[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-openclaw-security-risks-and-defenses-en":3,"article-related-openclaw-security-risks-and-defenses-en":25,"series-ai-agent-a6f2284f-069c-40a0-9dd1-210cc37cb4c3":72},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":11,"views":22,"created_at":23,"published_at":24,"topic_cluster_id":11},"a6f2284f-069c-40a0-9dd1-210cc37cb4c3","openclaw-security-risks-and-defenses-en","OpenClaw security risks and defense checklist","\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fopenclaw\" target=\"_blank\" rel=\"noopener\">OpenClaw\u003C\u002Fa> and local AI agents like it are turning “a model that can chat” into “a program that can act.” In the analysis disclosed by Antiy, a single platform was found hosting 1,184 malicious skill packages, and more than 230,000 instances worldwide are exposed to the public internet because of insecure default configuration.\u003C\u002Fp>\u003Cp>This is not an ordinary application-security problem. It is an automated executor that reads files, runs commands and reaches the internet, and its security boundary is far more brittle than that of traditional desktop software. If you plan to put it on an office machine or a server, or connect it to enterprise data sources, you cannot just look at the feature list; you first have to look at what privileges it brings in the door.\u003C\u002Fp>\u003Ch2>What OpenClaw is, and why it is dangerous\u003C\u002Fh2>\u003Cp>OpenClaw is an open-source AI agent whose core capability is binding together a chat interface, a large language model, terminal access and third-party skill packages so that it can automatically carry out tasks such as file management, email handling, script execution and data organization, locally or in the cloud. Its value is straightforward: less manual work, more automation.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775057608726-3wx5.png\" alt=\"OpenClaw security risks and defense checklist\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The problem is equally straightforward: once it holds system privileges, the AI no longer just “answers questions”; it “does things on your behalf.” What it touches is not a single conversation but the file system, credentials, browser sessions, internal interfaces, and potentially control of the entire machine.\u003C\u002Fp>\u003Cp>Antiy’s report sums up the risk clearly: OpenClaw is deeply integrated with the host system, its privilege boundaries are blurry, its isolation mechanisms are insufficient, and the third-party extension marketplace lacks unified review. To a developer this design is attractive; to an attacker it is a ready-made map of the attack surface.\u003C\u002Fp>\u003Cul>\u003Cli>In February 2026, large-scale malicious Skills poisoning was discovered on the ClawHub platform\u003C\u002Fli>\u003Cli>1,184 malicious skill packages detected on a single platform\u003C\u002Fli>\u003Cli>A single malicious author uploaded as many as 677 poisoned plugins at once\u003C\u002Fli>\u003Cli>More than 230,000 
instances worldwide exposed to the public internet through default configuration\u003C\u002Fli>\u003Cli>Some instances have already leaked sensitive information\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>The most dangerous part is not the model but the extension ecosystem\u003C\u002Fh2>\u003Cp>OpenClaw’s real center of risk is not the model giving a wrong answer; it is the Skills ecosystem being polluted. Skills were meant to “add capabilities” to the agent, but without review they can just as easily “add backdoors.”\u003C\u002Fp>\u003Cp>The “Claw Havoc” (利爪浩劫) campaign Antiy describes is the textbook case: attackers used a low-barrier platform like ClawHub to publish malicious skill packages disguised as tools in bulk, then used the “installation steps” in the documentation to lure users into running terminal commands and downloading unknown binaries. Users thought they were installing a plugin; in reality they were opening the door for the attacker.\u003C\u002Fp>\u003Cblockquote>“The absence of trust boundaries between the agent, the user, and external content creates a new class of security problem.” — \u003Ca href=\"https:\u002F\u002Flabs.zenity.io\u002F\" target=\"_blank\" rel=\"noopener\">Zenity Labs\u003C\u002Fa>\u003C\u002Fblockquote>\u003Cp>That sentence fits OpenClaw well: its problem is not a single-point vulnerability but a trust chain that is too long. The user trusts the skill package, the skill package trusts the script, the script trusts the network, and the AI then places all of this into the same reasoning context, so that “external input” ends up treated as “internal instructions.”\u003C\u002Fp>\u003Cp>At the supply-chain level the risk is amplified further. The Node.js and npm ecosystem is huge and dependency-heavy; if any upstream package is poisoned, it can silently execute a malicious script at install time. For an AI agent this is worse than for a traditional application, because it usually runs with higher privileges and a higher degree of automation.\u003C\u002Fp>\u003Ch2>How much larger is OpenClaw’s exposure than traditional software?\u003C\u002Fh2>\u003Cp>Put a traditional desktop application, a browser extension and an AI agent side by side and OpenClaw’s attack surface is clearly the largest. Traditional software usually does one kind of thing; an AI agent accesses files, the command line, web pages and third-party services all at once.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775057631103-pw6o.png\" alt=\"OpenClaw security risks and defense checklist\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Some of the figures Antiy cites are striking: between January and March 9, 2026, CNNVD recorded 82 OpenClaw vulnerabilities, of which 12 were rated critical, 21 high and 47 medium. For an open-source project still in rapid expansion, that vulnerability density is not low.