OpenClaw is the first mass-adoption AI agent — and its security failures represent what happens when autonomous agents deploy without identity governance. Every major security vendor has published advisories. Three governments have issued warnings. Behavry is the governance layer that lets you use it safely.
// the openclaw crisis · january 2026
OpenClaw connects LLMs to messaging platforms and grants them persistent access to filesystems, shell commands, browsers, email, and calendars. It went viral in January 2026 — and attackers mobilized within hours.
Identity inferred from network position (localhost trust), not cryptographic binding. Any reverse proxy deployment exposes full agent control to unauthenticated attackers.
API keys, OAuth tokens stored in plaintext in ~/.openclaw/. No rotation, no encryption, no TTL. Targeted by RedLine, Lumma, and Vidar infostealers.
In Discord and Telegram channels, OpenClaw treats instructions from any channel member as if they came from the owner. Credential theft demonstrated in 30 seconds.
Of 2,857 audited skills, 341 contained info-stealers, backdoors, or crypto drainers. No tool verification, signing, or policy enforcement. Path traversal via malicious archives (Zip Slip).
Persistent memory enables delayed-activation attacks. Inject instructions today; they execute days later when the agent encounters the right context. Single-session monitoring can't detect it.
All-or-nothing access model. Full shell access: sudo, package installs, system config — one compromised instruction escalates to root. No privilege tiers.
// vulnerability → governance control
This isn't a theoretical exercise. Each row represents a real vulnerability category with active exploits, mapped to the specific Behavry capability that addresses it.
| Vulnerability | Root Cause | Behavry Control |
|---|---|---|
| Auth bypass via reverse proxy CVE-2026-25253 · CVSS 8.8 |
Identity inferred from network position, not cryptographic binding | Agent Identity Service: JWT-based auth, never trust source IP |
| Plaintext credential storage | No credential lifecycle management; static secrets on disk | Short-lived scoped tokens per agent per resource; vault-based secret management |
| No sender identity in shared channels | No agent identity — treats all channel members as owner | Per-agent authentication; every request tied to verified identity |
| Malicious ClawHub skills (341 of 2,857) | No tool verification, signing, or policy enforcement | Policy Engine: tool allowlists, cryptographic signing, schema validation |
| Memory poisoning / time-shifted injection | Persistent memory with no behavioral monitoring | Behavioral Monitor: baseline expected patterns, flag novel sequences and delayed activation |
| No audit trail | No structured logging tied to agent identity | Audit Logger: immutable TimescaleDB trail of every action, policy decision, and anomaly score |
| Root-level execution, no privilege separation | All-or-nothing access model | RBAC with least privilege; risk-adaptive permission tiers; escalation policies |
| Infostealer malware targeting config files | Agent credentials are high-value, concentrated, unprotected targets | Credential rotation, short TTLs, agent suspension on compromise detection |
// how behavry governs openclaw
Behavry sits between your OpenClaw agents and the tools they access. Every tool call passes through the governance stack before execution. No agent code changes required.
Every OpenClaw instance receives a unique identity with short-lived JWT RS256 credentials. No shared API keys. Every request cryptographically attributed to a specific agent instance and the human who initiated it.
Replaces localhost trust with cryptographic identityBefore any policy evaluation, tool call parameters are scanned against 26 sensitive data patterns. AWS keys, API tokens, private keys, SSNs, and credentials auto-blocked at Critical severity — stopping the plaintext credential exfiltration vector cold.
26 patterns · Luhn validation · fragment reassemblyActions checked against OPA Rego policies before execution — per agent, per scenario. Tool allowlists block unauthorized ClawHub skills. Blast radius limits prevent scope creep. Requester identity requirements stop impersonation.
OPA · Rego · per-agent RBAC · tool allowlistsAfter tool calls return — before results reach agent context — Behavry scans response bodies for injected instructions. Imperative commands, authority claims, and encoded payloads are blocked at the proxy layer. This is where time-shifted prompt injection gets caught.
7 injection classes · content trust domain tiersRolling per-agent baselines detect frequency spikes, novel resource access, and behavioral drift. Cross-session memory detects trust reset attacks. Every decision — allow, block, escalate — recorded as an immutable Decision Trace: a causal chain-of-custody artifact that can only be produced from an inline position.
UEBA for agents · Decision Trace · cross-session correlation// industry response
This isn't one vendor's opinion. Every major security organization has weighed in. Gartner classified OpenClaw as "insecure by default" and recommended enterprises block it immediately.
Detection and response guidance for enterprise teams. Falcon platform integration for identifying OpenClaw across managed endpoints.
Extended the "lethal trifecta" to a fourth element: persistent memory enabling time-shifted attacks.
135,000+ exposed instances. Three CVEs with public exploit code. 33.8% correlated with Kimsuky and APT28 threat actors.
Belgium, China, and South Korea have issued government-level warnings about OpenClaw deployment risks.
Classified as "insecure by default." Recommended enterprises block immediately pending governance controls.
Discovered credential theft in shared channels takes 30 seconds. No sender identity distinction.
// frequently asked questions
Agents point their MCP configuration at the Behavry proxy instead of their target servers — a single configuration change. Behavry intercepts, authenticates, scans, evaluates policy, and forwards transparently. The agent doesn't know it's there. No code changes. No SDK required.
Behavry's AI Surface Mapping detects unenrolled AI agent activity across your network. Combined with browser extension and API proxy coverage across 20 AI surfaces, Behavry identifies shadow OpenClaw instances before they become a security event. You can't govern what you can't see — discovery comes first.
Yes. The OPA policy engine enforces tool allowlists — only approved skills can execute tool calls through the proxy. Unapproved or unsigned skills are blocked at the policy layer. This addresses the supply chain attack vector (341 malicious skills discovered in audit) without requiring any changes to OpenClaw itself.
Certiv operates at the endpoint — an agent on the workstation intercepting at runtime. ClawSec installs inside the OpenClaw agent as a skill suite. Both approaches ask the agent's execution environment to police itself.
Behavry sits at the network layer as an inline MCP proxy — architecturally independent of the agent. The Attestation Separation Principle: any entity that can act cannot independently attest to its own behavior. An agent cannot audit itself. A governance layer must be structurally independent to be trustworthy. That's why Behavry produces a Decision Trace — a causal chain-of-custody artifact — and they can't.