openclaw/docs/security/threat-model.md

6.3 KiB

title summary permalink
Threat Model Security threat analysis for Moltbot's attack surfaces and mitigations. /security/threat-model/

Threat Model

This document describes Moltbot's security threat model, attack surfaces, and implemented mitigations.

System Overview

Moltbot is a personal AI assistant that:

  • Connects to messaging platforms (WhatsApp, Telegram, Discord, Slack, Signal, iMessage)
  • Executes shell commands on the host machine
  • Can control browsers via automation tools
  • Stores configuration, credentials, and session data locally

Threat Actors

External Attackers

  • Network-based: Attackers who can reach the gateway over the network
  • Message-based: Malicious users who can send messages through connected channels
  • Supply chain: Compromised dependencies or plugins

Malicious Message Senders

  • Authorized users who attempt to abuse the system
  • Attackers who gain access to an authorized user's account
  • Prompt injection attempts through message content

Local Attackers

  • Users with local access to the machine
  • Malware running on the same machine

Attack Surfaces

1. Messaging Channels

Risk: Unauthorized command execution via messaging platforms.

Attack vectors:

  • Sending messages to the bot without authorization
  • Impersonating authorized users
  • Prompt injection attacks embedded in messages
  • Exploiting channel-specific authentication weaknesses

Mitigations:

  • Pairing codes with 80-bit entropy (16 chars, 32-char alphabet)
  • Per-channel allowlists for authorized senders
  • Rate limiting on pairing attempts (10/min)
  • HMAC-signed pairing stores to detect tampering
  • Prompt injection detection with tiered severity (critical/high/medium/low)
  • Prompt boundary markers ([USER_INPUT_START]/[USER_INPUT_END])

2. Shell Command Execution

Risk: Arbitrary code execution, system compromise, data exfiltration.

Attack vectors:

  • Direct malicious commands from authorized users
  • Prompt injection leading to command execution
  • Shell metacharacter injection
  • Path traversal in command arguments

Mitigations:

  • Command execution blocklist (critical/high/medium severity)
  • Critical patterns always blocked: rm -rf /, dd if=/dev/zero of=/dev/sda, mkfs, fork bombs
  • High severity blocked by default: sudo, passwd, iptables, user management
  • Allowlist-based execution for untrusted contexts
  • Shell command parsing and analysis before execution
  • Safe bins list for common utilities with restricted arguments
  • One-time-use nonces for exec approval tokens (replay protection)

3. Gateway API

Risk: Unauthorized access to bot functionality, denial of service.

Attack vectors:

  • Unauthenticated access to exposed gateway
  • Brute-force attacks on authentication
  • Rate-based denial of service
  • Session hijacking

Mitigations:

  • Security warning at startup for non-loopback binding without auth
  • Token or password authentication for remote access
  • Rate limiting with token bucket algorithm:
    • Unauthenticated: 60 requests/min
    • Channel messages: 200/min per channel
    • Burst support (2x multiplier)
  • Exponential backoff after authentication failures (1s base, 60s max)
  • Per-client tracking (separate buckets per IP/session)

4. Local File Storage

Risk: Credential theft, session hijacking, configuration tampering.

Attack vectors:

  • Reading unencrypted credentials from disk
  • Modifying configuration files
  • Tampering with pairing stores
  • Session file manipulation

Mitigations:

  • Secrets stored in system keychain (macOS Keychain, Linux Secret Service)
  • Fallback to AES-256-GCM encrypted files with PBKDF2 key derivation
  • Machine-derived encryption keys for file fallback
  • HMAC signatures on pairing stores
  • File permissions set to 0o600 (owner read/write only)

5. Browser Automation

Risk: Session theft, credential capture, unintended actions.

Attack vectors:

  • Accessing sensitive pages without consent
  • Capturing authentication cookies
  • Executing JavaScript with elevated privileges
  • Taking screenshots of sensitive content

Mitigations:

  • Browser actions require explicit user session
  • No automatic credential capture
  • User-initiated browser automation only

6. Plugin/Extension System

Risk: Malicious or vulnerable plugins executing arbitrary code.

Attack vectors:

  • Malicious plugins with broad permissions
  • Vulnerable plugins with security flaws
  • Dependency confusion attacks

Mitigations:

  • Plugins run in the same trust context as the main process
  • Plugin installation requires explicit user action
  • Plugins installed from npm with standard security practices

Residual Risks

Accepted Risks

  1. Local administrator access: System assumes local admin is trusted
  2. Authorized user abuse: Rate limits but cannot prevent all abuse
  3. LLM prompt injection: Detection is heuristic-based, not foolproof
  4. Supply chain: Depends on npm ecosystem security

Known Limitations

  1. No sandboxing: Commands execute in the main process context
  2. Single-user model: Not designed for multi-tenant use
  3. Trust on first use: Initial setup requires manual verification

Security Properties

Confidentiality

  • Credentials protected by system keychain or encryption
  • Message content not logged by default
  • Session data isolated per agent

Integrity

  • Pairing stores signed with HMAC
  • Configuration files protected by file permissions
  • One-time nonces prevent replay attacks

Availability

  • Rate limiting prevents resource exhaustion
  • Exponential backoff limits brute-force impact
  • Graceful degradation on provider failures

Security Controls Summary

Control Implementation Status
Prompt injection detection src/gateway/chat-sanitize.ts Active
Command blocklist src/infra/exec-blocklist.ts Active
Secrets encryption src/infra/secrets-manager.ts Active
Gateway rate limiting src/gateway/rate-limit.ts Active
Pairing hardening src/pairing/pairing-store.ts Active
Approval nonces src/infra/exec-approvals.ts Active

Incident Response

If you discover a security vulnerability:

  1. Do not disclose publicly until patched
  2. Report via GitHub security advisories
  3. Provide reproduction steps and impact assessment

Version History

  • 2026-01-27: Initial threat model for Phase 1 security hardening