Update threat-model.md with Lethal Trifecta framework and OWASP Agentic Top 10 #13
Description
Summary
The current references/threat-model.md provides good coverage of attack surfaces and real-world incidents but is missing several key frameworks and threat vectors documented in the forensic analysis. This issue tracks bringing the threat model up to date.
Current Coverage vs Gaps
| Topic | Current Status | Gap |
|---|---|---|
| Gateway attack surface | Covered (section 1.1) | Missing reverse proxy bypass detail |
| Skills attack surface | Covered (section 1.3) | Missing "Lethal Trifecta" framing |
| Supply chain | Covered (section 1.5) | Missing typosquatting detail |
| Moltbook | Covered briefly (1.6) | Missing Supabase leak, inter-agent worm |
| ClawHavoc | Covered (section 1.7) | Up to date |
| Memory poisoning | Not covered | New section needed |
| OWASP Agentic Top 10 | Not covered | New mapping section needed |
| Lethal Trifecta | Not covered | New framework section needed |
| Infostealer adaptation | Not covered | New section needed |
| Inter-agent worm propagation | Not covered | New section needed |
| Trust boundaries diagram | Covered (section 5) | Missing memory + egress boundaries |
Proposed Additions
Section 1.8: Persistent Memory (NEW)
### 1.8 Persistent Memory
OpenClaw's memory system stores interaction history, user preferences,
and context as Markdown and JSON files. Memory introduces:
- **Memory poisoning.** Malicious instructions injected via email,
web scrapes, or inter-agent messages persist across sessions.
Because the agent does not distinguish between user commands and
ingested data, a planted instruction can activate days or weeks
later when conditions align (time-shifted exploit).
- **SOUL.md tampering.** The behavioral core file defines the agent's
personality. Modification turns the agent into a persistent backdoor.
- **PII accumulation.** Memory files accumulate sensitive data over
time, creating a high-value target for infostealers.
**Relevant checks:** CHK-MEM-001 through CHK-MEM-004.Section 1.9: Inter-Agent Communication (NEW)
### 1.9 Inter-Agent Communication
When agents interact (via Moltbook or direct messaging):
- **Worm propagation.** A compromised agent posts a prompt injection
payload. Any agent that reads the post becomes compromised and
propagates the payload to its own followers. This creates exponential
spread.
- **Cascading trust failure.** Agent A trusts Agent B's output because
both are "agents." But Agent B may be compromised, making its output
an attack vector for Agent A.
**Relevant checks:** CHK-MEM-001, CHK-NET-011 (egress policy).Section 2.1: The Lethal Trifecta (NEW)
## 2.1 The Lethal Trifecta
The unique risk of agentic systems like OpenClaw arises from the
combination of three capabilities:
1. **Access to Private Data** -- The agent requires API keys, browser
history, cookies, and system files. This is an unbounded attack
surface with access to the user's credentials.
2. **Exposure to Untrusted Content** -- The agent must consume web
scrapes, emails, and third-party skill outputs. It cannot
distinguish between data and instruction, so the blast radius
extends to every system the agent can reach.
3. **Ability to Externally Communicate** -- The agent can send
messages, make API calls, and execute terminal commands. This
enables silent data exfiltration and logic bomb activation.
Any two of these alone are manageable. All three together create
an unprecedented security challenge -- the "double agent problem"
where the agent operates with legitimate credentials but its
alignment can drift at any moment.Section 6: OWASP Top 10 for Agentic Applications Mapping (NEW)
## 6. OWASP Top 10 for Agentic Applications (2026) Mapping
| OWASP Risk | OpenClaw Failure Mode | ClawPinch Checks |
|---|---|---|
| ASI01: Agent Goal Hijack | Indirect prompt injection via email/web | CHK-MEM-001 |
| ASI02: Tool Misuse | Exec tool provides unauthenticated shell | CHK-CFG-001, CHK-SKL-004 |
| ASI03: Identity Abuse | Plaintext API keys in .env files | CHK-SEC-001..012 |
| ASI04: Supply Chain | Malicious skills on MoltHub | CHK-SUP-001..009 |
| ASI05: Sandboxing Failure | Docker escape via PATH injection | CHK-CVE-003 |
| ASI06: Memory Poisoning | Time-shifted exploits in memory files | CHK-MEM-001..004 |
| ASI07: Insecure Comms | Inter-agent worm propagation | CHK-NET-009..011 |
| ASI08: Cascading Failures | Resource exhaustion via cron jobs | CHK-CRN-001..006 |
| ASI09: Insufficient Logging | Missing audit trail | CHK-CFG-010 |
| ASI10: Excessive Agency | Skills with unnecessary permissions | CHK-PRM-001..008 |Updated Trust Boundaries Diagram
┌───────────────────────────────────────────────────────────┐
│ Internet │
│ │
│ ┌───────────┐ ┌──────────────┐ ┌─────────────────┐ │
│ │ Attacker │ │ ClawHub │ │ Moltbook / │ │
│ │ / Bot │ │ Registry │ │ Social Network │ │
│ └─────┬─────┘ └──────┬───────┘ └────────┬────────┘ │
└─────────┼───────────────┼────────────────────┼───────────┘
══════════╪═══════FIREWALL (ingress + EGRESS)══╪════════════
┌─────────┼───────────────┼────────────────────┼───────────┐
│ ▼ ▼ ▼ │
│ ┌───────────┐ ┌──────────────┐ ┌─────────────────┐ │
│ │ Gateway │◄─┤ Skills │ │ Agent Memory │ │
│ │ :3000 │ │ (sandboxed) │ │ (SOUL.md, ctx) │ │
│ └─────┬─────┘ └──────────────┘ └─────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────┐ ┌──────────────┐ ┌─────────────────┐ │
│ │ Channels │ │ Cron Jobs │ │ Legacy Dirs │ │
│ │ (Slack, │ │ (scheduled) │ │ ~/.clawdbot/ │ │
│ │ Discord) │ │ │ │ ~/.moltbot/ │ │
│ └───────────┘ └──────────────┘ └─────────────────┘ │
│ │
│ Host Machine / Docker │
└───────────────────────────────────────────────────────────┘
New trust boundaries:
6. Memory <-> Agent (memory content is untrusted; may contain injections)
7. Host <-> Internet (egress must be restricted, not just ingress)
8. Agent <-> Agent (inter-agent communication is untrusted)
References
- Forensic analysis: all sections
- OWASP Top 10 for Agentic Applications 2026
- Existing
references/threat-model.md