAS ID** | AML.T0031 - Erode AI Model Integrity |\n| **Description** | Attacker executes arbitrary commands on user system |\n| **Attack Vector** | Prompt injection combined with exec approval bypass |\n| **Affected Components** | Bash tool, command execution |\n| **Current Mitigations** | Exec approvals, Docker sandbox option |\n| **Residual Risk** | Critical - Host execution without sandbox |\n| **Recommendations** | Default to sandbox, improve approval UX |\n\n#### T-IMPACT-002: Resource Exhaustion (DoS)\n\n| Attribute | Value |\n| ----------------------- | -------------------------------------------------- |\n| **ATLAS ID** | AML.T0031 - Erode AI Model Integrity |\n| **Description** | Attacker exhausts API credits or compute resources |\n| **Attack Vector** | Automated message flooding, expensive tool calls |\n| **Affected Components** | Gateway, agent sessions, API provider |\n| **Current Mitigations** | None |\n| **Residual Risk** | High - No rate limiting |\n| **Recommendations** | Implement per-sender rate limits, cost budgets |\n\n#### T-IMPACT-003: Reputation Damage\n\n| Attribute | Value |\n| ----------------------- | ------------------------------------------------------- |\n| **ATLAS ID** | AML.T0031 - Erode AI Model Integrity |\n| **Description** | Attacker causes agent to send harmful/offensive content |\n| **Attack Vector** | Prompt injection causing inappropriate responses |\n| **Affected Components** | Output generation, channel messaging |\n| **Current Mitigations** | LLM provider content policies |\n| **Residual Risk** | Medium - Provider filters imperfect |\n| **Recommendations** | Output filtering layer, user controls |\n\n---\n\n## 4. ClawHub Supply Chain Analysis\n\n### 4.1 Current Security Controls\n\n| Control | Implementation | Effectiveness |\n| -------------------- | --------------------------- | ---------------------------------------------------- |\n| GitHub Account Age | `requireGitHubAccountAge()` | Medium - Raises bar for new attackers |\n| Path Sanitization | `sanitizePath()` | High - Prevents path traversal |\n| File Type Validation | `isTextFile()` | Medium - Only text files, but can still be malicious |\n| Size Limits | 50MB total bundle | High - Prevents resource exhaustion |\n| Required SKILL.md | Mandatory readme | Low security value - Informational only |\n| Pattern Moderation | FLAG_RULES in moderation.ts | Low - Easily bypassed |\n| Moderation Status | `moderationStatus` field | Medium - Manual review possible |\n\n### 4.2 Moderation Flag Patterns\n\nCurrent patterns in `moderation.ts`:\n\n```javascript\n// Known-bad identifiers\n/(keepcold131\\/ClawdAuthenticatorTool|ClawdAuthenticatorTool)/i\n\n// Suspicious keywords\n/(malware|stealer|phish|phishing|keylogger)/i\n/(api[-_ ]?key|token|password|private key|secret)/i\n/(wallet|seed phrase|mnemonic|crypto)/i\n/(discord\\.gg|webhook|hooks\\.slack)/i\n/(curl[^\\n]+\\|\\s*(sh|bash))/i\n/(bit\\.ly|tinyurl\\.com|t\\.co|goo\\.gl|is\\.gd)/i\n```\n\n**Limitations:**\n\n- Only checks slug, displayName, summary, frontmatter, metadata, file paths\n- Does not analyze actual skill code content\n- Simple regex easily bypassed with obfuscation\n- No behavioral analysis\n\n### 4.3 Planned Improvements\n\n| Improvement | Status | Impact |\n| ---------------------- | ------------------------------------- | --------------------------------------------------------------------- |\n| VirusTotal Integration | In Progress | High - Code Insight behavioral analysis |\n| Community Reporting | Partial (`skillReports` table exists) | Medium |\n| Audit Logging | Partial (`auditLogs` table exists) | Medium |\n| Badge System | Implemented | Medium - `highlighted`, `official`, `deprecated`, `redactionApproved` |\n\n---\n\n## 5. Risk Matrix\n\n### 5.1 Likelihood vs Impact\n\n| Threat ID | Likelihood | Impact | Risk Level | Priority |\n| ------------- | ---------- | -------- | ------------ | -------- |\n| T-EXEC-001 | High | Critical | **Critical** | P0 |\n| T-PERSIST-001 | High | Critical | **Critical** | P0 |\n| T-EXFIL-003 | Medium | Critical | **Critical** | P0 |\n| T-IMPACT-001 | Medium | Critical | **High** | P1 |\n| T-EXEC-002 | High | High | **High** | P1 |\n| T-EXEC-004 | Medium | High | **High** | P1 |\n| T-ACCESS-003 | Medium | High | **High** | P1 |\n| T-EXFIL-001 | Medium | High | **High** | P1 |\n| T-IMPACT-002 | High | Medium | **High** | P1 |\n| T-EVADE-001 | High | Medium | **Medium** | P2 |\n| T-ACCESS-001 | Low | High | **Medium** | P2 |\n| T-ACCESS-002 | Low | High | **Medium** | P2 |\n| T-PERSIST-002 | Low | High | **Medium** | P2 |\n\n### 5.2 Critical Path Attack Chains\n\n**Attack Chain 1: Skill-Based Data Theft**\n\n```\nT-PERSIST-001 \u{2192} T-EVADE-001 \u{2192} T-EXFIL-003\n(Publish malicious skill) \u{2192} (Evade moderation) \u{2192} (Harvest credentials)\n```\n\n**Attack Chain 2: Prompt Injection to RCE**\n\n```\nT-EXEC-001 \u{2192} T-EXEC-004 \u{2192} T-IMPACT-001\n(Inject prompt) \u{2192} (Bypass exec approval) \u{2192} (Execute commands)\n```\n\n**Attack Chain 3: Indirect Injection via Fetched Content**\n\n```\nT-EXEC-002 \u{2192} T-EXFIL-001 \u{2192} External exfiltration\n(Poison URL content) \u{2192} (Agent fetches & follows instructions) \u{2192} (Data sent to attacker)\n```\n\n---\n\n## 6. Recommendations Summary\n\n### 6.1 Immediate (P0)\n\n| ID | Recommendation | Addresses |\n| ----- | ------------------------------------------- | -------------------------- |\n| R-001 | Complete VirusTotal integration | T-PERSIST-001, T-EVADE-001 |\n| R-002 | Implement skill sandboxing | T-PERSIST-001, T-EXFIL-003 |\n| R-003 | Add output validation for sensitive actions | T-EXEC-001, T-EXEC-002 |\n\n### 6.2 Short-term (P1)\n\n| ID | Recommendation | Addresses |\n| ----- | ---------------------------------------- | ------------ |\n| R-004 | Implement rate limiting | T-IMPACT-002 |\n| R-005 | Add token encryption at rest | T-ACCESS-003 |\n| R-006 | Improve exec approval UX and validation | T-EXEC-004 |\n| R-007 | Implement URL allowlisting for web_fetch | T-EXFIL-001 |\n\n### 6.3 Medium-term (P2)\n\n| ID | Recommendation | Addresses |\n| ----- | ----------------------------------------------------- | ------------- |\n| R-008 | Add cryptographic channel verification where possible | T-ACCESS-002 |\n| R-009 | Implement config integrity verification | T-PERSIST-003 |\n| R-010 | Add update signing and version pinning | T-PERSIST-002 |\n\n---\n\n## 7. Appendices\n\n### 7.1 ATLAS Technique Mapping\n\n| ATLAS ID | Technique Name | OpenClaw Threats |\n| ------------- | ------------------------------ | ---------------------------------------------------------------- |\n| AML.T0006 | Active Scanning | T-RECON-001, T-RECON-002 |\n| AML.T0009 | Collection | T-EXFIL-001, T-EXFIL-002, T-EXFIL-003 |\n| AML.T0010.001 | Supply Chain: AI Software | T-PERSIST-001, T-PERSIST-002 |\n| AML.T0010.002 | Supply Chain: Data | T-PERSIST-003 |\n| AML.T0031 | Erode AI Model Integrity | T-IMPACT-001, T-IMPACT-002, T-IMPACT-003 |\n| AML.T0040 | AI Model Inference API Access | T-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002 |\n| AML.T0043 | Craft Adversarial Data | T-EXEC-004, T-EVADE-001, T-EVADE-002 |\n| AML.T0051.000 | LLM Prompt Injection: Direct | T-EXEC-001, T-EXEC-003 |\n| AML.T0051.001 | LLM Prompt Injection: Indirect | T-EXEC-002 |\n\n### 7.2 Key Security Files\n\n| Path | Purpose | Risk Level |\n| ----------------------------------- | --------------------------- | ------------ |\n| `src/infra/exec-approvals.ts` | Command approval logic | **Critical** |\n| `src/gateway/auth.ts` | Gateway authentication | **Critical** |\n| `src/web/inbound/access-control.ts` | Channel access control | **Critical** |\n| `src/infra/net/ssrf.ts` | SSRF protection | **Critical** |\n| `src/security/external-content.ts` | Prompt injection mitigation | **Critical** |\n| `src/agents/sandbox/tool-policy.ts` | Tool policy enforcement | **Critical** |\n| `convex/lib/moderation.ts` | ClawHub moderation | **High** |\n| `convex/lib/skillPublish.ts` | Skill publishing flow | **High** |\n| `src/routing/resolve-route.ts` | Session isolation | **Medium** |\n\n### 7.3 Glossary\n\n| Term | Definition |\n| -------------------- | --------------------------------------------------------- |\n| **ATLAS** | MITRE\'s Adversarial Threat Landscape for AI Systems |\n| **ClawHub** | OpenClaw\'s skill marketplace |\n| **Gateway** | OpenClaw\'s message routing and authentication layer |\n| **MCP** | Model Context Protocol - tool provider interface |\n| **Prompt Injection** | Attack where malicious instructions are embedded in input |\n| **Skill** | Downloadable extension for OpenClaw agents |\n| **SSRF** | Server-Side Request Forgery |\n\n---\n\n_This threat model is a living document. Report security issues to security@openclaw.ai_\n";