OpenClaw — OWASP ASI Threat Data Flow

Purpose-built DFD tracing message lifecycle from external input through tool execution, with trust boundaries and OWASP Agentic Top 10 (2026) categories mapped to their attack zones.

v1.0 — February 2026
Phase I Threat Model
MAESTRO + OWASP ASI
Diagram contents (data-flow diagram, grouped by zone):

External / Untrusted (T0)
External Users: WhatsApp · Telegram · Discord · Signal · Slack · iMessage …
Cron Scheduler: cron/jobs.json · heartbeat · autonomous
Control Plane: CLI · macOS App · Control UI · Dashboard
Peripheral Nodes: macOS · iOS · Android · Headless
LLM Providers: Anthropic · OpenAI · Google · OpenRouter · Local (Ollama) (responses may contain injected instructions)

Channel Adapters (T1)
Normalize → internal format · No content sanitization · No instruction/data separation
WhatsApp (Baileys) · Telegram (grammY) · Discord · Slack · Signal · iMessage · Google Chat · WebChat · TUI · Plugin Adapter

Gateway (T2)
WebSocket Server :18789 · JSON protocol
Agent Router: bindings · routing
Protocol Router: req/res · events
Auth & Pairing: token · password · pair
Session Store: sessions.json

Agent Runtime (T3)
Context Assembly: 5 input streams converge here and are assembled into the LLM prompt: ① System Prompt ② Memory ③ History ④ Skills/Plugins ⑤ User Message
Memory Search: BM25 + vector · SQLite (extension zone, T5)
Skills · Plugins · Hooks: ClawHub · Lobster · lifecycle (extension zone, T5)
Auth Profiles: auth-profiles.json · plaintext
AgentSession: createAgentSession()
Model Registry: resolve · failover chain
Multi-Agent Delegation: Agent → Sub-Agent routing · no formal trust model
SessionManager: JSONL transcripts · compaction · tree

Tool Execution Surface (T4+)
Agent process permissions · No sandbox · No command allowlist · Direct host OS access
Tools: exec (shell) · read · write/edit · browser · message (cross-channel) · web_search · image
Canvas Host :18793: A2UI v0.8 · WKWebView · HTTP from Gateway

Persistence Layer (T6)
openclaw.json · sessions.json · *.jsonl · workspace/ · auth-profiles.json · memory/*.sqlite · cron/jobs.json
File-based · no encryption at rest · ~/.openclaw/

Edge labels: WS (adapters and control plane → Gateway) · Scheduled (Cron Scheduler → Gateway) · HTTPS API (Agent Runtime ↔ LLM Providers) · Tool calls (Agent Runtime → Tool Execution Surface) · Exfil path
Overlays: trust boundaries TB-1 through TB-6 · ASI01 to ASI10 markers placed at their attack zones · Chain α: Full RCE

Component Zones & Trust Boundaries

External / Untrusted (T0)
Channel Adapters (T1)
Gateway Core (T2)
Gateway Services (T2)
Agent Runtime (T3)
Extensions — Memory / Skills / Plugins (T5)
Tool Surface / Peripherals (T4+)
Persistence Layer (T6)
── ──  Critical trust boundary (TB-1/3/5)
── ──  High trust boundary (TB-2/4/6)
Chain α highlight (Critical RCE path)
Exfiltration / lateral path

OWASP ASI Top 10 — Mapped to Attack Zones

ASI01 Agent Goal Hijack — User message → Context Assembly
ASI02 Tool Misuse — Agent → Tool Surface boundary (TB-5)
ASI03 Identity & Privilege — Auth Profiles + Multi-Agent delegation
ASI04 Supply Chain — Skills/Plugins/ClawHub injection (T5)
ASI05 Unexpected Code Exec — exec tool (shell, no sandbox)
ASI06 Memory Poisoning — Memory Search → Context Assembly
ASI07 Insecure Inter-Agent — Multi-Agent delegation chain
ASI08 Cascading Failures — Gateway SPOF (WS Server)
ASI09 Human-Agent Trust — message tool cross-channel sends
ASI10 Rogue Agents — Cron scheduler (autonomous, no HITL)