OpenClaw Shartify Trust Rank
OpenClaw & QClaw: Are AI Agents Secret Trojan Horses? | Security Analysis 2026. Investigation: OpenClaw and Tencent's QClaw promise to automate your life—but who guarantees they aren't Trojan horses? No audits, no encryption, no legal protection. We expose the hidden risks of granting AI agents total access to your digital existence.
Assessed Subject: OpenClaw (Core Framework & Ecosystem)
Issue Date: April 23, 2026
Methodology Version: Shartify Trust Rank v2.1
Document Classification: Public / Enterprise & Compliance Advisory
Prepared by: Shartify Security & Trust Assessment Division
EXECUTIVE SUMMARY
OpenClaw achieves a global score of 1.3/10 in the Shartify Trust Rank framework, positioning it well below the minimum threshold for enterprise adoption (>6.0) and for access to premium features (>7.0).
The analysis highlights the absence of recognized security certifications, enterprise-grade access controls, certified data protection and residency mechanisms, and formal incident response processes. The framework is exposed to active risks of supply chain poisoning, credential exfiltration, and insecure-by-default configuration.
Operational Verdict:
❌ NOT ELIGIBLE for regulated environments, processing of sensitive personal/corporate data, or data collection, analysis, and resale activities.
⚠️ PERMITTED ONLY in isolated sandbox mode, with documented compensating controls and explicit risk disclaimers.
ASSESSMENT METHODOLOGY
The Shartify Trust Rank evaluates the security and compliance maturity of AI/agent platforms across 10 critical pillars, each weighted on a 0-10 scale. The final score is a weighted average reflecting:
- Presence of independent certifications (SOC 2, ISO 27001, GDPR compliance, FedRAMP)
- Robustness of identity, access, and isolation controls
- Supply chain integrity and dependency management
- Auditability, observability, and incident response capabilities
- Legal and contractual guarantees (DPA, SLA, data residency)
| Threshold | Meaning |
|---|---|
0.0 – 3.9 |
❌ Critical Risk – Not eligible for enterprise use or sensitive data |
4.0 – 6.9 |
⚠️ Moderate Risk – Requires documented compensating controls |
7.0 – 10.0 |
✅ Enterprise Ready – Eligible for distribution, compliance, and data processing |
DETAILED SCORE BY PILLAR
| # | Assessment Pillar | Score | Technical & Compliance Rationale |
|---|---|---|---|
1 |
Compliance Certifications |
0/10 | No SOC 2, ISO 27001, GDPR, or FedRAMP attestation. No published DPA or compliance documentation. |
2 |
Identity & Access Control |
1/10 | No native SSO/SAML/OIDC, optional MFA, unstructured RBAC. Inherits host user credentials without privilege separation. |
3 |
Data Protection |
2/10 | API keys and sessions stored in plaintext (~/.clawdbot/.env). Encryption at rest not enabled by default. |
4 |
Supply Chain Integrity |
1/10 | ClawHavoc ecosystem: 1,184+ confirmed malicious packages in marketplace. No mandatory code signing or pre-publication review. |
5 |
Audit & Observability |
2/10 | Unstructured local logging. No native SIEM export, non-immutable logs, incomplete agent action tracking. |
6 |
Vendor Accountability |
1/10 | Community-driven project. No commercial SLA, dedicated IR team, or formal vulnerability disclosure channel. |
7 |
Network Security Posture |
2/10 | Gateway bound by default to 0.0.0.0. 40,000+ instances exposed publicly. UFW does not automatically mitigate Docker ports. |
8 |
Execution Isolation |
1/10 | Runs with host user privileges. No mandatory sandboxing, seccomp, AppArmor, or namespace restrictions by default. |
9 |
Privacy & Data Residency |
1/10 | No configurable residency controls. Data transits freely. Absence of GDPR mechanisms for consent, portability, or right to erasure. |
10 |
Incident Response |
2/10 | Patches managed by community. No formal response process, remediation timelines not guaranteed, fragmented CVE tracking. |
???? GLOBAL SHARTIFY SCORE: 1.3 / 10
CRITICAL RISK ANALYSIS
Structural Exposure
- 40,000+ instances detected publicly accessible without authentication.
