
Add credential, supply chain, and TOCTOU threat entries from security audit#7

Open
abdelsfane wants to merge 1 commit into openclaw:main from opena2a-org:security/threat-model-credential-supply-chain

Conversation

@abdelsfane

Summary

Adds 8 new threat entries to the threat model based on a code-level security audit of the OpenClaw codebase. 6 of the 8 findings have already been fixed via merged PRs.

New Threats

| ID | Name | Risk | Status |
|---|---|---|---|
| T-ACCESS-007 | Gateway config leaking credentials via WebSocket | Critical | FIXED (PR #9858) |
| T-ACCESS-008 | Timing side-channel in hook token auth | Medium | FIXED (PR #10527) |
| T-ACCESS-009 | World-readable WhatsApp session credentials | Medium | FIXED (PR #10529) |
| T-ACCESS-010 | SSRF via OpenResponses API (no fetchWithSsrfGuard) | High | Unfixed |
| T-EXEC-007 | A2UI path traversal via TOCTOU | Medium | FIXED (PR #10525) |
| T-EXEC-008 | npm lifecycle script execution during plugin install | Critical | FIXED (PR #10528) |
| T-EXEC-009 | No static analysis for skill code content | High | FIXED (PR #9806) |
| T-IMPACT-006 | No rate limiting anywhere in gateway | High | Unfixed |

New Attack Chains

  • CVE-2026-25253 to Full Credential Theft — WebSocket hijack -> config.get -> all credentials in plaintext (mitigated by PR #9858)
  • ClawHavoc Lifecycle Script Attack — Malicious ClawHub skill with npm lifecycle scripts -> Atomic Stealer (mitigated by PR #10528)
  • SSRF to Cloud Metadata Theft — Crafted input_image URL via OpenResponses -> cloud metadata (169.254.169.254) -> exfiltrate (unmitigated)

Also Includes

  • Risk matrix entries for all 8 new threats with priority levels
  • recently_fixed section in recommendations tracking the 6 merged security PRs
  • Updated ATLAS technique mappings (AML.T0040, AML.T0010.001, AML.T0043, AML.T0031)
  • New key_security_files entries for audited paths (openresponses-http.ts, a2ui.ts, install.ts, auth-store.ts)
  • Updated R-004 recommendation to reference T-IMPACT-006 alongside T-IMPACT-002
  • New R-011 recommendation for applying fetchWithSsrfGuard to OpenResponses

Context

These findings come from the same security research that produced PRs #9806, #9858, #10525, #10527, #10528, and #10529 (all merged to main). Two of those fixes were adopted by maintainers into shared utility modules (safeEqualSecret and installPackageDir).

The two remaining unfixed gaps (SSRF in OpenResponses, gateway-wide rate limiting) are documented here so the community is aware and can prioritize.

References
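The PR's remaining unfixed gap is T-ACCESS-010, and R-011 asks for `fetchWithSsrfGuard` to be applied to OpenResponses. As an added illustration of what such a guard has to do before a user-supplied `input_image` URL is fetched, the TypeScript below is example code written for this page, not OpenClaw's `fetchWithSsrfGuard` or any other project code. The function names (`ssrfGuardCheck`, `isBlockedAddress`), the `Resolver` type and the DNS table are assumptions; a real implementation would resolve with `dns.promises.lookup(host, { all: true })` and then connect to the pinned address rather than letting the HTTP client resolve again.

```typescript
// Added example, not OpenClaw's fetchWithSsrfGuard: a pre-fetch destination
// check for user-supplied URLs (e.g. an input_image URL). The names
// ssrfGuardCheck, isBlockedAddress, Resolver and the DNS table are assumptions.
import { isIP } from "node:net";

// A resolver maps a hostname to the addresses a fetch would connect to.
// Real code would use dns.promises.lookup(host, { all: true }); a synchronous
// table keeps this example offline and deterministic.
type Resolver = (hostname: string) => string[];

interface GuardResult {
  ok: boolean;
  reason?: string;
  pinnedAddress?: string; // the address the caller must connect to (anti-rebinding)
}

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Ranges a gateway should never be tricked into fetching from: RFC 1918,
// loopback, link-local (cloud metadata lives at 169.254.169.254), CGNAT,
// multicast and reserved space.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function inCidr(ip: string, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
  if (family === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === "::1" || v6 === "::") return true;               // loopback, unspecified
    if (/^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true;  // link-local, unique-local
    // IPv4-mapped addresses in dotted form (as a resolver may return them) ...
    const mappedDotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mappedDotted) return isBlockedAddress(mappedDotted[1]);
    // ... and in hex-group form (as the WHATWG URL serializer emits them).
    const mappedHex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (mappedHex) {
      const hi = parseInt(mappedHex[1], 16);
      const lo = parseInt(mappedHex[2], 16);
      return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return false;
  }
  return true; // not an address literal at all: refuse rather than guess
}

function ssrfGuardCheck(rawUrl: string, resolve: Resolver): GuardResult {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };

  // WHATWG parsing already canonicalises decimal/hex/octal IPv4 forms to dotted
  // quads; IPv6 literals come back bracketed, so strip the brackets here.
  let host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };

  const addresses = isIP(host) ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "hostname does not resolve" };
  // Every answer must be safe: a mixed answer set is a classic rebinding trick.
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  // Hand back one vetted address so the fetch connects to what was checked,
  // not to whatever a second DNS lookup returns.
  return { ok: true, pinnedAddress: addresses[0] };
}

// Constructed DNS table for the example; these names and answers are made up.
const FAKE_DNS: Record<string, string[]> = {
  "images.example.com": ["93.184.216.34"],
  "rebind.example.com": ["93.184.216.34", "169.254.169.254"],
  "intranet.example.com": ["10.0.0.5"],
};
const fakeResolver: Resolver = (host) => FAKE_DNS[host] ?? [];
```

Two design points matter more than the block list. First, the check runs on the resolved addresses, not the hostname, and rejects the whole URL if any answer is blocked. Second, the caller must connect to `pinnedAddress`; a guard that validates and then lets the HTTP client resolve the name again leaves a check-then-use window, which is the same class of gap as the TOCTOU entry T-EXEC-007.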

… audit

Add 8 new threat entries based on code-level security analysis:

- T-ACCESS-007: Gateway config leaking credentials via WebSocket (FIXED, PR #9858)
- T-ACCESS-008: Timing side-channel in hook token auth (FIXED, PR #10527)
- T-ACCESS-009: World-readable WhatsApp session credentials (FIXED, PR #10529)
- T-ACCESS-010: SSRF via OpenResponses API (unfixed)
- T-EXEC-007: A2UI path traversal via TOCTOU (FIXED, PR #10525)
- T-EXEC-008: npm lifecycle script execution during plugin install (FIXED, PR #10528)
- T-EXEC-009: No static analysis for skill code content (FIXED, PR #9806)
- T-IMPACT-006: No rate limiting anywhere in gateway (unfixed)

Also adds:
- 3 new attack chains (CVE-2026-25253 credential theft, ClawHavoc lifecycle,
  SSRF cloud metadata)
- Risk matrix entries for all new threats
- recently_fixed section in recommendations tracking 6 merged PRs
- Updated ATLAS technique mappings
- New key_security_files entries
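T-ACCESS-008 (timing side-channel in hook token auth) was closed by the `safeEqualSecret` utility the maintainers adopted. The TypeScript below is an added example written for this page, not that utility or any OpenClaw code; it shows the defect class beside a constant-time replacement and the one caveat that usually trips people up (unset tokens). The names `naiveTokenMatches`, `constantTimeTokenMatches` and `authorizeHook` are assumptions.

```typescript
// Added example, not OpenClaw's safeEqualSecret: comparing a presented hook
// token with the configured one without leaking where the first mismatch is.
// The function names are assumptions made for this illustration.
import { createHash, timingSafeEqual } from "node:crypto";

// The defect class: === returns as soon as a byte differs, so response time
// correlates with how many leading bytes of the token were correct.
function naiveTokenMatches(presented: string, expected: string): boolean {
  return presented === expected;
}

// Hash both sides to a fixed 32-byte digest first: timingSafeEqual throws on
// unequal buffer lengths, and hashing also stops the token length from being
// observable. Then compare the digests in constant time.
function constantTimeTokenMatches(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// The surrounding check: a missing or empty configured token must deny, not
// silently compare equal to a missing or empty header.
function authorizeHook(
  headerValue: string | undefined,
  configuredToken: string | undefined,
): boolean {
  if (!configuredToken || !headerValue) return false;
  const presented = headerValue.startsWith("Bearer ")
    ? headerValue.slice("Bearer ".length)
    : headerValue;
  return constantTimeTokenMatches(presented, configuredToken);
}
```

Hashing before comparing is a common pattern when the two inputs may differ in length; the alternative of padding to a fixed length also works but is easier to get subtly wrong.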