[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-openclaw-security-risks-and-defenses-en":3,"tags-openclaw-security-risks-and-defenses-en":30,"related-lang-openclaw-security-risks-and-defenses-en":39,"related-posts-openclaw-security-risks-and-defenses-en":43,"series-ai-agent-a6f2284f-069c-40a0-9dd1-210cc37cb4c3":80},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":29,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":20},"a6f2284f-069c-40a0-9dd1-210cc37cb4c3","OpenClaw Security Risks and Defense Checklist","\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fopenclaw\" target=\"_blank\" rel=\"noopener\">OpenClaw\u003C\u002Fa> and local AI agents like it are turning “models that can chat” into “programs that can act.” In the analysis disclosed by Antiy, 1,184 malicious skill packages were found on a single platform, and more than 230,000 instances worldwide are exposed to the public internet because of insecure default configuration.\u003C\u002Fp>\u003Cp>This is not an ordinary application-security problem. It is an automated executor that reads files, runs commands and connects to the internet, and its security boundary is far more fragile than that of traditional desktop software. If you plan to put it on an office machine or a server, or connect it to enterprise data sources, you cannot just look at the feature list; you first have to look at what privileges it brings in the door.\u003C\u002Fp>\u003Ch2>What OpenClaw actually is, and why it is dangerous\u003C\u002Fh2>\u003Cp>OpenClaw is an open-source AI agent. Its core capability is binding together a chat interface, a large language model, terminal operations and third-party skill packages so that it can automatically complete tasks such as file management, email handling, script execution and data organisation, locally or in the cloud. Its value is straightforward: less manual work, more automation.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775057608726-3wx5.png\" alt=\"OpenClaw Security Risks and Defense Checklist\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The problem is equally straightforward: once it holds system privileges, the AI no longer just “answers questions”; it can “do things on your behalf.” That means what it touches is not a single conversation but the file system, credentials, browser sessions, internal APIs, and potentially control of the entire machine.\u003C\u002Fp>\u003Cp>Antiy's report sums the risk up clearly: OpenClaw is deeply integrated with the host system, its privilege boundaries are blurred, its isolation mechanisms are insufficient, and the third-party extension marketplace lacks unified review. To developers this design is attractive; to attackers it is also a ready-made map of the attack surface.\u003C\u002Fp>\u003Cul>\u003Cli>February 2026: large-scale poisoning with malicious Skills discovered on the ClawHub platform\u003C\u002Fli>\u003Cli>1,184 malicious skill packages detected on a single platform\u003C\u002Fli>\u003Cli>A single malicious author uploaded as many as 677 poisoned plugins at once\u003C\u002Fli>\u003Cli>More than 230,000 instances worldwide exposed to the public internet through default configuration\u003C\u002Fli>\u003Cli>Some instances have already leaked sensitive information\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>The most dangerous part is not the model but the extension ecosystem\u003C\u002Fh2>\u003Cp>The real centre of OpenClaw's risk is not the model answering wrongly but the Skills ecosystem being polluted. Skills are meant to “add capabilities” to the agent, but without review they can just as easily “add backdoors.”\u003C\u002Fp>\u003Cp>The “利爪浩劫” (literally “Claw Havoc”) campaign Antiy mentions is the textbook case: attackers used a low-barrier platform like ClawHub to publish malicious skill packages disguised as tools in bulk, then used the “installation steps” in the documentation to lure users into running terminal commands and downloading unknown binaries. Users thought they were installing a plugin; in fact they were opening the door for the attacker.