Phase I Research — February 2026

Threat Modeling OpenClaw (Moltbot) with OWASP ASI + CSA MAESTRO

One of the first practical applications of the OWASP Agentic Security Initiative Top 10 (2026) and CSA MAESTRO to a real production system. A full Phase I threat model of the OpenClaw self-hosted AI assistant platform — 10 threats, 5 attack chains, 6 trust boundaries, and a prioritized remediation roadmap.

↓ Access Phase I Research Explore Key Findings
3
Critical Threats
4
High Threats
3
Medium Threats
10/10
ASI Coverage
5
Attack Chains
6
Trust Boundaries
Deliverables Preview
What's inside Phase I research
Six professional deliverables including interactive diagrams, executive dashboards, and comprehensive documentation. Here's a redacted preview.
TB-1 TB-2 TB-3 ASI01 ASI06 ASI09
Preview — Full diagram in Phase I research
Interactive HTML · Threat DFD
OWASP ASI Threat Data Flow Diagram
Purpose-built DFD with all 10 ASI categories mapped to specific attack zones, 6 trust boundaries, and the critical RCE attack chain highlighted.
EXTERNAL CHANNELS GATEWAY AGENT RUNTIME PERIPHERALS
Preview — Full diagram in Phase I research
Interactive HTML · Architecture
7-Tier System Architecture Diagram
Full component decomposition from External (T0) through Persistence (T6) with 50+ components, data flows, and security annotations.
3 CRITICAL 4 HIGH 3 MEDIUM MAESTRO 6/6
Preview — Full dashboard in Phase I research
Interactive HTML · Dashboard
Executive Threat Dashboard
MAESTRO donut chart, ASI coverage bars, trust boundary risk map, full threat table, and remediation timeline visualization.
GATEWAY Control Plane Channels (10) Nodes (4) Tool Execution Canvas LLM Providers
Preview — Full diagram in Phase I research
Interactive HTML · Topology
Gateway Topology Diagram
Validated hub-spoke connectivity map showing all 3 client groups, downstream services, and protocol-labeled connections.
Research Brief
Phase I Threat Model Highlights
Executive overview: Architecture Decomposition, Trust Boundaries, MAESTRO + ASI Mapping, 10 Enumerated Threats, 5 Attack Chains, Remediation Roadmap, Coverage Matrix, Methodology & References.
Research Brief
Architecture Deep Dive
Comprehensive architecture narrative covering gateway services, agent runtime, tool surface, channel adapters, peripheral nodes, extensions, persistence layer, and security model.
Key Findings
What we discovered
A selection of the 10 enumerated threats. The full Phase I research includes detailed attack paths, impact analysis, and remediation for each.
Critical
OC-T01 · ASI01, ASI02
Agent Goal Hijack via Prompt Injection
A single crafted message through any channel can override the agent's system prompt and trigger arbitrary tool execution — including direct shell access.
Tampering Elevation TB-1 → TB-3
Critical
OC-T02 · ASI02, ASI05
Unrestricted Tool Execution Surface
The exec tool provides direct shell access with full process permissions. No sandboxing, no command allowlist, no output validation. Complete RCE in a single tool call.
Elevation TB-5 exec / shell
Critical
OC-T03 · ASI03, ASI02
Credential Exposure via Auth Profiles
API keys stored in plaintext, passed into LLM context sent to external providers, and persisted in unencrypted JSONL transcripts. Triple exposure surface.
Info Disclosure Spoofing TB-4 → TB-5
High
OC-T04 · ASI06
Memory & Context Poisoning
Adversarial content planted in SQLite memory stores gets retrieved by BM25+vector search and injected into agent context. Semantic similarity enables "sleeper" payloads.
Tampering TB-3 Persistent
High
OC-T05 · ASI04
Supply Chain via ClawHub Plugins
Malicious plugins execute with full agent permissions and can intercept all context through the Hooks Engine lifecycle. No code signing, no sandbox, no review gate.
Tampering Elevation ClawHub
High
OC-T07 · ASI08
Gateway Single Point of Failure
All communication flows through a single WebSocket server on :18789. Compromise grants complete control over routing, dispatch, and cron scheduling for the entire fleet.
DoS Spoofing TB-2 → TB-6
4 additional threats + 5 multi-stage attack chains in the full Phase I research
Methodology
Dual-framework approach
We combined CSA MAESTRO’s multi‑agent architecture layers with the OWASP ASI Top 10 to achieve coverage no single methodology provides alone.
🛡️
CSA MAESTRO (7‑Layer)
The CSA MAESTRO reference architecture for multi‑agent systems. Provides layered decomposition from foundation models through deployment infrastructure and ecosystem integrations.
7/7 Layers Architecture Multi‑Agent
🎯
OWASP ASI Top 10 (2026)
The brand-new Agentic Security Initiative framework from OWASP, purpose-built for autonomous AI systems. Covers agent-specific threats including prompt injection, tool misuse, memory poisoning, inter-agent trust, and rogue agent behavior.
10/10 Coverage Agentic-Specific First Application
⛓️
Attack Chain Analysis
Five multi-stage attack paths traced across trust boundaries, showing how individual vulnerabilities chain together into system-level compromise. Includes the critical Alpha chain: single message → full RCE.
5 Chains Multi-Stage Cross-Boundary
🗺️
Prioritized Remediation
10 remediation actions organized into P0 (30-day), P1 (90-day), and P2 (180-day) tiers. Each action is linked to specific threats, ASI categories, and effort estimates.
P0 / P1 / P2 Actionable Linked

Access the full Phase I research

Get immediate access to all 6 deliverables — interactive diagrams, executive dashboard, threat model report, and architecture documentation. Everything you need to understand how we approach agentic AI security.

  • OWASP ASI Threat Data Flow Diagram (interactive HTML)
  • 7-Tier System Architecture Diagram (interactive HTML)
  • Gateway Topology Diagram (interactive HTML)
  • Executive Threat Dashboard (interactive HTML)
  • Detailed Threat Browser (interactive HTML)
  • Learning Resources (concepts explainer videos)

Access Phase I Research

Free access — we'll email the research link.
No spam. We'll send the download link and occasional
research updates. Unsubscribe anytime.

Check your inbox

We've sent the download link to your email.
It should arrive within a few minutes.

About SecuraAI

SecuraAI is an AI security and governance firm specializing in threat modeling, red teaming, and safety evaluations for agentic AI systems. We operate at the intersection of classical application security and the emerging threat landscape unique to autonomous AI agents.

Our team are early contributors to the OWASP Agentic Security Initiative, CSA's Agentic Red Teaming and maintain active research programs in agent exploitation, red teaming, conversational AI safety, and multi-agent multi-modal trust.

📧 research@securaai.com 🌐 securaai.com 📍 US
SecuraAI
🛡️
Agentic Threat Modeling
MAESTRO 7-layer mapping + OWASP ASI Top 10 risk taxonomy for agent architectures
🎯
AI Security Red Teaming
Model, Application Gaurdrail and Agent-focused attacks: goal hijack, tool misuse, memory poisoning, and inter-agent abuse
🧪
AI Safety Evaluations
Domain specific safety testing for harmfulness, misdiagnosis, crisis escalation, hallucinations, bias, and policy adherence with scored evals
📋
Compliance & Governance
Controls mapping and evidence for NIST AI RMF and EU AI Act across agent workflows
🧭
Agentic Readiness Assessment
Readiness review for agent deployments: identity/permissions, tool access, memory, logging, and supply chain