SOC Prime Bias: High

10 Feb 2026 16:26

Hunting OpenClaw: Detection and Containment Guidance for Defenders

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article profiles OpenClaw, an open-source autonomous AI assistant that runs locally on workstations and can execute tasks, access files, and reach external services. Extensions called Skills broaden capability, but malicious Skills can deliver payloads, run commands, and create persistence. The report includes detection queries for EDR platforms, outlines architectural risks, and recommends limiting exposure, hardening the gateway, and monitoring for abuse.

Investigation

Researchers reviewed the OpenClaw Windows installer, identified vulnerable dependencies, and documented a gateway listening on port 18789. They captured process command lines, file paths, and network traffic tied to the agent and suspicious Skills. Hunting queries were authored for CrowdStrike, Microsoft Defender, Palo Alto Cortex, and SentinelOne. The analysis also noted persistence via the SOUL.md file and scheduled tasks.

Mitigation

Bind the gateway to loopback, enforce authentication, and tighten filesystem permissions. Sandbox high-risk tools the agent can invoke, and only install Skills from trusted sources after review. Limit outbound egress, and run OpenClaw under a low-privilege account or inside an isolated container. Perform regular audits and add AI observability to spot tool usage.
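
One way to check the loopback-binding recommendation above on a Windows host, as an added example that is not part of the original article or of OpenClaw itself. Port 18789 is the gateway port documented in the Investigation section; the function name and output fields are hypothetical.

```powershell
# Added example: audit where the OpenClaw gateway port is listening.
# Port 18789 comes from the article; Get-OpenClawGatewayExposure and its
# output fields are hypothetical names chosen for this illustration.
function Get-OpenClawGatewayExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 18789
    )

    $loopback = @('127.0.0.1', '::1')

    # All sockets in the Listen state on the gateway port (empty if none).
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

    foreach ($l in $listeners) {
        # Resolve the owning process so the analyst sees what opened the socket.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($l.OwningProcess)" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            ProcessId    = $l.OwningProcess
            ProcessName  = $proc.Name
            CommandLine  = $proc.CommandLine
            # 0.0.0.0, :: or a NIC address means the gateway is reachable off-host.
            LoopbackOnly = $loopback -contains $l.LocalAddress
        }
    }
}

$findings = @(Get-OpenClawGatewayExposure)
if ($findings.Count -eq 0) {
    Write-Host "[*] No listener found on port 18789."
}
foreach ($f in $findings) {
    if ($f.LoopbackOnly) {
        Write-Host "[*] PID $($f.ProcessId) ($($f.ProcessName)) listens on $($f.LocalAddress):$($f.LocalPort) (loopback only)"
    } else {
        Write-Warning "PID $($f.ProcessId) ($($f.ProcessName)) exposes port $($f.LocalPort) on $($f.LocalAddress): $($f.CommandLine)"
    }
}
```

A warning line means the listener is bound to an address other than 127.0.0.1 or ::1 and should be rebound or blocked before the agent is used further.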

Response

When indicators appear, block access to the OpenClaw gateway, suspend autonomous execution, and review credentials stored on the host. Inspect SOUL.md and scheduled tasks for unauthorized changes, remove malicious Skills, and rotate exposed API keys. Collect telemetry to scope impact, hunt for additional artifacts, and remediate endpoints before re-enabling the agent.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An adversary with a foothold on a Windows endpoint downloads the OpenClaw Node.js package to C:\Tools\openclaw. They then launch the main script using the system’s Node interpreter, causing the process command line to contain the identifier openclaw.mjs. Immediately after, the OpenClaw gateway is started, binding to the default localhost port 127.0.0.1:18789. This sequence creates three distinct process‑creation events that match the detection rule.

  • Regression Test Script:

    # ------------------------------------------------------------
    # OpenClaw Agent Execution Simulation – PowerShell
    # ------------------------------------------------------------
    # Prerequisite: Node.js installed and in PATH
    # Assumes OpenClaw files are placed in C:\Tools\openclaw
    # ------------------------------------------------------------
    
    $openClawPath = "C:\Tools\openclaw"
    $nodeExe = "node.exe"
    
    # 1. Execute the main OpenClaw script (triggers T1059)
    Write-Host "[*] Launching OpenClaw main script..."
    $scriptProcess = Start-Process -FilePath $nodeExe `
        -ArgumentList "`"$openClawPath\openclaw.mjs`"" `
        -PassThru
    
    # Small wait to ensure the process is logged
    Start-Sleep -Seconds 3
    
    # 2. Start the OpenClaw gateway (matches the 127.0.0.1:18789 string)
    Write-Host "[*] Starting OpenClaw gateway..."
    $gatewayProcess = Start-Process -FilePath $nodeExe `
        -ArgumentList "`"$openClawPath\gateway.js`" --port 18789" `
        -PassThru
    
    # Wait for a short period to allow logging
    Start-Sleep -Seconds 5
    
    # ------------------------------------------------------------
    # END OF SIMULATION – processes remain running for observation
    # ------------------------------------------------------------

  • Cleanup Commands:

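    # ------------------------------------------------------------
    # Cleanup – terminate OpenClaw simulation processes
    # ------------------------------------------------------------
    # Match only node.exe processes whose command line references the
    # simulation directory, so unrelated Node.js workloads keep running.
    Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" |
        Where-Object { $_.CommandLine -like '*C:\Tools\openclaw*' } |
        ForEach-Object {
            Write-Host "[*] Stopping process ID $($_.ProcessId) (node.exe)"
            Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
        }
    
    # Optionally remove the test files (uncomment if desired)
    # Remove-Item -Recurse -Force "C:\Tools\openclaw"
    Write-Host "[*] Cleanup complete."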