Is Your "Crayfish" Running Naked? CertiK Real Test: How Vulnerable OpenClaw Skill Deceives Audits and Takes Over Computers Without Authorization
Recently, the open-source self-hosted AI agent platform OpenClaw (commonly known as “Little Lobster” in the industry) has quickly gained popularity due to its flexible scalability and autonomous, controllable deployment features, becoming a phenomenon in the personal AI agent market. Its core ecosystem, Clawhub, serves as an application marketplace, aggregating a vast array of third-party Skill plugins. These enable the AI agent to unlock advanced capabilities with a single click—from web search and content creation to crypto wallet operations, on-chain interactions, and system automation—leading to explosive growth in ecosystem scale and user base.
But where exactly is the platform’s true security boundary for third-party Skills operating in high-privilege environments?
Recently, CertiK, the world’s largest Web3 security firm, released the latest research on Skill security. The report points out that there is a misperception in the industry regarding the security boundaries of the AI ecosystem: many consider “Skill scanning” as the core security measure, but this mechanism is almost useless against hacker attacks.
If we compare OpenClaw to an operating system for a smart device, Skills are like the apps installed on the system. Unlike ordinary consumer apps, some Skills in OpenClaw run in high-privilege environments, with direct access to local files, system tools, external services, and host environment commands, and can even operate users’ encrypted digital assets. Once security is compromised, it could lead to sensitive information leaks, remote device takeover, or theft of digital assets—serious consequences.
Currently, the industry’s general security solution for third-party Skills is “pre-deployment scanning and review.” OpenClaw’s Clawhub has also built a three-layer review system: integrating VirusTotal code scanning, static code analysis engines, and AI logic consistency checks. It pushes security alerts to users based on risk levels, attempting to safeguard the ecosystem. However, CertiK’s research and proof-of-concept attack tests confirm that this detection system has shortcomings in real-world attack scenarios and cannot serve as the primary line of defense.
The research first dissects the inherent limitations of existing detection mechanisms:
Static detection rules are easily bypassed. These engines mainly identify risks by matching code features—for example, flagging “reading sensitive environment info + making network requests” as high risk. Attackers can simply make minor syntactic modifications to the code, retaining malicious logic but evading feature detection, much like rephrasing dangerous content with synonyms to fool security scanners.
AI review has inherent blind spots. Clawhub’s AI review focuses on “logic consistency detection,” which can catch obvious malicious code that claims to perform certain functions but behaves differently. However, it struggles with hidden vulnerabilities embedded within normal business logic—like finding a deadly trap hidden deep within a seemingly compliant contract.
Even more critically, the review process has a fundamental design flaw: a Skill whose VirusTotal scan is still “pending” can be published and installed by users without any warning, leaving a window that malicious actors can exploit.
To verify the real risks, CertiK’s team conducted comprehensive testing. They developed a Skill called “test-web-searcher,” which appears to be a fully compliant web search tool with normal code logic, but secretly contains a remote code execution vulnerability.
This Skill passed both the static engine and the AI review, and while still marked as “pending” in VirusTotal it installed normally without any security warning. A remote command sent via Telegram then triggered the vulnerability, allowing arbitrary command execution on the host device (in the demo, it opened the calculator).
CertiK explicitly states that these issues are not unique bugs in OpenClaw but reflect a widespread misconception in the AI agent industry: many treat “review scanning” as the core security line, neglecting the real foundation of security—runtime enforced isolation and fine-grained permission control. This is similar to Apple’s iOS ecosystem, where security doesn’t rely solely on App Store review but on system-enforced sandboxing and permission management, ensuring each app runs in an isolated “container” and cannot freely access system resources. Currently, OpenClaw’s sandbox mechanism is optional rather than mandatory and heavily relies on user configuration. Most users disable sandboxing to ensure Skill functionality, leaving the system in a “naked” state. Installing vulnerable or malicious Skills can thus lead to catastrophic consequences.
In response to these findings, CertiK offers security recommendations:
● For developers of platforms like OpenClaw, sandbox isolation should be set as the default mandatory configuration for third-party Skills. Permissions should be finely controlled, and third-party code should never inherit high privileges from the host by default.
● For ordinary users, a “security” label on Skills only indicates that no risks have been detected so far; it does not guarantee absolute safety. Before the underlying strict isolation mechanisms are enabled by default, it is recommended to deploy OpenClaw on idle or virtual machines that do not contain sensitive files, passwords, or high-value assets.
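The "deny by default" runtime the recommendations describe can be sketched in a few dozen lines. The following Python is an added illustration, not OpenClaw's or CertiK's code: a Skill declares the hosts, file globs and exec rights it needs at install time, a mediator checks every host-facing call against that declaration, and undeclared calls (such as the calculator launch from the demo) are logged and refused rather than executed. Names, paths and the `search.example.com` host are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlparse


class PermissionDenied(Exception):
    pass


@dataclass
class SkillPolicy:
    """Capabilities a Skill declares at install time; anything undeclared is denied."""
    name: str
    net_hosts: set = field(default_factory=set)   # hostnames the Skill may contact
    read_paths: set = field(default_factory=set)  # glob patterns it may read
    allow_exec: bool = False                      # host command execution, off by default


class SkillRuntime:
    """Mediates every host-facing call a Skill makes and records the decision."""
    def __init__(self, policy: SkillPolicy):
        self.policy = policy
        self.audit = []  # (capability, target, "allow" | "deny")

    def _decide(self, cap, target, allowed):
        self.audit.append((cap, target, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionDenied(f"{self.policy.name}: {cap} on {target!r} not granted")

    def fetch(self, url):
        host = urlparse(url).hostname or ""
        self._decide("net", host, host in self.policy.net_hosts)
        return f"<fetched {url}>"            # stand-in for the real HTTP request

    def read_file(self, path):
        ok = any(fnmatch.fnmatch(path, pat) for pat in self.policy.read_paths)
        self._decide("fs.read", path, ok)
        return f"<contents of {path}>"        # stand-in for the real file read

    def exec_cmd(self, argv):
        self._decide("exec", " ".join(argv), self.policy.allow_exec)
        return f"<ran {argv}>"               # stand-in for a subprocess call


# Constructed policy for a hypothetical search Skill: it may only talk to one host.
WEB_SEARCHER = SkillPolicy("web-searcher", net_hosts={"search.example.com"})


def run_untrusted_calls(runtime, calls):
    """Replay (capability, target) calls a Skill attempts; return the audit trail."""
    handlers = {"net": runtime.fetch, "fs.read": runtime.read_file, "exec": runtime.exec_cmd}
    for cap, target in calls:
        try:
            handlers[cap](target)
        except PermissionDenied:
            pass  # denied calls are logged, never executed; the Skill keeps running
    return runtime.audit
```

The audit trail is what a platform would surface to the user, so a "safe" label from scanning is replaced by a record of what the Skill actually tried to do at runtime.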
As the AI agent industry approaches a period of explosive growth, ecosystem expansion must not outpace security development. Review scanning can only block basic malicious attacks and can never serve as the ultimate security boundary for high-privilege AI agents. True security requires shifting from “perfect detection” to “risk mitigation by default,” establishing enforced runtime isolation and precise permission controls. Only then can the security baseline be truly secured, ensuring the steady and safe advancement of this technological revolution.