PROBABLYPWNED
Tools | February 3, 2026 | 5 min read

New Tools Help Defenders Track OpenClaw AI Agent Activity

SANS ISC highlights openclaw-detect and openclaw-telemetry tools as security teams scramble to monitor the viral AI assistant amid ongoing vulnerability disclosures.

David Okonkwo

The SANS Internet Storm Center called attention to two open-source tools designed to detect and monitor OpenClaw installations, providing defenders with much-needed visibility into the viral AI agent framework as security concerns mount.

OpenClaw—formerly Clawdbot, then briefly Moltbot after Anthropic's trademark request—has exploded in popularity over the past week, reaching 145,000 GitHub stars by February 2. The Node.js-based assistant connects AI models to messaging platforms like WhatsApp, Slack, and iMessage, executing tasks autonomously. That capability has made it both powerful and dangerous.

Why Detection Matters Now

SANS researcher Johannes Ullrich highlighted the monitoring tools in a February 3 diary entry, noting OpenClaw's security track record warrants enterprise attention. The timing is relevant—just yesterday, attackers were spotted scanning for exposed Anthropic API endpoints, and OpenClaw's default configurations have proven similarly tempting targets.

Security firm Vectra AI documented over 4,500 exposed OpenClaw instances globally using Shodan, finding complete credentials accessible in many cases: API keys, OAuth secrets, conversation histories, and command execution capabilities. The attack surface extends beyond direct network exposure—OpenClaw also inherits risks from prompt injection attacks through any content it processes, whether emails, web pages, or chat messages.

This follows a pattern of AI agent security failures. Snyk researchers demonstrated how a single malicious email with embedded instructions could cause Moltbot to exfiltrate a user's last five emails to an attacker address—within five minutes of receipt. When we covered the LangChain vulnerability that exposed AI agent secrets, the underlying issue was similar: agents with broad permissions become high-value targets.

The Detection Tool

The openclaw-detect script helps identify OpenClaw installations across an environment by searching for telltale indicators:

  • State directories at ~/.openclaw
  • Docker containers running OpenClaw images
  • Configuration files with characteristic patterns
  • Running processes matching OpenClaw signatures

For organizations without endpoint detection, the tool provides hints on filesystem locations worth monitoring. It installs as a standard shell script and can integrate with existing asset inventory workflows.

The Telemetry Plugin

The more substantial capability comes from openclaw-telemetry, a plugin that captures comprehensive agent activity:

Data Captured      Details
Tool calls         Every system command, file operation, browser action
LLM requests       API calls with token counts and timing
Agent lifecycle    Session starts, completions, errors
Message traffic    Inbound/outbound communications

The plugin writes to ~/.openclaw/logs/telemetry.jsonl by default and supports forwarding to syslog for SIEM integration. It speaks RFC 5424 and CEF formats, meaning Splunk, QRadar, ArcSight, and Elastic SIEM deployments can ingest the data natively.

Two security features stand out. First, automatic redaction strips sensitive values like API keys and passwords before logging—the plugin recognizes patterns for OpenAI, GitHub, GitLab, Slack tokens, and AWS credentials. Second, a cryptographic hash chain links events together, making tamper detection possible. Each logged event includes prevHash and hash fields forming a verifiable chain.
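To make the two features concrete, here is an added example (not code from the openclaw-telemetry plugin) that redacts secrets before logging and links each record to its predecessor with a hash chain. The field names prevHash and hash come from the article; the hashing rule (SHA-256 over the previous hash plus canonical JSON of the event), the GENESIS value and the token regexes are assumptions for illustration.

```python
# Added example: redaction + hash-chained JSONL telemetry (not the plugin's code).
# Assumed: SHA-256 over prevHash + canonical JSON; token patterns are illustrative.
import hashlib
import json
import re

# Assumed secret-token shapes (constructed; the real plugin's patterns may differ).
SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9_-]{16,}"),      # OpenAI-style API keys
    re.compile(r"ghp_[A-Za-z0-9]{16,}"),        # GitHub personal access tokens
    re.compile(r"xox[abp]-[A-Za-z0-9-]{10,}"),  # Slack tokens
    re.compile(r"AKIA[0-9A-Z]{16}"),            # AWS access key IDs
]
GENESIS = "0" * 64  # assumed prevHash for the first event of a fresh log

def redact(text: str) -> str:
    """Replace recognised secret values before they reach the log."""
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text

def event_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON keeps the hash stable regardless of key order or whitespace.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_event(log: list, kind: str, detail: str) -> dict:
    """Redact, link to the previous record and append one JSONL-style event."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"type": kind, "detail": redact(detail)}
    rec = dict(body, prevHash=prev, hash=event_hash(prev, body))
    log.append(rec)
    return rec

def verify_chain(records: list) -> tuple:
    """Walk a log (JSON lines or dicts); return (ok, index of first bad record or -1).

    Detects edited records (hash mismatch) and deleted/reordered records
    (prevHash no longer matches the preceding record's hash).
    """
    prev = GENESIS
    for i, item in enumerate(records):
        rec = json.loads(item) if isinstance(item, str) else item
        body = {k: v for k, v in rec.items() if k not in ("prevHash", "hash")}
        if rec["prevHash"] != prev or rec["hash"] != event_hash(prev, body):
            return False, i
        prev = rec["hash"]
    return True, -1
```

Each line of telemetry.jsonl would be one record as produced by append_event; run verify_chain over the file's lines during incident review to find the first point at which the log was altered or truncated.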

Recent Vulnerabilities Add Urgency

The monitoring tools arrive as OpenClaw's security problems continue making headlines. The Register reported February 2 on a one-click RCE vulnerability disclosed by researcher Mav Levin. The attack exploited cross-site WebSocket hijacking—OpenClaw's server failed to validate origin headers, allowing malicious JavaScript to retrieve authentication tokens, disable sandboxing, and execute arbitrary code in milliseconds.

The OpenClaw team patched that bug quickly, but related projects haven't fared as well. Moltbook, a social platform for AI agents linked to the project, exposed its entire database with accessible API keys. Researcher Jamieson O'Reilly warned attackers could impersonate high-profile AI figures to spread disinformation or crypto scams.

These issues mirror broader concerns about prompt injection attacks in AI systems. OpenClaw's documentation now recommends deploying ACIP—Advanced Cognitive Inoculation Prompt—to limit such attacks, though the effectiveness of prompt-based defenses remains debated.

Minimum Hardening Steps

Vectra's research team outlined critical controls for any OpenClaw deployment:

  1. Bind the control UI to localhost only—never expose the interface to the public internet
  2. Use mesh VPN for remote access—Tailscale or WireGuard, not port forwarding
  3. Enable strict channel allowlists—limit which platforms can interact with the agent
  4. Run as non-root—basic principle, often ignored
  5. Encrypt secrets storage—don't store API keys in plaintext
  6. Rotate tokens aggressively—assume compromise and plan accordingly

For environments where these controls prove impractical, the guidance is blunt: don't deploy the system.

The Bigger Picture

OpenClaw's February momentum—66,000 new stars in five days—reflects genuine demand for local AI assistants that don't send data to cloud providers. But the security model hasn't kept pace with adoption. When an agent can read your email, execute shell commands, and message your contacts, misconfigurations become catastrophic.

The detection and telemetry tools from Knostic represent a reasonable first step toward visibility. They won't prevent compromise, but they'll help defenders notice when something goes wrong—assuming the logs survive an incident where attackers gain full system access.

Both tools are available on GitHub under Apache 2.0 licenses. Organizations running OpenClaw in any capacity should consider the telemetry plugin mandatory, not optional.
