
Is Your “Little Lobster” Running Naked? CertiK Test: How the Vulnerable OpenClaw Skill Bypassed Review and Took Over Computers Without Authorization

Analysis · Updated 1 hour ago · Wyatt

For third-party Skills running in high-privilege environments, where does the platform’s true security boundary lie?

Recently, CertiK, the world’s largest Web3 security company, released its latest research on Skill security. The report points out a cognitive misalignment in the market regarding the security boundaries of AI agent ecosystems: the industry generally treats “Skill scanning” as the core security boundary, yet this mechanism is almost useless against hacker attacks.

If we compare OpenClaw to an operating system for a smart device, Skills are the various apps installed on the system. Unlike ordinary consumer-grade apps, some Skills in OpenClaw run in high-privilege environments. They can directly access local files, invoke system tools, connect to external services, execute host environment commands, and even operate users’ crypto assets. Once a security issue arises, it can directly lead to severe consequences such as sensitive information leakage, remote device takeover, and theft of digital assets.

The current universal security solution for third-party Skills across the industry is “pre-listing scanning and review.” OpenClaw’s Clawhub has also established a three-layer review and protection system: integrating VirusTotal code scanning, a static code detection engine, and AI logic consistency detection. It pushes security pop-up warnings to users based on risk classification, attempting to secure the ecosystem. However, CertiK’s research and proof-of-concept attack testing confirm that this detection system has shortcomings in real-world attack and defense scenarios and cannot bear the core responsibility of security protection.

The research first deconstructs the inherent limitations of the existing detection mechanisms:

Static detection rules are easily bypassed. The core of this engine relies on matching code features to identify risks. For example, it might flag the combination of “reading sensitive environment information + sending network requests” as high-risk behavior. However, attackers only need to make slight syntactic modifications to the code while fully preserving the malicious logic to easily bypass feature matching. It’s like giving dangerous content a synonymous expression, rendering the security scanner completely ineffective.

AI review has inherent detection blind spots. The core function of Clawhub’s AI review is a “logic consistency detector.” It can only catch obvious malicious code where “declared functionality does not match actual behavior,” but it is powerless against exploitable vulnerabilities hidden within normal business logic. It’s akin to the difficulty of finding a fatal trap buried deep within the clauses of a seemingly compliant contract.

More critically, there is a fundamental design flaw in the review process: even when VirusTotal’s scan results are still in a “pending” state, Skills that have not completed the full “health check” process can still be publicly listed. Users can install them without any warnings, leaving an opening for attackers.
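The “pending but listed” flaw described above is a fail-open decision: a check that has not finished is treated as if it had passed. The following is an added example (not CertiK’s research code and not Clawhub’s actual listing logic) that models the three-layer pipeline the article names and contrasts a fail-open gate with a fail-closed one. The check names, the `ScanReport` structure and the `warning_level` labels are assumptions made for illustration.

```python
"""Listing gate for a skill marketplace: fail-open vs fail-closed.

Added example, not CertiK's or OpenClaw's code. The check names and the
ScanReport structure are assumptions used to model the review pipeline the
article describes: VirusTotal scan, static engine, AI consistency check.
"""
from dataclasses import dataclass, field

# Each check ends in one of three states. "pending" means the result has not
# come back yet, which is not the same thing as "clean".
CLEAN, MALICIOUS, PENDING = "clean", "malicious", "pending"
REQUIRED_CHECKS = ("virustotal", "static_engine", "ai_consistency")


@dataclass
class ScanReport:
    results: dict = field(default_factory=dict)  # check name -> state


def can_publish_fail_open(report: ScanReport) -> bool:
    """Flawed gate: lists the skill unless some check has already said 'malicious'.
    A check that never finished (pending or missing) is treated as if it passed."""
    return all(state != MALICIOUS for state in report.results.values())


def can_publish_fail_closed(report: ScanReport) -> bool:
    """Hardened gate: every required check must exist and report 'clean'.
    Pending or missing results block listing until the check completes."""
    return all(report.results.get(name) == CLEAN for name in REQUIRED_CHECKS)


def warning_level(report: ScanReport) -> str:
    """What the install prompt should show under the fail-closed policy:
    only a fully clean report yields no warning; unfinished checks are surfaced."""
    if can_publish_fail_closed(report):
        return "none"
    if MALICIOUS in report.results.values():
        return "block"
    return "unverified"  # at least one check pending or missing


if __name__ == "__main__":
    # Constructed report mirroring the article's scenario: static engine and
    # AI review passed, VirusTotal result still pending.
    r = ScanReport({"virustotal": PENDING, "static_engine": CLEAN, "ai_consistency": CLEAN})
    print("fail-open publishes:  ", can_publish_fail_open(r))    # True
    print("fail-closed publishes:", can_publish_fail_closed(r))  # False
    print("install prompt:       ", warning_level(r))            # unverified
```

The fail-closed gate also covers a check that is missing entirely, since `results.get(name)` returns `None`, which is never equal to `CLEAN`; a gate that only looks for an explicit “malicious” verdict silently waves such a skill through.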

To verify the real harm of these risks, the CertiK research team completed comprehensive testing. The team developed a Skill named “test-web-searcher.” On the surface, it is a fully compliant web search tool, with code logic entirely conforming to standard development practices. In reality, it embeds a remote code execution vulnerability within the normal functional flow.

This Skill bypassed detection by both the static engine and AI review. While its VirusTotal scan was still pending, it was installed normally without any security warnings. Ultimately, by sending a remote command via Telegram, the vulnerability was successfully triggered, achieving arbitrary command execution on the host device (in the demonstration, it directly controlled the system to launch the calculator).
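The article does not publish the code of “test-web-searcher”, so the following is an added illustration of the general pattern it describes, a vulnerability hidden inside otherwise normal functionality, rather than CertiK’s actual Skill. It assumes a search skill that shells out to `curl` with a query string that arrives from a chat message (the article’s trigger was a Telegram command); the endpoint, the use of `curl` and the function names are all assumptions. The vulnerable builder splices the message into a shell string; the hardened builder passes an argv list with the query percent-encoded, so a shell is never involved and metacharacters reach `curl` as data.

```python
"""A 'web search' skill with a command-injection flaw beside its hardened form.

Added example, not CertiK's test-web-searcher Skill (its code is not on the
page). Assumes a skill that runs curl to fetch results, with the query text
taken from a chat message that an attacker could also send.
"""
import subprocess
from urllib.parse import quote

SEARCH_ENDPOINT = "https://search.example/api"  # assumed endpoint


def build_command_vulnerable(query: str) -> str:
    """Before: the query is spliced into a shell command string. Quotes and ';'
    in the message become shell syntax, so a crafted chat message runs commands."""
    return f"curl -s '{SEARCH_ENDPOINT}?q={query}'"


def build_command_hardened(query: str) -> list[str]:
    """After: argv list (no shell) with the query percent-encoded into the single
    argument it belongs to. The list always has exactly three elements, no matter
    what the message contains."""
    return ["curl", "-s", f"{SEARCH_ENDPOINT}?q={quote(query, safe='')}"]


def run_search(query: str, hardened: bool = True) -> subprocess.CompletedProcess:
    """Execute the search. Only the vulnerable path uses shell=True."""
    if hardened:
        return subprocess.run(build_command_hardened(query),
                              capture_output=True, text=True, timeout=10)
    return subprocess.run(build_command_vulnerable(query), shell=True,
                          capture_output=True, text=True, timeout=10)


def handle_chat_message(text: str) -> list[str]:
    """Entry point a chat integration would call. The message is untrusted input,
    so it only ever becomes one argv element of the hardened command."""
    return build_command_hardened(text.strip())


if __name__ == "__main__":
    # Constructed message with shell metacharacters (benign marker, no real payload).
    msg = "lobster'; echo injected #"
    print("vulnerable:", build_command_vulnerable(msg))
    print("hardened:  ", handle_chat_message(msg))
```

Note that the hardened version does not rely on filtering “dangerous” characters out of the message; it changes how the value is passed so that no interpretation as shell syntax is possible. That is the kind of fix a static rule keyed on `shell=True` plus string formatting would want to see, and it is also why a skill that merely rephrases the vulnerable pattern can slip past such a rule, as the article observes.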

In its research, CertiK clearly states that these issues are not product bugs unique to OpenClaw but rather a widespread misconception across the entire AI agent industry: the industry generally treats “review scanning” as the core security line of defense, while overlooking that the true security foundation lies in runtime-enforced isolation and fine-grained permission control. This is similar to how the security core of Apple’s iOS ecosystem has never been the strict review of the App Store, but rather the system-enforced sandbox and fine-grained permission management, which ensure each app runs in its own “isolation pod” without arbitrarily obtaining system permissions.

In contrast, OpenClaw’s existing sandbox mechanism is optional, not mandatory, and relies heavily on manual user configuration. To keep Skills working, the vast majority of users choose to disable the sandbox, ultimately leaving the agent in a “naked” state. Once a Skill with vulnerabilities or malicious code is installed, it can directly lead to catastrophic consequences.

Regarding the issues discovered, CertiK also provides security guidance:

● For AI agent developers like OpenClaw, sandbox isolation must be set as the default mandatory configuration for third-party Skills. A fine-grained permission control model for Skills must be established, absolutely prohibiting third-party code from inheriting the host’s high privileges by default.

● For ordinary users, a Skill labeled “Safe” in the marketplace merely indicates it hasn’t been detected as risky, not that it is absolutely secure. Until a mandatory, underlying isolation mechanism is officially implemented as the default configuration, it is recommended to deploy OpenClaw on non-critical idle devices or virtual machines. Never let it near sensitive files, password credentials, or high-value crypto assets.
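The first recommendation, a default-deny permission model in which third-party code never inherits the host’s privileges, can be made concrete with a small capability broker. The following is an added example and is not OpenClaw’s sandbox or anything from CertiK’s report; the capability names, the manifest format, the `/srv/skills` directory layout and the class names are assumptions. A Skill declares what it needs, the host grants nothing until policy or the user approves the intersection of “requested” and “approved”, every host operation passes through the broker, and each denial is written to an audit trail so that a Skill probing for access beyond its manifest is visible to the operator.

```python
"""Default-deny capability gate for third-party skills.

Added example, not OpenClaw's sandbox or CertiK's code. Models the article's
recommendation: a Skill declares capabilities in a manifest, the host grants
nothing by default, every host operation is brokered, and denials are audited.
Capability names and the /srv/skills layout are assumptions.
"""
from dataclasses import dataclass, field
from pathlib import Path

# Capabilities a skill may request. Anything else cannot be requested at all.
KNOWN_CAPS = {"net:fetch", "fs:read", "fs:write", "proc:exec", "wallet:sign"}
SKILL_ROOT = Path("/srv/skills")  # assumed per-skill home directories


class PermissionDenied(Exception):
    pass


@dataclass
class SkillManifest:
    name: str
    requested: set[str]


@dataclass
class HostBroker:
    """Mediates every host operation for one skill instance."""
    manifest: SkillManifest
    granted: set[str] = field(default_factory=set)   # default: nothing at all
    audit: list[str] = field(default_factory=list)
    workdir: Path = field(init=False)

    def __post_init__(self) -> None:
        self.workdir = SKILL_ROOT / self.manifest.name

    def grant(self, approved: set[str]) -> None:
        """Grant only what is both requested by the skill and approved by policy."""
        unknown = approved - KNOWN_CAPS
        if unknown:
            raise ValueError(f"unknown capabilities: {sorted(unknown)}")
        self.granted = self.manifest.requested & approved

    def _check(self, cap: str, detail: str) -> None:
        verdict = "ALLOW" if cap in self.granted else "DENY"
        self.audit.append(f"{verdict} {self.manifest.name} {cap} {detail}")
        if verdict == "DENY":
            raise PermissionDenied(f"{self.manifest.name} lacks {cap}")

    def authorize_path(self, path: str, cap: str) -> Path:
        """Confine a relative path to the skill's own directory, then check cap."""
        root = self.workdir.resolve()
        target = (self.workdir / path).resolve()
        if target != root and root not in target.parents:
            self.audit.append(f"DENY {self.manifest.name} {cap} escape:{path}")
            raise PermissionDenied("path outside skill directory")
        self._check(cap, str(target))
        return target

    def read_text(self, path: str) -> str:
        return self.authorize_path(path, "fs:read").read_text()

    def exec_command(self, argv: list[str]) -> None:
        self._check("proc:exec", " ".join(argv))
        # A real runtime would launch the process under further constraints here.

    def attempt(self, op: str, *args) -> str:
        """Run one brokered operation; 'allowed' or 'denied' (denials do not crash the host)."""
        try:
            getattr(self, op)(*args)
            return "allowed"
        except PermissionDenied:
            return "denied"


if __name__ == "__main__":
    # Constructed manifest for a search skill that needs network and local cache reads.
    broker = HostBroker(SkillManifest("test-web-searcher", {"net:fetch", "fs:read"}))
    broker.grant({"net:fetch", "fs:read", "proc:exec"})  # proc:exec never requested
    print(broker.granted)                                  # {'net:fetch', 'fs:read'}
    print(broker.attempt("exec_command", ["open", "-a", "Calculator"]))  # denied
    print(broker.attempt("authorize_path", "../../../etc/passwd", "fs:read"))  # denied
    print(*broker.audit, sep="\n")
```

Two properties matter here. Approval can never widen the manifest (`requested & approved`), so a user clicking “allow all” still cannot hand a search skill `proc:exec` it never declared. And the audit trail records the denied `proc:exec` and path-escape attempts, which is exactly the signal a host can alert on: a Skill whose stated purpose is web search has no reason to try either.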

The AI agent track is currently on the eve of an explosion. The speed of ecosystem expansion must not outpace the pace of security development. Review scanning can only block rudimentary malicious attacks; it can never become the security boundary for high-privilege agents. Only by shifting from “pursuing perfect detection” to “assuming risk exists and focusing on damage containment,” and by establishing isolation boundaries through mandatory, underlying runtime mechanisms, can we truly secure the safety baseline for AI agents and ensure this technological revolution progresses steadily and sustainably.
