
OpenClaw (Moltbot) — agentic threat model

AIVSS 8.9 · High

OpenClaw presents a high-risk profile due to its deep integration with personal communication channels (WhatsApp, Telegram, Email) and calendar systems, combined with a self-hosted deployment model that places the burden of infrastructure security and credential protection entirely on the user.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.4
AARS uplift: 0.96
Factor sum: 6.0/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Agentic risk factors (each scored 0.0–1.0):

Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.20
Dynamic Tool Use: 0.80
Persistent Memory: 0.60
Contextual Awareness: 0.80
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
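The arithmetic behind the score above, as an added example rather than the listing's own calculator code: it applies the AIVSS formula stated in the rationale to the ten factor values shown for this agent and reproduces the 0.96 uplift and the 8.9 score. The rounding to one decimal is an assumption about how the displayed score is derived.

```python
# Added example: the OWASP AIVSS arithmetic from the rationale above,
# applied to the factor values listed for this agent.

# Agentic risk factors exactly as shown on the page (each in 0.0..1.0).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def _check_unit_interval(name: str, value: float) -> None:
    """Every agentic factor must lie in 0.0..1.0; reject anything else."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} = {value} is outside 0.0..1.0")


def aars(cvss_base: float, factors: dict, threat_multiplier: float) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM (formula from the page)."""
    for name, value in factors.items():
        _check_unit_interval(name, value)
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def score_breakdown(cvss_base: float, factors: dict,
                    threat_multiplier: float, mitigation_factor: float) -> dict:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, with the intermediates.

    One-decimal rounding of the final score is an assumption about how the
    displayed value (8.9) was produced; the page does not state it.
    """
    uplift = aars(cvss_base, factors, threat_multiplier)
    raw = (cvss_base + uplift) * mitigation_factor
    return {
        "factor_sum": sum(factors.values()),
        "aars": uplift,
        "aivss_raw": raw,
        "aivss": round(raw, 1),
    }


if __name__ == "__main__":
    # Inputs as listed: CVSS base 8.4, ThM x1.0, mitigation x0.95.
    print(score_breakdown(8.4, AGENTIC_FACTORS, 1.0, 0.95))
```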

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific LLMs or foundation models utilized are not detailed, though as a self-hosted tool it likely supports various local or API-based models. Risks include prompt injection bypassing local constraints and model reprogramming.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The exact data storage, vector database, or RAG mechanisms are unspecified. However, the agent processes highly sensitive personal data (emails, chat histories, calendars), making data exfiltration via prompt injection a severe threat.

L3 · Agent Frameworks (✓ mapped)

The agent framework orchestrates tool calling, gateway routing, and a skills ecosystem. The primary threat is tool misuse, where malicious inputs could trick the agent into sending unauthorized emails, deleting calendar events, or executing unintended workflows.

L4 · Deployment & Infrastructure (✓ mapped)

As a self-hosted application with a local dashboard, the deployment infrastructure is highly critical. Threats include host compromise if the local dashboard is exposed, privilege escalation, and insecure storage of API keys/session tokens for WhatsApp, Telegram, and Email.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — While onboarding and diagnostics commands are mentioned alongside a local dashboard, there is no evidence of robust, automated guardrails, real-time anomaly detection, or alignment monitoring.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — Being an open-source, self-hosted personal assistant, it lacks formal compliance certifications (e.g., SOC2, ISO). Security controls, access management, and policy enforcement are left entirely to the end-user's configuration.

L7 · Agent Ecosystem (✓ mapped)

The agent features an 'ecosystem of skills and integrations'. This introduces supply-chain risks where compromised or malicious third-party skills could be loaded into the assistant, leading to unauthorized data access or remote code execution.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.