How Token‑Draining Attacks and Formal Defenses Threaten OpenClaw’s Skill Ecosystem
The article analyzes recent security research on OpenClaw, exposing large‑scale malicious Skill injections, a novel token‑exhaustion attack called Clawdrain, and the SkillFortify formal framework that achieves near‑perfect detection of malicious Skills while highlighting the limitations of heuristic scanners.
OpenClaw Ecosystem Security Crisis
Recent incidents have shown that the OpenClaw agent framework faces severe supply‑chain threats: over 1,200 malicious Skills were injected into the market (ClawHavoc incident, Jan‑Feb 2026), a CVE (CVE‑2026‑25253) revealed a remote‑code‑execution flaw in the Skill runtime, and the MalTool benchmark demonstrated that 6,487 malicious tools evade traditional VirusTotal detection. Existing scanners such as Snyk agent‑scan and Cisco skill‑scanner rely on heuristic detection and cannot guarantee safety.
Clawdrain – Stealthy Token Exhaustion Attack
Core Idea: The attacker uses a Segmented Verification Protocol (SVP) to force the agent into multiple verification rounds, amplifying token consumption by 6‑9× while still returning a correct final answer.
1. Attack Model: SVP Protocol
The attacker injects a Trojanized Skill that requests the agent to generate a full integer sequence from 1 to L without abbreviations. The server side returns three signals:
PROGRESS: continue to the next round
REPAIR: the sequence is malformed, retry
TERMINAL: finish and return the correct result
Figure 1 (below) illustrates the threat model.
2. Key Finding: Production vs. Emulator
In a production OpenClaw deployment (Gemini 2.5 Pro), the token cost was dramatically higher than in a simulated environment, as shown in Table 1 (Token consumption comparison).
3. Counter‑Intuitive Finding: Failure Can Be More Expensive
When SVP v3 fails (the agent cannot complete the protocol), it still consumes about 249 k context tokens over 11 minutes—more than the successful v2 attack. The agent’s autonomous recovery cascade (calling benign Skills, searching alternative data sources, restarting services, retrying the main service) repeatedly adds token cost, proving that failed paths can be costlier than successful ones.
Call a benign Skill
Search alternative data sources
Terminate hung processes
Retry the main service
4. Tool Combination: Double‑Edged Sword
When L = 1000, the agent can generate the sequence autonomously using a script:
python3 -c 'print(",".join(map(str, range(1, 1001))))' > /tmp/cal.txt
The agent then uses the exec tool to run the script, reducing token cost from ~1,000 to ~30 tokens. This demonstrates that general‑purpose tool capabilities can both mitigate specific attacks and, when the attack fails, increase recovery costs.
Defense side: generic tool ability can block certain attacks
Risk side: the same ability is exploited during costly recovery attempts
5. Interface Dependency and Stealth
The attack’s stealth depends on the user interface:
Chat GUI (Telegram/Discord): each tool call is visible, making detection easier
TUI (Narrative mode): only high‑level phase messages are shown, hiding details
Autonomous execution (Cron/Heartbeat): completely invisible, capable of consuming millions of tokens at night
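As an added example (not code from either paper), a runtime monitor in the spirit of the layered defense the summary calls for: it reads the agent's tool-call trace rather than the chat UI, so it sees the same events under Telegram, the TUI or Cron, and flags the SVP-style verification loops, the token amplification, and the post-failure recovery cascade described above. The trace, the thresholds and the OK/ERROR signals beyond PROGRESS/REPAIR/TERMINAL are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ToolCall:
    task: str    # agent task or conversation id
    skill: str   # Skill invoked in this round
    signal: str  # PROGRESS, REPAIR, TERMINAL (from the SVP), or OK / ERROR (assumed)
    tokens: int  # context tokens consumed by this round

# Constructed trace (not from the paper): t1 is a normal single-round task; t2 is
# trapped in a segmented-verification loop, fails, and then cascades into recovery.
TRACE = [
    ToolCall("t1", "weather", "OK", 900),
    ToolCall("t2", "calendar_sync", "PROGRESS", 12000),
    ToolCall("t2", "calendar_sync", "REPAIR", 12500),
    ToolCall("t2", "calendar_sync", "PROGRESS", 13000),
    ToolCall("t2", "calendar_sync", "REPAIR", 13500),
    ToolCall("t2", "calendar_sync", "ERROR", 14000),
    ToolCall("t2", "search", "OK", 9000),   # recovery: alternative data source
    ToolCall("t2", "exec", "OK", 8000),     # recovery: restart / retry via exec
    ToolCall("t2", "calendar_sync", "PROGRESS", 15000),
]
BASELINE_TOKENS = 3000      # assumed typical spend for a single-round task
MAX_ROUNDS_PER_SKILL = 3    # assumed cap on PROGRESS/REPAIR rounds per Skill
AMPLIFICATION_LIMIT = 5.0   # alert when a task exceeds 5x the baseline

def analyze(trace, baseline=BASELINE_TOKENS, max_rounds=MAX_ROUNDS_PER_SKILL, limit=AMPLIFICATION_LIMIT):
    """Return {task: [alerts]} from a tool-call trace; independent of the UI in use."""
    tokens = defaultdict(int)
    rounds = defaultdict(int)   # (task, skill) -> non-terminal verification rounds
    cascade = defaultdict(set)  # task -> Skills invoked after a failure
    failed, alerts = set(), defaultdict(list)
    for c in trace:
        tokens[c.task] += c.tokens
        if c.signal in ("PROGRESS", "REPAIR"):
            rounds[(c.task, c.skill)] += 1
            if rounds[(c.task, c.skill)] == max_rounds + 1:  # alert once per Skill
                alerts[c.task].append(f"verification loop: {c.skill} exceeded {max_rounds} rounds")
        if c.signal == "ERROR":
            failed.add(c.task)
        elif c.task in failed:
            cascade[c.task].add(c.skill)
    for task, total in tokens.items():
        ratio = total / baseline
        if ratio > limit:
            alerts[task].append(f"amplification {ratio:.1f}x baseline")
        if len(cascade[task]) >= 2:
            alerts[task].append(f"recovery cascade across {sorted(cascade[task])}")
    return dict(alerts)
```

A production deployment would feed the same function from the agent's tool-call log and act on the alerts (pause the task, cap its budget) rather than only report them.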
SkillFortify – Formal Skill Supply‑Chain Security Framework
Core Idea: Replace heuristic rules with a mathematically provable approach based on Abstract Interpretation, Capability Sandboxing, and SAT‑based dependency analysis.
1. Six Formal Contributions
DY‑Skill Attack Model: Extends the Dolev‑Yao model to a five‑stage Skill lifecycle, proving any symbolic attacker can be simulated.
Static Analysis Framework: Uses a four‑element capability lattice ({NONE, READ, WRITE, ADMIN}) to guarantee soundness—no false negatives.
Capability Sandbox: Based on object‑capability theory, ensures no authority amplification; a child Skill’s capabilities are a subset of its parent’s.
Agent Dependency Graph (ADG): Extends package‑manager dependency graphs with capability constraints; a SAT solver processes a 1,000‑node graph in under 100 ms.
Trust Scoring Algebra: Aggregates multiple signals (source, behavior, community, history) with a monotonicity theorem guaranteeing additional positive evidence never lowers a Skill’s trust score.
SkillFortifyBench: Benchmark of 540 Skills (270 malicious, 270 benign).
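An added example (not SkillFortify's own code) of the capability lattice and the sandbox rule from contributions 2 and 3: a Skill's effective capability is the lattice join of its own declaration with those of its transitive dependencies (a sound over-approximation), and a child Skill whose effective capability exceeds its parent's is reported as authority amplification. The Skill manifests, resource names, the total ordering NONE ⊑ READ ⊑ WRITE ⊑ ADMIN and the acyclic dependency graph are assumptions.

```python
# Four-element capability lattice; assumed to be a total order here (the
# paper's lattice may be richer than this).
LEVELS = ["NONE", "READ", "WRITE", "ADMIN"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def leq(a, b):
    """a ⊑ b in the lattice."""
    return RANK[a] <= RANK[b]

def join(a, b):
    """Least upper bound of two capability levels."""
    return a if RANK[a] >= RANK[b] else b

# Constructed Skill manifests (example data, not from SkillFortifyBench): each
# Skill declares the capability it needs per resource and its child Skills.
SKILLS = {
    "calendar": {"caps": {"fs": "READ", "net": "READ"}, "deps": ["fmt"]},
    "fmt":      {"caps": {"fs": "NONE"}, "deps": []},
    "backup":   {"caps": {"fs": "WRITE"}, "deps": ["sync"]},
    "sync":     {"caps": {"fs": "ADMIN", "net": "WRITE"}, "deps": []},  # amplifies
}

def effective_caps(skill, skills=SKILLS):
    """Sound over-approximation: join own caps with all transitive deps (graph assumed acyclic)."""
    caps = dict(skills[skill]["caps"])
    for dep in skills[skill]["deps"]:
        for res, lvl in effective_caps(dep, skills).items():
            caps[res] = join(caps.get(res, "NONE"), lvl)
    return caps

def sandbox_violations(skill, skills=SKILLS):
    """Object-capability rule: a child's authority must be a subset of its parent's.
    Returns (child, resource, child_level, parent_level) for every amplification."""
    parent = skills[skill]["caps"]
    bad = []
    for dep in skills[skill]["deps"]:
        for res, lvl in effective_caps(dep, skills).items():
            if not leq(lvl, parent.get(res, "NONE")):
                bad.append((dep, res, lvl, parent.get(res, "NONE")))
        bad.extend(sandbox_violations(dep, skills))
    return bad
```

Because the check over-approximates (every dependency's capability is joined in), it cannot miss an amplification that is present in the manifests, which is the no-false-negatives property the summary attributes to the static analysis.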
2. Experimental Results: 100 % Precision, Zero False Positives
On SkillFortifyBench, the framework achieved 96.95 % F1 score with mathematically proven soundness. Table 1 (below) compares it with existing tools, and Table 4 shows detection accuracy across 540 Skills.
Table 6 reports detection rates for 13 attack types; 9 types reach 100 % detection, while A11 (name‑squatting) and A12 (dependency obfuscation) remain challenging due to reliance on external registry data.
3. System Architecture
Figure 1 (below) shows the modular architecture of SkillFortify, integrating abstract interpretation, sandbox enforcement, and SAT‑based dependency resolution.
Six Core Conclusions
The OpenClaw ecosystem suffers a serious supply‑chain poisoning risk, with >1,200 malicious Skills and no formal guarantees from existing heuristic tools.
Formal static analysis can achieve near‑perfect precision and zero false‑positives; SkillFortify attains 96.95 % F1 on a 540‑Skill benchmark.
Token‑exhaustion attacks using the SVP protocol can amplify API costs by 6‑9× while remaining stealthy.
Failed attack paths can be more expensive than successful ones due to autonomous recovery cascades that consume additional tokens.
Tool‑combination capabilities are a critical variable: they can both defend against specific attacks and increase costs when recovery is triggered.
Effective defense requires layered protection—combining capability sandboxes, dependency‑analysis locks, runtime monitoring, and interface visibility controls.
For further reading, the original papers are available at:
https://arxiv.org/abs/2603.00902
Clawdrain: Exploiting Tool-Calling Chains for Stealthy Token Exhaustion in OpenClaw Agents
https://arxiv.org/pdf/2603.00195
Formal Analysis and Supply Chain Security for Agentic AI Skills