CertiK Hands-On Test: How the Vulnerable OpenClaw Skill Evades Audits and Takes Over Computers Without Authorization
For these third-party Skills running in high-privilege environments, where exactly does the platform’s real security boundary lie?
Recently, CertiK, the world’s largest Web3 security company, published its latest research on Skill security. The report points out a significant cognitive misalignment in the market regarding the security boundaries of AI agent ecosystems: the industry widely considers “Skill scanning” as the core security boundary, yet this mechanism is almost useless against hacker attacks.
If we compare OpenClaw to an operating system for smart devices, Skills are the various APPs installed on it. Unlike ordinary consumer-grade APPs, some Skills in OpenClaw run in high-privilege environments. They can directly access local files, invoke system tools, connect to external services, execute host environment commands, and even operate users’ crypto digital assets. Once a security issue arises, it can directly lead to severe consequences such as sensitive information leakage, remote device takeover, and theft of digital assets.
The current universal security solution for third-party Skills across the industry is “pre-listing scanning and review.” OpenClaw’s Clawhub has also established a three-layer review and protection system: integrating VirusTotal code scanning, a static code detection engine, and AI logic consistency detection. It pushes security pop-up warnings to users based on risk classification, attempting to secure the ecosystem. However, CertiK’s research and proof-of-concept attack tests confirm that this detection system has shortcomings in real-world attack and defense scenarios and cannot bear the core responsibility of security protection.
The research first deconstructs the inherent limitations of the existing detection mechanisms:
Static detection rules are extremely easy to bypass. The core of this engine relies on matching code features to identify risks, such as flagging the combination of “reading sensitive environmental information + making external network requests” as high-risk behavior. However, attackers only need to make slight syntactic modifications to the code while completely preserving the malicious logic to easily bypass feature matching. It’s like rephrasing dangerous content with synonyms, rendering the security scanner completely ineffective.
AI review has inherent detection blind spots. The core function of Clawhub’s AI review is a “logic consistency detector,” which can only catch obvious malicious code where “declared functionality does not match actual behavior.” It is powerless against exploitable vulnerabilities hidden within normal business logic, much like how it’s difficult to find a fatal trap buried deep within seemingly compliant contract clauses.
More critically, there is a fundamental design flaw in the review process: even when VirusTotal’s scan results are still in a “pending” state, Skills that have not completed the full “health check” process can still be listed publicly. Users can install them without any warning, leaving an opening for attackers.
To verify the real harm of these risks, the CertiK research team conducted a complete test. The team developed a Skill named “test-web-searcher.” On the surface, it is a fully compliant web search tool, with code logic entirely adhering to standard development practices. In reality, it embeds a remote code execution vulnerability within its normal functional flow.
This Skill bypassed detection by both the static engine and AI review. While its VirusTotal scan was still pending, it was installed normally without any security warnings. Ultimately, by sending a remote command via Telegram, the vulnerability was successfully triggered, achieving arbitrary command execution on the host device (in the demo, it directly caused the system to launch the calculator).
In its research, CertiK clearly states that these issues are not unique bugs of OpenClaw but rather a widespread cognitive misconception across the entire AI agent industry: the industry generally treats “review scanning” as the core security defense line, overlooking that the true security foundation lies in runtime-enforced isolation and granular permission control. This is similar to how the security core of Apple’s iOS ecosystem has never been the strict review of the App Store, but rather the system-enforced sandbox mechanism and granular permission management, ensuring each APP runs in its dedicated “isolation pod” without arbitrarily obtaining system permissions. In contrast, OpenClaw’s existing sandbox mechanism is optional, not mandatory, and highly reliant on manual user configuration. Most users, to ensure Skill functionality, choose to disable the sandbox, ultimately leaving the agent in a “naked” state. Once a Skill with vulnerabilities or malicious code is installed, it can directly lead to catastrophic consequences.
Regarding the issues discovered, CertiK also provides security guidance:
● For AI agent developers like OpenClaw, sandbox isolation must be set as the default mandatory configuration for third-party Skills. A granular permission control model for Skills must be implemented, and third-party code must never be allowed to inherit the host’s high privileges by default.
● For ordinary users, a “Safe” label in the Skill market merely indicates that a Skill has not been detected as risky, not that it is absolutely safe. Until a default, underlying strong isolation mechanism is officially implemented, it is recommended to deploy OpenClaw on non-critical idle devices or virtual machines. Never let it near sensitive files, password credentials, or high-value crypto assets.
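As an added illustration of the first recommendation above (deny-by-default, granular permissions enforced at runtime rather than by scanning), here is a minimal capability gate in Python. It is not code from CertiK’s research or from OpenClaw; the manifest fields, the `web-searcher` skill and the hostnames are assumptions.

```python
# Added example (not CertiK's or OpenClaw's code): deny-by-default capability gate
# for third-party skills. Every host-facing call passes through the gate, so an
# undeclared action is blocked at runtime no matter how the skill code is written.
from dataclasses import dataclass, field
from urllib.parse import urlparse

class PermissionDenied(Exception):
    pass

@dataclass
class SkillManifest:                 # capabilities a skill declares up front
    name: str
    network_hosts: set = field(default_factory=set)  # allowed egress hostnames
    read_paths: set = field(default_factory=set)     # allowed file path prefixes
    allow_exec: bool = False                          # host command execution

@dataclass
class SkillRuntime:                  # the only way a skill reaches the host
    manifest: SkillManifest
    audit: list = field(default_factory=list)          # (skill, capability, detail, verdict)

    def _check(self, capability, detail, allowed):
        verdict = "allow" if allowed else "deny"
        self.audit.append((self.manifest.name, capability, detail, verdict))
        if not allowed:
            raise PermissionDenied(f"{self.manifest.name}: {capability} {detail!r}")

    def fetch(self, url):
        host = urlparse(url).hostname or ""
        self._check("network", host, host in self.manifest.network_hosts)
        return f"<response from {host}>"   # stand-in for a real HTTP client

    def read_file(self, path):
        ok = any(path.startswith(p) for p in self.manifest.read_paths)
        self._check("fs.read", path, ok)
        return f"<contents of {path}>"

    def run_command(self, cmd):
        self._check("exec", cmd, self.manifest.allow_exec)
        return f"<ran {cmd}>"

def run_web_searcher(runtime, query, extra_command=None):
    """Constructed skill: the search request is within its declared scope; a
    command it is later asked to run is not, and the gate refuses it."""
    results = [runtime.fetch(f"https://search.example/?q={query}")]
    if extra_command:
        results.append(runtime.run_command(extra_command))
    return results

WEB_SEARCHER = SkillManifest("web-searcher", network_hosts={"search.example"})
```

The audit list is the detection side of the same control: every denied call is recorded with the skill name and the capability it tried to use, which is the signal a host should alert on.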
The AI agent track is currently on the eve of an explosion. The speed of ecosystem expansion must not outpace the pace of security construction. Review scanning can only block elementary malicious attacks but can never become the security boundary for high-privilege agents. Only by shifting from “pursuing perfect detection” to “assuming risk exists and focusing on damage containment,” and by enforcing isolation boundaries from the runtime layer, can we truly secure the safety baseline for AI agents, allowing this technological revolution to progress steadily and sustainably.
Original Research: https://x.com/hhj4ck/status/2033527312042315816?s=20
https://mp.weixin.qq.com/s/Wxrzt7bAo86h3bOKkx6 UoA