Securing Autonomous Agents: Lessons from a 26/100 Security Audit
These articles are AI-generated summaries. Please check the original sources for full details.
I Audited My Own OpenClaw Deployment. It Scored 26/100.
ClawGear audited an autonomous agent setup running 24/7 and discovered it scored a failing grade of 26/100. The audit identified five critical vulnerabilities, including raw API keys in non-credential files and disabled execution confirmations.
Why This Matters
While autonomous agents promise efficiency by spawning sub-agents and handling API calls independently, the technical reality often involves scattered credentials and high-risk default configurations. A score of 26/100 highlights that without strict tool gating and credential centralization, agents become open vectors for prompt injection and host-level compromise, especially when processing untrusted external content like emails or web pages.
Key Insights
- API keys stored in costs.json instead of agent-accounts.json create a leak risk during debugging or git commits (ClawGear, 2026).
- Setting exec.ask to 'off' allows prompt injection attacks to run arbitrary shell commands like 'rm -rf' without human intervention.
- Elevated tools inheriting default access levels can be triggered by unauthorized users in Telegram group chats if not explicitly restricted to DMs.
- Open group policies allow any member to task an agent, turning a private assistant into a public command interface without an allowlist.
- Third-party skills containing obfuscated code patterns like eval() or base64 blobs can exfiltrate credentials or execute hidden commands.
Working Examples
Enabling manual confirmation for commands the agent does not already know, so that an injected command cannot run unattended.
openclaw config set agents.defaults.tools.exec.ask on-miss
openclaw gateway restart
Restricting elevated tool access to trusted private channels only.
openclaw config set agents.defaults.tools.exec.channels '["webchat", "telegram:dm"]'
Configuring a group chat allowlist to prevent unauthorized users from commanding the agent.
openclaw config set channels.telegram.groupPolicy allowlist
openclaw config set channels.telegram.groupAllowFrom '["YOUR_TELEGRAM_USER_ID"]'
Practical Applications
- Use Case: Restricting tool access to webchat or telegram:dm to prevent group-based injection. Pitfall: Leaving elevated tools enabled in group contexts, leading to unauthorized host access.
- Use Case: Implementing an allowlist for Telegram group policies. Pitfall: Using groupPolicy: open, which allows any group member to issue commands to the agent.
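The checks behind the five findings above (exec.ask set to off, exec exposed to group channels, an open Telegram group policy, a key sitting in costs.json, and eval()/base64 patterns in a third-party skill) can be turned into a small static audit. The script below is an added example, not ClawGear's or OpenClaw's own code; it assumes the config is a JSON document nested to match the article's dotted keys, and all sample inputs, including the placeholder key, are constructed.

```python
import json
import re

# Constructed insecure config nested like the article's dotted keys (OpenClaw layout assumed).
INSECURE_CONFIG = json.loads("""{
 "agents": {"defaults": {"tools": {"exec": {"ask": "off",
   "channels": ["webchat", "telegram:dm", "telegram:group"]}}}},
 "channels": {"telegram": {"groupPolicy": "open", "groupAllowFrom": []}}}""")
# Constructed costs.json carrying a key that belongs in agent-accounts.json.
COSTS_JSON = {"month_usd": 42.1, "api_key": "sk-PLACEHOLDER1234567890abcdef"}
# Constructed skill source showing the eval()/base64 pattern the article flags.
SKILL_SOURCE = ('blob = "aGVsbG8gd29ybGQhIHRoaXMgaXMgbm90IGEgcmVhbCBrZXk="\n'
               'eval(__import__("base64").b64decode(blob))\n')

TRUSTED_CHANNELS = {"webchat", "telegram:dm"}  # the article's hardened list
SECRET_RE = re.compile(r"^(sk-|AKIA|ghp_)[A-Za-z0-9_-]{12,}$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def get(cfg, path, default=None):
    # Walk a dotted path such as 'agents.defaults.tools.exec.ask'.
    for part in path.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return default
        cfg = cfg[part]
    return cfg

def audit_config(cfg):
    """Return the policy findings this config would raise."""
    findings = []
    if get(cfg, "agents.defaults.tools.exec.ask") == "off":
        findings.append("exec.ask=off")
    exposed = set(get(cfg, "agents.defaults.tools.exec.channels", [])) - TRUSTED_CHANNELS
    if exposed:
        findings.append("exec.channels exposes " + ",".join(sorted(exposed)))
    if get(cfg, "channels.telegram.groupPolicy") == "open":
        findings.append("telegram.groupPolicy=open")
    return findings

def audit_non_credential_file(name, data):
    # Flag secret-looking string values in a file that should hold none.
    return [f"{name}:{k}" for k, v in data.items()
            if isinstance(v, str) and SECRET_RE.match(v)]

def audit_skill(source):
    """Flag dynamic code execution and long base64 blobs in skill source."""
    hits = []
    if re.search(r"\b(eval|exec)\s*\(", source):
        hits.append("dynamic-eval")
    if B64_RE.search(source):
        hits.append("base64-blob")
    return hits
```

Running the three audits over a live deployment's config, non-credential files and installed skills gives a quick pass/fail before the agent is left unattended; the hardened settings from the Working Examples produce no findings.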