Why OpenClaw’s AI Agent Is a Security Nightmare—and How IronClaw Tries to Fix It
OpenClaw, an open‑source AI agent platform, rapidly gained popularity but exposed critical security flaws by handling user data and keys in plaintext, prompting experts to warn of a “trinity trap”; IronClaw, rebuilt in Rust with encrypted vaults, WASM sandboxing, and PostgreSQL storage, aims to restore trust.
Background and Security Issues in OpenClaw
OpenClaw is an open‑source framework that runs a large language model (LLM) as a continuously online local daemon, exposing it to communication tools and storing all interaction data—including user credentials, API keys and tokens—in plain‑text files. This design creates a “trinity trap”: unrestricted access to private data, acceptance of untrusted external input, and outbound network capability.
Credentials are injected directly into the LLM prompt, allowing any downstream process or malicious prompt to exfiltrate them.
The public plugin marketplace permits arbitrary Skills scripts; a 2026 audit by Koi Security identified 341 malicious Skills that install data‑stealing software such as “Atomic Stealer”.
A CVSS 8.8 WebSocket hijacking vulnerability enables remote code execution on up to 135 000 exposed agent instances, resulting in the theft of roughly 1.5 million access tokens.
IronClaw Design Goals
IronClaw is a complete rewrite of the core in Rust to leverage compile‑time memory safety (eliminating buffer overflows, use‑after‑free, etc.) and to reduce the attack surface.
Encrypted Vault
All secrets (passwords, API keys, tokens) are stored encrypted with AES‑256. The vault decrypts secrets only at the network boundary; the LLM never receives raw credentials, preventing prompt‑injection leakage.
WASM Sandbox for Plugins
Third‑party Skills are executed inside a WebAssembly sandbox with no filesystem access. Execution requires explicit user permission and outbound traffic is limited to a user‑approved domain whitelist. A real‑time interceptor scans all outbound data for secret patterns and blocks violations.
Secure Memory Engine
Configuration, Skills definitions and conversation history are no longer persisted as plain files. IronClaw uses an isolated PostgreSQL instance with the pgvector extension for efficient similarity search. The database runs in a separate container, virtualising access and preventing direct OS‑level file traversal.
Deployment Options and Confidential Computing
IronClaw can be deployed locally or as a one‑click image in a Trusted Execution Environment (TEE). In a TEE the entire memory space is encrypted from boot to shutdown, ensuring that cloud‑provider operators cannot inspect runtime data.
Implementation Details
Language: Rust (cargo build --release) produces a single static binary.
Secret Management: AES‑256‑GCM keys derived from a user‑provided master passphrase; secrets are stored in the vault table encrypted_secrets.
Plugin Execution: WASM modules are loaded via wasmtime runtime with a custom host function set that enforces the permission model.
Network Interceptor: Implements a proxy that inspects HTTP/WebSocket payloads using regular expressions for patterns such as AKIA[0-9A-Z]{16} (AWS keys) or ghp_[A-Za-z0-9]{36} (GitHub tokens).
Database Schema: agents_config, skills, conversation_history, and vector_embeddings tables; vector search performed with
SELECT * FROM vector_embeddings ORDER BY embedding <-> query_vector LIMIT 5.
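The outbound secret-pattern scan described under Network Interceptor, as an added example in Rust that is not IronClaw's own code: it hand-rolls the two matchers the article names (so it needs only the standard library, no regex crate), flags a hit only when the token ends at a byte outside its character class, and hands back a redacted copy for the audit log rather than the raw payload. The names `scan_payload` and `intercept` are this example's own, not IronClaw's API.

```rust
// Added example, not IronClaw's code: outbound secret-pattern interceptor, std only (no regex crate).

/// A secret shape: a fixed prefix followed by exactly `len` bytes from `class`.
struct SecretPattern {
    name: &'static str,
    prefix: &'static [u8],
    len: usize,
    class: fn(u8) -> bool,
}
fn upper_alnum(b: u8) -> bool { b.is_ascii_uppercase() || b.is_ascii_digit() }
fn alnum(b: u8) -> bool { b.is_ascii_alphanumeric() }

/// The two patterns the article names: AKIA[0-9A-Z]{16} and ghp_[A-Za-z0-9]{36}.
const PATTERNS: &[SecretPattern] = &[
    SecretPattern { name: "aws-access-key-id", prefix: b"AKIA", len: 16, class: upper_alnum },
    SecretPattern { name: "github-pat", prefix: b"ghp_", len: 36, class: alnum },
];

/// True if `p` matches at offset `i`. The token must end at a byte outside its class,
/// so a longer identifier that merely starts with "AKIA" is not flagged (false-positive guard).
fn matches_at(p: &SecretPattern, payload: &[u8], i: usize) -> bool {
    let total = p.prefix.len() + p.len;
    let w = match payload.get(i..i + total) { Some(w) => w, None => return false };
    let ends = payload.get(i + total).map_or(true, |&b| !(p.class)(b));
    w.starts_with(p.prefix) && w[p.prefix.len()..].iter().all(|&b| (p.class)(b)) && ends
}

/// Return (pattern name, offset, length) for every secret in `payload`, in payload order.
pub fn scan_payload(payload: &[u8]) -> Vec<(&'static str, usize, usize)> {
    let (mut hits, mut i) = (Vec::new(), 0);
    while i < payload.len() {
        let found = PATTERNS.iter().find(|p| matches_at(p, payload, i));
        match found {
            Some(p) => { hits.push((p.name, i, p.prefix.len() + p.len)); i += p.prefix.len() + p.len }
            None => i += 1,
        }
    }
    hits
}

/// Interceptor verdict: Ok(()) lets the payload leave the sandbox; Err carries a
/// redacted copy that is safe to write to the audit log instead of the raw payload.
pub fn intercept(payload: &[u8]) -> Result<(), String> {
    let hits = scan_payload(payload);
    if hits.is_empty() { return Ok(()); }
    let (mut out, mut pos) = (Vec::new(), 0);
    for (name, off, len) in hits {
        out.extend_from_slice(&payload[pos..off]);
        out.extend_from_slice(format!("[REDACTED:{}]", name).as_bytes());
        pos = off + len;
    }
    out.extend_from_slice(&payload[pos..]);
    Err(String::from_utf8_lossy(&out).into_owned())
}
```

The sample AWS key below is the well-known documentation placeholder and the GitHub token is constructed; neither is a live credential.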
References
https://github.com/nearai/ironclaw
https://www.ironclaw.com/
https://market.near.ai/
https://www.reddit.com/r/MachineLearning/comments/1rlnwsk/d_ama_secure_version_of_openclaw/