Is Your "Crayfish" Running Naked? CertiK Real Test: How Vulnerable OpenClaw Skill Deceives Audits and Takes Over Computers Without Authorization
Recently, the open-source self-hosted AI agent platform OpenClaw (commonly known as “Little Lobster” in the industry) has quickly gained popularity due to its flexible scalability and autonomous, controllable deployment features, becoming a phenomenon in the personal AI agent market. Its core ecosystem, Clawhub, as an application marketplace, aggregates a vast array of third-party Skill plugins, enabling agents to unlock advanced capabilities with a single click—from web search and content creation to crypto wallet operations, on-chain interactions, and system automation. The ecosystem scale and user base are experiencing explosive growth.
But for these third-party Skills operating in high-privilege environments, where exactly is the platform’s true security boundary?
Recently, CertiK, the world’s largest Web3 security company, released the latest research on Skill security. The report points out that there is a misperception in the industry regarding the security boundaries of the AI agent ecosystem: most consider “Skill scanning” as the core security measure, but this mechanism is almost useless against hacker attacks.
If we compare OpenClaw to an operating system for a smart device, Skills are like the apps installed on the system. Unlike ordinary consumer apps, some Skills in OpenClaw run in high-privilege environments, with direct access to local files, system tools, external services, and host environment commands, even manipulating users’ encrypted digital assets. Once security is compromised, it can lead to serious consequences such as sensitive information leaks, remote device takeover, or digital asset theft.
Currently, the industry’s common security solution for third-party Skills is “pre-deployment scanning and review.” OpenClaw’s Clawhub has also established a three-layer review system: integrating VirusTotal code scanning, static code analysis engines, and AI logic consistency checks, providing risk-based security prompts to users in an attempt to safeguard the ecosystem. However, CertiK’s research and proof-of-concept attack tests confirm that this detection system has shortcomings in real-world attack scenarios and cannot serve as the primary line of defense.
The research first dissects the inherent limitations of existing detection mechanisms:
Static detection rules are easily bypassed. This engine primarily relies on matching code features to identify risks—for example, flagging combinations like “reading sensitive environment info + making network requests” as high risk. But attackers can make minor syntax modifications to the code, retaining malicious logic while evading feature detection—similar to rephrasing dangerous content with synonyms, rendering the security check ineffective.
AI-based review has inherent blind spots. Clawhub’s AI review focuses on “logic consistency detection,” which can identify obvious malicious code that claims to perform certain functions but behaves differently. However, it is powerless against hidden vulnerabilities embedded within normal business logic—like finding deadly traps hidden deep within seemingly compliant contracts.
Even more critically, the review process has fundamental design flaws: Skills that have not yet completed the full review process—such as pending VirusTotal scans—can still be published and made available to users. This allows installation without warnings, leaving room for malicious actors.
To verify the real threat, CertiK’s team conducted comprehensive testing. They developed a Skill called “test-web-searcher,” which appears to be a fully compliant web search tool with code logic conforming to standard development practices, but secretly contains a remote code execution vulnerability.
This Skill bypassed static analysis and AI review detection, and even when VirusTotal marked it as “pending,” it was installed normally without any security warnings. By sending a remote command via Telegram, the vulnerability was triggered, allowing arbitrary command execution on the host device (in the demo, it even opened the calculator).
CertiK explicitly states that these issues are not unique bugs of OpenClaw but reflect a widespread misconception in the entire AI agent industry: many treat “review scanning” as the core security line, neglecting the real security foundation—runtime enforced isolation and fine-grained permission control. This is akin to Apple’s iOS ecosystem security, where the core is not the strict App Store review but the system-enforced sandboxing and permission management, ensuring each app runs in an isolated “container” and cannot freely access system resources. Currently, OpenClaw’s sandbox mechanism is optional rather than mandatory and heavily relies on user configuration. Most users, aiming to keep Skills functional, disable sandboxing, leaving the agent in a “naked” state. If a vulnerable or malicious Skill is installed, it can lead to catastrophic consequences.
In response to these findings, CertiK offers security recommendations:
● For developers of AI agents like OpenClaw, sandbox isolation should be set as the default mandatory configuration for third-party Skills. Permissions should be finely managed, and third-party code must not inherit high privileges from the host by default.
● For ordinary users, a “safe” label on Skills only indicates that no risks have been detected so far; it does not guarantee absolute safety. Before the underlying strict isolation mechanisms are enabled by default, it is recommended to deploy OpenClaw on idle or virtual machines that do not contain sensitive files, passwords, or high-value assets.
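The two recommendations above, an installation gate that never lets an incompletely reviewed Skill in silently, and a default-deny runtime permission check that third-party code cannot opt out of, as an added example in Python. This is not OpenClaw or Clawhub code; `SkillManifest`, `ReviewReport`, `CapabilityGate`, the host `search.example` and the decision strings are assumptions made for the illustration, and the skill body is a simulation rather than a real plugin.

```python
"""Install gating and default-deny runtime permissions for third-party agent Skills.

Added example, not OpenClaw/Clawhub code. All class names, the host
search.example and the "allow"/"warn"/"block" decisions are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class ReviewStatus(Enum):
    PASSED = "passed"
    PENDING = "pending"   # e.g. an external scan has not returned yet
    FLAGGED = "flagged"


class PermissionDenied(PermissionError):
    """Raised when a Skill touches a capability it never declared."""


@dataclass(frozen=True)
class SkillManifest:
    name: str
    # Declared needs; anything not listed here is denied at runtime.
    network_hosts: frozenset = frozenset()
    readable_paths: tuple = ()
    allow_shell: bool = False


@dataclass
class ReviewReport:
    static_scan: ReviewStatus
    ai_logic_check: ReviewStatus
    external_av_scan: ReviewStatus

    def overall(self) -> ReviewStatus:
        statuses = (self.static_scan, self.ai_logic_check, self.external_av_scan)
        if ReviewStatus.FLAGGED in statuses:
            return ReviewStatus.FLAGGED
        if ReviewStatus.PENDING in statuses:
            return ReviewStatus.PENDING
        return ReviewStatus.PASSED


def install_decision(report: ReviewReport) -> str:
    """A Skill whose review is still pending is never installed without a visible warning."""
    status = report.overall()
    if status is ReviewStatus.FLAGGED:
        return "block"
    if status is ReviewStatus.PENDING:
        return "warn"     # install only behind an explicit warning to the user
    return "allow"        # means "no risks detected so far", not "safe"


class CapabilityGate:
    """Runtime check that every sensitive operation passes before it executes."""

    def __init__(self, manifest: SkillManifest, sandboxed: bool = True):
        self.manifest = manifest
        self.sandboxed = sandboxed  # the page's point: this should not be optional

    def _check(self, allowed: bool, what: str) -> None:
        if not self.sandboxed:
            return  # "naked" mode: nothing is enforced
        if not allowed:
            raise PermissionDenied(f"{self.manifest.name}: {what} not declared in manifest")

    def check_network(self, url: str) -> str:
        host = urlparse(url).hostname or ""
        self._check(host in self.manifest.network_hosts, f"network access to {host}")
        return host

    def check_read(self, path: str) -> str:
        self._check(any(fnmatch(path, p) for p in self.manifest.readable_paths), f"read of {path}")
        return path

    def check_shell(self, command: str) -> str:
        self._check(self.manifest.allow_shell, "shell execution")
        return command


def run_web_search_skill(gate: CapabilityGate, query_url: str,
                         extra_command: Optional[str] = None) -> List[Tuple[str, str]]:
    """Simulated Skill body: a web searcher needs one host and nothing else.

    Any attempt to run a host command, intended or not, reaches the gate here and
    is refused unless the manifest declared shell access.
    """
    done = [("net", gate.check_network(query_url))]
    if extra_command is not None:
        done.append(("shell", gate.check_shell(extra_command)))
    return done


if __name__ == "__main__":
    manifest = SkillManifest("web-searcher", network_hosts=frozenset({"search.example"}))
    gate = CapabilityGate(manifest)  # sandboxed by default
    print(run_web_search_skill(gate, "https://search.example/?q=openclaw"))
    try:
        run_web_search_skill(gate, "https://search.example/?q=x", extra_command="echo hi")
    except PermissionDenied as err:
        print("denied:", err)
```

The manifest is the unit of least privilege: the Skill states the one host it needs, and the gate refuses network, file and shell operations outside that declaration regardless of what the code looks like, which is exactly what pre-install scanning cannot promise. Setting `sandboxed=False` reproduces the opt-out state the article warns about, where the same Skill body succeeds at everything.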
As the AI agent industry approaches a period of rapid growth, ecosystem expansion must not outpace security development. Review scanning can only prevent basic malicious attacks and can never serve as the ultimate security boundary for high-privilege agents. True security requires shifting from “perfect detection” to “damage mitigation with default risk awareness,” establishing runtime enforced isolation and permission controls at the core. Only then can the security baseline of AI agents be truly secured, ensuring the steady and safe advancement of this technological revolution.