Preparations
This solution is installed using official open-source scripts. Before the deployment, read the risk description below.
| Category | Risk Description | Impact Analysis | Policy Suggestions |
| Architectural Flaws: Uncontrolled Access and Network Exposure | There is a lack of permission isolation. OpenClaw runs directly on the host machine using user permissions, rather than in an isolated environment such as a Docker container or virtual machine. This means that once the Agent is compromised, the attacker gains full control over the host machine. | OpenClaw purchased on the cloud is independent of the user's service system in the form of a VM. If OpenClaw is intruded, the host where OpenClaw is deployed will be affected. | You are advised to isolate OpenClaw from existing service systems in VPCs and subnets, or configure security groups and ACLs to implement refined access control and reduce risks. |
| The network gateway is exposed. The core component of OpenClaw is a web gateway, which by default listens on port 18789. These exposed interfaces not only leak server information but also directly provide a path for accessing the control panel. | The SAC automatic deployment function allows the inbound policy of security group 18789 to be enabled by default. | The default port of the solution is used. You are advised to configure security groups and ACLs to implement refined access control and reduce risks. | |
| Localhost trust fallacy. In early versions of the project and some releases from January 26, the system design assumed that connections from 127.0.0.1 were trustworthy, but users often deploy reverse proxies to enable remote control. If not configured correctly, all external requests would appear to originate from the local machine in OpenClaw, bypassing the authentication mechanism. | The reverse proxy is not used for automatic SAC deployment. Therefore, this risk will not occur if the customer performs operations according to the guide. | If a reverse proxy is used, be aware of these security risks. | |
| Data Security: Plaintext Storage and Cognitive Context Theft | Sensitive information is stored in plaintext. Forensic analysis revealed that highly sensitive information, such as API keys and Slack/GitHub access tokens, was stored in plaintext within Markdown and JSON files on the local file system. | Key information stored in plaintext includes the API key of the large model, access ID, and token of the chat platform. If the VM is attacked, these sensitive information will be disclosed. | Before the official architecture is optimized: 1. It is recommended that users periodically change information such as the API key of the large model. 2. It is recommended that users purchase Host Security Service (HSS) to implement in-depth protection and micro-segmentation for workloads. 3. It is recommended that users purchase Cloud Firewall (CFW) to implement fine-grained control over network traffic. 4. It is recommended that customers use the key management and credential rotation capabilities of Data Encryption Workshop (DEW) to prevent password cracking. |
| Risk of cognitive context theft. The MEMORY.md file records the AI's "long-term memory," which not only includes technical credentials but also psychological profiles of users, work context, summaries of private conversations, and social networks. Malware such as RedLine and Lumma have updated their target lists to specifically scan and steal these directories. | Leaked personal chat records | be the same as the above | |
| New threat landscape. This is not just about password leaks, but "contextual cognitive theft." Attackers gain not only passwords but a complete digital life profile of the user, which can be used to launch highly targeted spear phishing attacks or to commit fraud by exploiting AI trust relationships. | be the same as the above | be the same as the above | |
| Supply Chain Crisis: Security Risks Triggered by Name Changes | N/A | N/A | N/A |
| Attack Methods | Policy Suggestions |
| Gateway Exposure and Privilege Bypass Attacks | For details about the policy for mitigating gateway exposure risks, see the preceding table. |
| Supply chain poisoning and skill store attacks | Provide security practice suggestions in the documentation. 1. For any sensitive operation (file deletion, email sending, or money transfer), manual confirmation is required. 2. Follow the principle of least privilege. Only grant the permissions required for AI to complete tasks. Do not grant all permissions with one click. |
| Indirect side injection attack | be the same as the above |
| Lateral movement and jump-off attacks | For the policy recommendations on the lack of permission isolation, see the above table. |
When you log in with your Huawei Cloud account, you do not need to perform this preparation step. If you are using an IAM user account, please confirm whether you are in the admin group. If you are not in the admin group, you will need to (Optional) Creating the rf_admin_trust Agency to your IAM account and complete the following preparation steps.
(Optional) Creating the rf_admin_trust Agency
- Log in to the Huawei Cloud official website, open the console, hover over the account name, and choose Identity and Access Management. Figure 1 Console page
Figure 2 Identity and access management page
- Choose Agencies in the left navigation pane and search for the rf_admin_trust agency. Figure 3 Agencies
- If the agency is found, skip the following steps.
- If the agency is not found, perform the following steps to create it.
- Click Create Agency in the upper right corner of the page. On the displayed page, enter rf_admin_trust for Agency Name, select Cloud service for Agency Type and RFS for Cloud Service, and click Next. Figure 4 Creating the rf_admin_trust agency
- Search for Tenant Administrator, select it in the search results, and click Next. Figure 5 Selecting a policy/role
- Select All resources and click OK. Figure 6 Setting the authorization scope
- Check that the rf_admin_trust agency is created and displayed in the agency list. Figure 7 Agenciespe
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot