OpenClaw Incident Report

February 2026 — Visual Movement — Status: Secure / Baseline Restored

1. Executive Summary

This report documents the deployment, failure, and subsequent removal of "OpenClaw," a local AI agent framework utilising the Model Context Protocol (MCP). The software entered a non-responsive "zombie" state due to a conflict with local network security layers (Cisco Secure Endpoint), resulting in recursive file locks.

A pre-deployment vulnerability scan using the Cisco AI Defense MCP-Scanner combined with a manual audit revealed a tiered risk profile ranging from Critical (High) Remote Code Execution vulnerabilities to Low information disclosure risks. The incident necessitated immediate process termination, forced directory expulsion, and the revocation of high-value financial API keys.

---

2. Vulnerability Stratification & Isolation

The following risks were identified through a combination of the Cisco MCP-Scanner and manual forensic review of the agent's configuration and file structure.

2.1 HIGH RISK (Critical Failure Points)

A. Remote Code Execution (RCE) via Unsandboxed Tools

• Discovery Method: Cisco MCP-Scanner flagged the execute_command tool in the agent's manifest.
• Isolation: The tool configuration allowed the agent to execute arbitrary terminal commands (cmd, powershell) without user confirmation loops ("Human-in-the-loop" was disabled or bypassable).
• Risk: An attacker (or hallucinating LLM) could execute malicious scripts, install malware, or exfiltrate data.
• Remediation: Immediate uninstallation of the agent; future agents must use Dockerised sandboxes for execution.

B. Plain-Text Secrets in .env (The "Burned Key" Doctrine)

• Discovery Method: Manual audit of the project directory.
• Isolation: The agent had read permissions (fs.read) to the root project folder containing a .env file.
• Data at Risk: Live cryptocurrency exchange API keys (with full trading and withdrawal privileges) and LLM provider credentials.
• Risk: A simple cat .env command by the agent would expose full trading and withdrawal privileges to the network.
• Remediation:
  1. The .env file was permanently purged.
  2. All exposed API keys were permanently revoked and regenerated at source.
  3. Policy shift to OS-level secret management and IP whitelisting.

2.2 MEDIUM RISK (System Stability & Network)

A. Unprotected Network Listeners

• Discovery Method: Cisco MCP-Scanner / netstat command.
• Isolation: The agent opened listeners on ports 3000 and 8080 on 0.0.0.0 (all interfaces) rather than 127.0.0.1 (localhost).
• Risk: Exposure of the agent's API to the local network (LAN), allowing other devices on the same Wi-Fi to potentially inject prompts or commands.
• Remediation: Firewall rules updated to block ingress on these ports; agent removed.

B. "Zombie" Process & File Locking

• Discovery Method: Windows Resource Monitor (resmon).
• Isolation: A detached claude.exe process and child node.exe instance retained a handle on the .openclaw directory, preventing modification or deletion.
• Risk: Denial of Service (DoS) for the host application and inability to patch/update the agent.
• Remediation: Forced termination (taskkill) and kernel-level directory deletion.

2.3 LOW RISK (Information Disclosure)

A. Path Disclosure in Logs

• Discovery Method: Manual review of stdout / stderr logs.
• Isolation: Error logs printed absolute file paths including usernames.
• Risk: Useful for reconnaissance by an attacker mapping the file system structure.
• Remediation: Logs wiped; log rotation policy recommended for future tools.

B. Residual Configuration Artifacts

• Discovery Method: Registry scan.
• Isolation: Orphaned registry keys for "OpenClaw" found in HKCU\Software.
• Risk: Minimal performance impact; potential for future re-installation conflicts.
• Remediation: Registry cleaned via PowerShell script.

---

3. Infected File Analysis (Scan Findings)

The Cisco MCP-Scanner identified specific files within the OpenClaw directory that violated security policies.

3.1 Critical Finding 1: Unrestricted Execution Script

• File Identified: .openclaw/skills/terminal/exec.js (Node.js wrapper)
• Vulnerability: CWE-78 (OS Command Injection)
• Analysis: This script accepted raw string input from the LLM and passed it directly to child_process.exec() without sanitisation. It lacked a "Human-in-the-Loop" confirmation gate.
• Risk: This was the primary vector for RCE. It allowed the agent to run any command if hallucinated or adversarially prompted.
• Remediation: File deleted. Future implementations must use an allowlist of permitted commands only.

3.2 Critical Finding 2: Plain-Text API Handler

• File Identified: .openclaw/config/secrets.json (and the associated .env in project root)
• Vulnerability: CWE-312 (Cleartext Storage of Sensitive Information)
• Analysis: The scanner flagged this file because it stored LLM provider and exchange API keys in readable JSON/text format rather than using the OS keyring.
• Risk: Immediate credential theft if the machine is compromised or if the agent reads its own configuration file.
• Remediation: File permanently shredded (DoD 5220.22-M standard).

3.3 Moderate Finding 1: Permissive CORS Configuration

• File Identified: .openclaw/server/index.js
• Vulnerability: CWE-942 (Permissive Cross-Domain Policy)
• Analysis: The server was configured with Access-Control-Allow-Origin: *.
• Risk: This allowed any website visited in the browser to potentially send commands to the local agent server running on localhost:3000.
• Remediation: Server code deleted. Configuration must be restricted to specific origins.