- 135,000+ deployments operating over unencrypted HTTP (source: independent Bitdefender/SecurityScorecard reports, 2025-2026).
- gateway.mode: local configuration not set by default.
Supply Chain Poisoning (ClawHavoc)
- 1,184+ malicious skills/plugins identified in the official marketplace.
- No integrity verification of packages before execution.
- Capability to execute arbitrary code with host user privileges.
Confirmed Attack Vectors (Independent Testing)
| Attack Vector | Success Rate | Direct Impact |
|---|---|---|
Credential Access |
85.71% | Extraction of tokens, API keys, browser sessions |
Data Exfiltration |
80.00% | Silent transfer of documents, logs, metadata |
Lateral Movement |
66.67% | Propagation within local/private network |
Privilege Escalation |
50.00% | Elevation to root/system not always blocked |
Compliance & Legal Framework
- Dutch Data Protection Authority (AP): officially advises against use for sensitive data.
- GDPR Art. 28: no Data Processing Agreement (DPA) available.
- Data Resale/Analysis: impossibility to guarantee explicit consent, minimization, or legal traceability of processing.
MITIGATION PATHWAY & COMPENSATING CONTROLS
Rigorous implementation of the following controls can increase the score by up to +6.5 points, bringing the Trust Rank to 7.8/10 (premium threshold exceeded).
| Compensating Control | Score Increase | Implementation Requirement |
|---|---|---|
| Network Isolation (air-gapped / Tailscale Zero Trust) | +1.5 | --network=host disabled, host-level firewall, localhost bind only |
| External Credential Brokering (Vault/Secrets Manager) | +1.5 | No token/raw key in .env; automatic rotation; just-in-time access |
| Strict Permission Allowlist | +1.0 | tools.profile: "minimal", explicit block of unnecessary filesystem/terminal/network |
| Immutable External Audit Logging | +0.5 | JSON/Syslog export to SIEM or WORM storage; cryptographic log signing |
| Automated Patch Management | +0.5 | Update within 72h for CVE ≥7.0; continuous monitoring of GitHub/OpenClawCVEs |
| Custom Contractual Framework (DPA + GDPR Clauses) | +1.0 | Legal agreement with provider/cloud hosting; residency and processing clauses |
| System-Level Safety Constraints | +0.5 | Hard-coded safety prompts in container config; disable sudo mode |
⚠️ Operational Note: Score recovery requires formal documentation, periodic internal/external audit, and explicit assumption of legal responsibility by the data controller.
FINAL VERDICT & RECOMMENDATIONS
│ • Explicit accepted risk disclaimer
Strategic Recommendation:
-
For personal/experimental use: adopt complete hardening, block internet access, monitor update diffs.
-
For commercial/data processing use: migrate to certified platforms (e.g., Onyx AI SOC2, Azure OpenAI with BAA, air-gapped on-premise solutions).
-
For inbound marketing/trust building: avoid using uncertified frameworks in data management. Reputational and non-compliance risks outweigh automation benefits
REFERENCES & VERIFIED SOURCES
| Source | Type | Relevance |
|---|---|---|
CLAW-10 Framework (Onyx AI) |
Enterprise Benchmark | Structured 10-dimension evaluation |
arXiv:2604.03131v1 |
Independent Research | Security testing across 205 real-world vectors |
Dutch Data Protection Authority (AP) |
Official Advisory | Advises against use for sensitive data |
GitHub - OpenClawCVEs |
Public Tracker | CVE monitoring and patch status |
ManageMyClaw Security Guide |
Operational Hardening | 14-point mitigation checklist |
SecurityScorecard / Bitdefender Reports |
Threat Intelligence | Instance exposure and supply chain analysis |
???? Next Scheduled Review: Q3 2026
???? Update Trigger: Critical patch, official DPA release, or publication of independent certification.
What's Your Reaction?