\u003C\u002Fp>\u003Cblockquote>“The absence of trust boundaries between the agent, the user, and external content creates a new class of security problem.” — \u003Ca href=\"https:\u002F\u002Flabs.zenity.io\u002F\" target=\"_blank\" rel=\"noopener\">Zenity Labs\u003C\u002Fa>\u003C\u002Fblockquote>\u003Cp>That sentence fits OpenClaw well: its problem is not a single vulnerability but a trust chain that is too long. The user trusts the skill package, the skill package trusts the script, the script trusts the network, and the AI puts all of that content into the same reasoning context, so in the end “external input” is treated as “internal instructions.”\u003C\u002Fp>\u003Cp>At the supply-chain level the risk is amplified further. The Node.js and npm ecosystem is large and dependency-heavy, and any poisoned upstream package can silently execute a malicious script at install time. For an AI agent this risk is worse than for a traditional application, because it usually runs with higher privileges and a higher degree of automation.\u003C\u002Fp>\u003Ch2>How much larger is OpenClaw's exposure than traditional software's\u003C\u002Fh2>\u003Cp>Compare a traditional desktop application, a browser extension and an AI agent side by side and OpenClaw's attack surface is clearly the largest. Traditional software usually does one kind of thing; an AI agent accesses files, the command line, web pages and third-party services all at once.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775057631103-pw6o.png\" alt=\"OpenClaw Security Risks and Defense Checklist\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Some of the statistics Antiy cites are already striking: between January and 9 March 2026, CNNVD catalogued 82 OpenClaw vulnerabilities, of which 12 were rated critical, 21 high and 47 medium. For an open-source project that is still expanding rapidly, that vulnerability density is not low.\u003C\u002Fp>\u003Cp>Worse, many deployers put it directly on an internet-connected host with the default configuration unchanged and authentication not enabled. The agent that was supposed to do work for you on your own machine becomes an entry point on the internet that can be scanned and taken over.\u003C\u002Fp>\u003Cul>\u003Cli>Total OpenClaw vulnerabilities: 82\u003C\u002Fli>\u003Cli>Critical: 12\u003C\u002Fli>\u003Cli>High: 21\u003C\u002Fli>\u003Cli>Medium: 47\u003C\u002Fli>\u003Cli>Publicly exposed instances: 230,000+, of which tens of thousands have already leaked information\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Numbers like these point to a reality: the security question for AI agents is not “are there vulnerabilities” but whether vulnerabilities, privileges, extensions and exposed surface, stacked together, quickly turn into a system-level incident. OpenClaw is a sample of exactly that problem.\u003C\u002Fp>\u003Ch2>How to defend: tighten privileges first, then plugins\u003C\u002Fh2>\u003Cp>If you really are going to deploy OpenClaw, the first step is not installing more skills but tightening privileges. Least privilege here is not a slogan; it is the baseline. Do not hand it administrator rights from the start, and do not let the agent delete files, change configuration or make outbound requests by default.\u003C\u002Fp>\u003Cp>The second step is isolation. Put it in a container, a virtual machine or a separate runtime environment, and do not let it share high-value credentials with core business hosts. For tasks that require high-risk operations, add a human confirmation step, especially for deleting, sending data out, downloading and executing scripts.\u003C\u002Fp>\u003Cp>The third step is controlling where extensions come from. Official channels, trusted repositories and audited skill packages should rank far above links forwarded in the community and search-engine results. Any Skill that asks you to download a ZIP, run a shell script or enter account credentials deserves a pause; do not click through in a hurry.\u003C\u002Fp>\u003Cp>Antiy's defensive guidance is also practical: enable only the essential Skills and turn off unnecessary extensions; run host vulnerability scans and patch updates regularly; turn on full logging and audit; and submit suspicious skill files for static scanning and behavioural analysis. For an enterprise, these actions reduce incidents more than “buying a bigger model” does.