3.4 Moderate Finding 2: Recursive File Watcher

• File Identified: .openclaw/watcher/monitor.py
• Vulnerability: Resource Exhaustion (Denial of Service)
• Analysis: The script set up a file watcher on the entire user directory without exclusion filters.
• Risk: This caused high CPU usage and contributed to the file locking issues by attempting to scan the .openclaw directory while it was being written to.
• Remediation: Process terminated; script deleted.

---

4. Vulnerability Scanning (Cisco MCP-Scanner Implementation)

4.1 Installation Protocol

The Cisco AI Defense MCP-Scanner was deployed to audit the local environment.

Prerequisites: Python 3.10+ environment, git version control, network egress to GitHub.

Deployment Steps:

1. Clone Repository:

git clone https://github.com/cisco-ai-defense/mcp-scanner.git
cd mcp-scanner

2. Environment Setup & Dependency Installation:

python -m venv venv
source venv/bin/activate  # or .\venv\Scripts\activate on Windows
pip install -r requirements.txt

3. Execution of Scan:

python main.py --config "<path-to-config>/claude_desktop_config.json"

4.2 Scan Findings Output

• Critical Issues (2): Tool execution policy violations (See Section 3.1, 3.2).
• Moderate Issues (2): Network port exposure and resource exhaustion (See Section 3.3, 3.4).
• Conclusion: Software deemed unsafe for production use on high-value asset machines.

---

5. System Deadlock & Diagnosis

5.1 Symptoms

• Host Application Failure: Claude Desktop hung on launch.
• File System Lock: EBUSY / Access Denied on .openclaw directory.
• Process Persistence: Standard close commands failed.

5.2 Root Cause Analysis (Isolation of Variables)

• Hypothesis: A hidden background process retained a file handle.
• Diagnostic Method:
  1. Opened Resource Monitor (resmon.exe).
  2. Navigated to CPU Tab → Associated Handles.
  3. Queried search term: .openclaw.
• Forensic Finding: A detached claude.exe process and a child node.exe process were identified as the lock owners.

---

6. Remediation & Removal

Standard shell commands failed. Kernel-level bypasses were required.

6.1 Process Termination

Stop-Process -Id <PID> -Force
# Alternative: taskkill /F /PID <PID>

6.2 Extended Path Deletion

To bypass Windows API limitations regarding hidden system folders, the Extended Length Path prefix (\\?\) was utilised.

cmd /c "rd /s /q \\?\<path-to-user-profile>\.openclaw"

• rd: Remove Directory
• /s: Recursive
• /q: Quiet (no confirmation prompts)
• \\?\: Disables string parsing, passing the path directly to the file system driver

---

7. Security Mitigation (The "Burned Key" Doctrine)

7.1 The Plain-Text Vulnerability

Because the agent had both unsandboxed command execution and filesystem read access to plaintext credentials, the environment was treated as fully compromised.

7.2 Remediation Actions

1. Local Sanitation: The .env file was permanently deleted.
2. Key Revocation:
   • All cryptocurrency exchange API keys revoked immediately at source.
   • All LLM provider API keys rotated.
3. New Policy: Future keys must be IP-whitelisted and stored in OS-level secret managers or dedicated vault solutions (e.g., 1Password CLI, HashiCorp Vault).

---

8. Persistence Auditing & Final Verification

8.1 Audit Vectors

1. Windows Services: Scanned for services matching *openclaw*.
2. Startup Registry: Audited HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
3. Task Scheduler: Checked for tasks created in the last 24 hours.
4. Network Listeners: Verified ports 3000, 5000, and 8080 were closed.

8.2 Verification Script

The following PowerShell block was executed post-reboot to confirm a clean baseline:

Write-Host "--- SYSTEM INTEGRITY CHECK ---"
Get-Service | Where-Object { $_.Name -like "*openclaw*" }
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-NetTCPConnection -State Listen |
  Where-Object { $_.LocalPort -in 3000, 8080, 5000 }
try {
  Get-Command openclaw -ErrorAction Stop
} catch {
  Write-Host "CONFIRMED: Binary Removed" -ForegroundColor Green
}

---

9. Conclusion

The incident was resolved by strictly adhering to the Isolation of Variables principle. We isolated the high-risk vulnerabilities (RCE vector, exposed credentials), removed the medium-risk deadlock using kernel-level pathing, and neutralised the low-risk artifacts (registry entries, log files).

The system baseline was restored and verified clean.

Design Rules for Future Agent Deployments

Based on this incident, any future AI agent deployment must satisfy the following:

1. No unsandboxed shell access. All command execution must run inside a Dockerised container with an explicit allowlist.
2. No plaintext credential storage. All secrets managed through a vault solution (1Password CLI, OS Keyring, or equivalent) with runtime injection only.
3. No open network listeners. Agents must bind to 127.0.0.1 only, or operate without a server entirely (cron-triggered execution).
4. Mandatory human-in-the-loop. All externally-visible actions (social media posts, deployments, financial transactions) require explicit approval before execution.
5. Audit logging. Every action the agent takes must be logged to an append-only file for post-incident review.

---

This report was produced by Visual Movement using the Isolation of Variables methodology. For enquiries, contact lee@visualmovement.ca