OpenClaw (Moltbot) — agentic threat model
OpenClaw presents a high-risk profile due to its deep integration with personal communication channels (WhatsApp, Telegram, Email) and calendar systems, combined with a self-hosted deployment model that places the burden of infrastructure security and credential protection entirely on the user.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.20 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.60 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.70 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factor values above are estimates derived from the agent's described capabilities, not from testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models. Not certain from the listing: the specific LLMs or foundation models used are not detailed, though as a self-hosted tool it likely supports various local or API-based models. Risks include prompt injection bypassing local constraints and model reprogramming.
Layer 2, Data Operations. Not certain from the listing: the exact data storage, vector database, or RAG mechanisms are unspecified. However, the agent processes highly sensitive personal data (emails, chat histories, calendars), making data exfiltration via prompt injection a severe threat.
Layer 3, Agent Frameworks. The agent framework orchestrates tool calling, gateway routing, and a skills ecosystem. The primary threat is tool misuse, where malicious inputs (for example, instructions embedded in an incoming email or chat message) could trick the agent into sending unauthorized emails, deleting calendar events, or executing unintended workflows.
Layer 4, Deployment and Infrastructure. As a self-hosted application with a local dashboard, the deployment infrastructure is highly critical. Threats include host compromise if the local dashboard is exposed, privilege escalation, and insecure storage of API keys and session tokens for WhatsApp, Telegram, and Email.
Layer 5, Evaluation and Observability. Not certain from the listing: while onboarding and diagnostics commands are mentioned alongside a local dashboard, there is no evidence of robust, automated guardrails, real-time anomaly detection, or alignment monitoring.
Layer 6, Security and Compliance. Not certain from the listing: being an open-source, self-hosted personal assistant, it lacks formal compliance certifications (e.g., SOC 2, ISO). Security controls, access management, and policy enforcement are left entirely to the end user's configuration.
Layer 7, Agent Ecosystem. The agent features an "ecosystem of skills and integrations". This introduces supply-chain risk: a compromised or malicious third-party skill loaded into the assistant could lead to unauthorized data access or remote code execution on the host.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.