\u003C\u002Fp>\u003Cul>\u003Cli>Enable only the Skills you actually need; do not leave a dozen extensions running\u003C\u002Fli>\u003Cli>Put OpenClaw in an isolated environment so it never touches core hosts directly\u003C\u002Fli>\u003Cli>Audit SKILL.md, installation scripts and binary packages\u003C\u002Fli>\u003Cli>Inventory ports exposed to the public internet and close interfaces that are open by default\u003C\u002Fli>\u003Cli>Connect endpoint protection and malicious-file detection tools\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Which tools on the menu are worth deploying first\u003C\u002Fh2>\u003Cp>The endpoint protection product Antiy mentions, \u003Ca href=\"https:\u002F\u002Fwww.antiy.cn\u002F\" target=\"_blank\" rel=\"noopener\">安天智甲\u003C\u002Fa>, focuses on host protection, behaviour control, media control, email protection and dynamic backup. For an agent like OpenClaw that reads and writes local files and invokes the command line directly, this kind of host-side defence is more useful than a plain network perimeter.\u003C\u002Fp>\u003Cp>Also worth attention are a dedicated scanning tool for Skills, and online analysis portals such as \u003Ca href=\"https:\u002F\u002Fwww.virusview.net\u002F\" target=\"_blank\" rel=\"noopener\">计算机病毒百科\u003C\u002Fa> (the Computer Virus Encyclopedia). The former suits batch checking of local skill packages; the latter suits submitting a suspicious file for inspection before deciding whether to put it into production.\u003C\u002Fp>\u003Cp>If you are doing enterprise delivery, also check these while you are at it: vulnerability advisories from \u003Ca href=\"https:\u002F\u002Fwww.cnvd.org.cn\u002F\" target=\"_blank\" rel=\"noopener\">CNVD\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.cnnvd.org.cn\u002F\" target=\"_blank\" rel=\"noopener\">CNNVD\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.nvdb.org.cn\u002F\" target=\"_blank\" rel=\"noopener\">NVDB\u003C\u002Fa>, OpenClaw's official security updates, and your own asset exposure. AI agent security is not something a single patch solves; it is closer to a set of continuously practised hygiene habits.\u003C\u002Fp>\u003Cp>If you want to put this kind of agent into real business, my practical judgement is: do risk classification first, then decide whether it can go to production. Can it reach the internet, can it access local files, can it execute commands: if the answer to any one of these three is vague, do not rush to connect it to core systems.\u003C\u002Fp>\u003Cp>Over the next six months, the security discussion around local AI agents like OpenClaw will most likely shift from “is the plugin poisoned” to “who controls execution rights.” The real question is not how much it can do but how much system privilege you are willing to hand it. For an enterprise, the first thing to do is not to try new features but to go over default configuration, extension sources and public exposure from top to bottom.\u003C\u002Fp>","OpenClaw has been found to carry 1,184 malicious skill packages, with 230,000+ instances exposed to the public internet. This article breaks down the risks, the vulnerabilities and a defense checklist.","zhuanlan.zhihu.com","https:\u002F\u002Fzhuanlan.zhihu.com\u002Fp\u002F2020523232957089121",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775057608726-3wx5.png",[13,14,15,16,17],"OpenClaw","AI Agent","供应链安全","Skills插件","终端防护","en",0,false,"2026-04-01T09:54:41.350712+00:00","2026-04-01T09:54:41.236+00:00","done","cf034289-1431-431e-be07-010d8939a7fa","openclaw-security-risks-and-defenses-en","ai-agent","9dd23277-9adf-4eba-910f-cb8c7dbcb512","published","2026-04-09T09:00:54.511+00:00",[31,32,34,36,38],{"name":17,"slug":17},{"name":16,"slug":33},"skills插件",{"name":13,"slug":35},"openclaw",{"name":37,"slug":26},"AI agent",{"name":15,"slug":15},{"id":27,"slug":40,"title":41,"language":42},"openclaw-security-risks-and-defenses-zh","OpenClaw安全風險與防護清單","zh",[44,50,56,62,68,74],{"id":45,"slug":46,"title":47,"cover_image":48,"image_url":48,"created_at":49,"category":26},"c5d4bc11-1f4d-438c-b644-a8498826e1ab","claude-agent-dreaming-outcomes-multiagent-en","Claude给Agent加了“做梦”功能","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778868649463-f5qv.png","2026-05-15T18:10:25.29539+00:00",{"id":51,"slug":52,"title":53,"cover_image":54,"image_url":54,"created_at":55,"category":26},"fda44d24-7baf-4d91-a7f9-bbfecae20a27","switch-ai-outputs-markdown-to-html-en","How to Switch AI Outputs from Markdown to 
HTML","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778743249827-wmsr.png","2026-05-14T07:20:22.631724+00:00",{"id":57,"slug":58,"title":59,"cover_image":60,"image_url":60,"created_at":61,"category":26},"064275f5-4282-47c3-8e4a-60fe8ac99246","anthropic-cat-wu-proactive-ai-assistants-en","Anthropic’s Cat Wu on proactive AI assistants","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778735465548-a92i.png","2026-05-14T05:10:31.723441+00:00",{"id":63,"slug":64,"title":65,"cover_image":66,"image_url":66,"created_at":67,"category":26},"423ac8ad-2886-42a9-8dd8-78e5d43a1574","how-to-run-hermes-agent-on-discord-en","How to Run Hermes Agent on Discord","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778724656141-i30t.png","2026-05-14T02:10:35.727086+00:00",{"id":69,"slug":70,"title":71,"cover_image":72,"image_url":72,"created_at":73,"category":26},"776a562c-99a6-4a6b-93a0-9af40300f3f2","why-ragflow-is-the-right-open-source-rag-engine-to-self-host-en","Why RAGFlow is the right open-source RAG engine to self-host","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778674254587-0pxn.png","2026-05-13T12:10:25.721583+00:00",{"id":75,"slug":76,"title":77,"cover_image":78,"image_url":78,"created_at":79,"category":26},"322ec8bc-61d3-4c80-bb9e-a19941e137c6","how-to-add-temporal-rag-in-production-en","How to Add Temporal RAG in 
Production","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778667085221-0mox.png","2026-05-13T10:10:31.619892+00:00",[81,86,91,96,101,106,111,116,121,126],{"id":82,"slug":83,"title":84,"created_at":85},"03db8de8-8dc2-4ac1-9cf7-898782efbb1f","anthropic-claude-ai-agent-task-automation-en","Anthropic's Claude AI Agent: A New Era of Task Automation","2026-03-25T16:25:06.513026+00:00",{"id":87,"slug":88,"title":89,"created_at":90},"045d1abc-190d-4594-8c95-91e2a26f0c5a","googles-2026-ai-agent-report-decoded-en","Google’s 2026 AI Agent Report, Decoded","2026-03-26T11:15:23.046616+00:00",{"id":92,"slug":93,"title":94,"created_at":95},"e64aba21-254b-4f93-aa21-837484bb52ec","kimi-k25-review-stronger-still-not-legend-en","Kimi K2.5 review: stronger, still not a legend","2026-03-27T07:15:55.385951+00:00",{"id":97,"slug":98,"title":99,"created_at":100},"30dfb781-a1b2-4add-aebe-b3df40247c37","claude-code-controls-mac-desktop-en","Claude Code now controls your Mac desktop","2026-03-28T03:01:59.384091+00:00",{"id":102,"slug":103,"title":104,"created_at":105},"254405b6-7833-4800-8e13-f5196deefbe6","cloudflare-100x-faster-ai-agent-sandbox-en","Cloudflare’s 100x Faster AI Agent Sandbox","2026-03-28T03:09:44.356437+00:00",{"id":107,"slug":108,"title":109,"created_at":110},"04f29b7f-9b91-4306-89a7-97d725e6e1ba","openai-backs-isara-agent-swarm-bet-en","OpenAI backs Isara’s agent-swarm bet","2026-03-28T03:15:27.849766+00:00",{"id":112,"slug":113,"title":114,"created_at":115},"3b0bf479-e4ae-4703-9666-721a7e0cdb91","openai-plan-automated-ai-researcher-en","OpenAI’s plan for an automated AI researcher","2026-03-28T03:17:42.312819+00:00",{"id":117,"slug":118,"title":119,"created_at":120},"fe91bce0-b85d-4efa-a207-24ae9939c29f","harness-engineering-ai-agent-reliability-2026","Harness Engineering: From Bridle to Operating System, The Missing Link in AI Agent 
Reliability","2026-03-31T06:36:55.648751+00:00",{"id":122,"slug":123,"title":124,"created_at":125},"67dc66da-ca46-4aa5-970b-e997a39fe109","openai-codex-plugin-claude-code-en","OpenAI puts Codex inside Claude Code","2026-04-01T09:21:55.381386+00:00",{"id":127,"slug":128,"title":129,"created_at":130},"7a09007d-820f-43b3-8607-8ad1bfcb94c8","mcp-explained-from-prompts-to-production-en","MCP Explained: From Prompts to Production","2026-04-01T09:24:40.089177+00:00"]