Cross-Layer Chained Threat
Infra → Data → Model → Framework → Ecosystem
1. Layer 4, Gateway Compromise (DI-001): Attacker exploits an exposed gateway binding to gain initial access to the control plane.
2. Layer 2, Session Store Access (DO-003): Leverages gateway access to read the session store and harvest conversation history data.
3. Layer 1, Context Poisoning (LM-002): Poisons conversation history to manipulate the model's context and override safety controls.
4. Layer 3, Sub-Agent Spawn (AF-002): Uses the manipulated model to spawn unauthorized sub-agents with escalated privileges.
5. Layer 7, Ecosystem Spread (AE-004): Sub-agents collude via sessions_send to exfiltrate data and spread across the ecosystem.
Defense-in-Depth Mitigations
L4: Gateway auth required, loopback default binding, audit detects misconfigurations
L2: Session store encrypted at rest, filesystem permissions enforced, audit checks permissions
L1: Context compaction removes old messages, input sanitization strips injection attempts
L3: Sandbox mode limits tool access, elevated commands require human-in-the-loop approval
L7: Sub-agent spawn requires explicit allowlist, inter-agent communication is monitored and logged
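An added example, not OpenClaw's own code: a small Python audit that checks the L4 and L2 mitigations above (loopback binding, gateway auth required, session store encrypted at rest with no group/other filesystem access) against a constructed config. The keys `bind`, `auth.required` and `encrypt_at_rest` are assumed for illustration, not the project's real schema.

```python
import ipaddress
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    layer: str   # mitigation layer the failed check belongs to (L4 gateway, L2 session store)
    check: str   # short identifier of the failed check
    detail: str


def _is_loopback(bind: str) -> bool:
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    if bind == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False  # hostnames and wildcards are treated as exposed


def audit_gateway(cfg: dict) -> list[Finding]:
    """L4: gateway must bind to loopback by default and must require auth."""
    findings = []
    bind = cfg.get("bind", "127.0.0.1")
    if not _is_loopback(bind):
        findings.append(Finding("L4", "gateway-exposed", f"bind={bind} is reachable beyond loopback"))
    if not cfg.get("auth", {}).get("required", False):
        findings.append(Finding("L4", "gateway-auth-disabled", "auth.required is not true"))
    return findings


def audit_session_store(cfg: dict, mode: int) -> list[Finding]:
    """L2: session store encrypted at rest; directory mode grants no group/other access."""
    findings = []
    if not cfg.get("encrypt_at_rest", False):
        findings.append(Finding("L2", "session-store-plaintext", "encrypt_at_rest is not true"))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(Finding("L2", "session-store-permissions",
                                f"mode {oct(mode & 0o777)} grants group/other access"))
    return findings


def audit(config: dict, session_store_mode: int) -> list[Finding]:
    return (audit_gateway(config.get("gateway", {}))
            + audit_session_store(config.get("session_store", {}), session_store_mode))


# Constructed sample configs (hypothetical schema): the weak one mirrors step 1 and 2 of the chain.
WEAK_CONFIG = {"gateway": {"bind": "0.0.0.0", "auth": {"required": False}},
               "session_store": {"encrypt_at_rest": False}}
HARDENED_CONFIG = {"gateway": {"bind": "127.0.0.1", "auth": {"required": True}},
                   "session_store": {"encrypt_at_rest": True}}

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG, 0o755):   # 0o755 is a constructed world-readable mode
        print(f"[{f.layer}] {f.check}: {f.detail}")
    print("hardened findings:", audit(HARDENED_CONFIG, 0o700))
```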
Security CLI Reference
Built-in commands for security auditing and management
openclaw security audit --deep
    Run a comprehensive security audit across all layers

openclaw doctor
    Check for configuration issues and common misconfigurations

openclaw channels status --probe
    Probe and verify channel connectivity and security

openclaw status --deep
    Deep gateway health check with security validation

openclaw pairing list
    List all pending pairing requests across channels

openclaw pairing approve <channel> <code>
    Approve a pending sender pairing request