\u003C\u002Fp>\u003Cp>Worse, many operators put it straight onto an internet-connected host with the default configuration unchanged and authentication not enabled. An agent that was supposed to do work for you on your own machine thus becomes an entry point on the internet that can be scanned and taken over.\u003C\u002Fp>\u003Cul>\u003Cli>Total OpenClaw vulnerabilities: 82\u003C\u002Fli>\u003Cli>Critical: 12\u003C\u002Fli>\u003Cli>High: 21\u003C\u002Fli>\u003Cli>Medium: 47\u003C\u002Fli>\u003Cli>Publicly exposed instances: 230,000+, tens of thousands of which have already leaked information\u003C\u002Fli>\u003C\u002Ful>\u003Cp>These numbers point to a reality: the security question for AI agents is not “are there vulnerabilities?” but “when vulnerabilities, privileges, extensions and exposure stack up at the same time, does it rapidly turn into a system-level incident?” OpenClaw is a sample of exactly that problem.\u003C\u002Fp>\u003Ch2>How to defend: restrict privileges first, then plugins\u003C\u002Fh2>\u003Cp>If you really intend to deploy 
OpenClaw, the first step is not installing more skills but tightening privileges. Least privilege here is not a slogan but the baseline. Do not hand out administrator rights from the start, and do not let the agent delete files, change configuration or make outbound requests by default.\u003C\u002Fp>\u003Cp>The second step is isolation. Put it in a container, a virtual machine or a separate runtime environment, and do not let it share high-value credentials with core business hosts. For tasks that require high-risk operations, add human confirmation, especially for deletion, sending data out, downloads and script execution.\u003C\u002Fp>\u003Cp>The third step is controlling where extensions come from. Official channels, trusted repositories and audited skill packages should rank far above community-forwarded links and search-engine results. Any Skill that asks you to download a ZIP, run a shell script or enter account credentials deserves a pause before you click.\u003C\u002Fp>\u003Cp>Antiy’s defensive guidance is also practical: enable only the key Skills and disable unnecessary extensions; run regular host vulnerability scans and patch updates; turn on full logging and auditing; send suspicious skill files for static detection and behavioral analysis. For an enterprise, these actions reduce incidents more than “buying a bigger model” does.\u003C\u002Fp>\u003Cul>\u003Cli>Enable only the Skills you actually need; do not leave a dozen extensions switched on\u003C\u002Fli>\u003Cli>Put OpenClaw in an isolated environment that does not touch core hosts directly\u003C\u002Fli>\u003Cli>Audit SKILL.md files, installation scripts and binary packages\u003C\u002Fli>\u003Cli>Inventory ports exposed to the public internet and close interfaces that are open by default\u003C\u002Fli>\u003Cli>Connect endpoint protection and malicious-file detection tools\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Which tools on the menu are worth deploying first\u003C\u002Fh2>\u003Cp>The endpoint protection product Antiy mentions, \u003Ca href=\"https:\u002F\u002Fwww.antiy.cn\u002F\" target=\"_blank\" rel=\"noopener\">Antiy Zhijia (智甲)\u003C\u002Fa>, focuses on host protection, behavior control, removable-media control, email protection and dynamic backup. For an agent like OpenClaw that reads and writes local files and invokes the command line directly, this kind of host-side defense is more useful than a network perimeter alone.\u003C\u002Fp>\u003Cp>Also worth attention are dedicated Skills scanning tools and online analysis portals such as the \u003Ca href=\"https:\u002F\u002Fwww.virusview.net\u002F\" target=\"_blank\" rel=\"noopener\">Computer Virus Encyclopedia\u003C\u002Fa>. The former suits bulk checks of local skill packages; the latter suits submitting a suspicious file for inspection before deciding whether to let it into a production environment.\u003C\u002Fp>\u003Cp>If you are delivering to enterprises, also check these as a matter of course: the vulnerability advisories from \u003Ca href=\"https:\u002F\u002Fwww.cnvd.org.cn\u002F\" target=\"_blank\" rel=\"noopener\">CNVD\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.cnnvd.org.cn\u002F\" target=\"_blank\" rel=\"noopener\">CNNVD\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.nvdb.org.cn\u002F\" target=\"_blank\" rel=\"noopener\">NVDB\u003C\u002Fa>, OpenClaw’s official security updates, and your own asset exposure. AI agent security is not something a single patch solves; it is closer to a set of continuously operated hygiene habits.\u003C\u002Fp>\u003Cp>If you want to put this kind of agent into real business workflows, my very practical judgment is this: grade the risk first, then decide whether it can go to production. Can it reach the internet, can it access local files, can it execute commands: if the answer to any one of these three is vague, do not rush to connect it to core systems.\u003C\u002Fp>\u003Cp>Over the next six months, the security conversation around local AI agents like OpenClaw 
will most likely shift from “is the plugin poisoned?” to “who controls execution authority?” The real question is not how much it can do but how much system privilege you are willing to hand it. For enterprises, the first job is not trying new features but going over default configuration, extension sources and public exposure, all of them.\u003C\u002Fp>","OpenClaw has been found hosting 1,184 malicious skill packages, with 230,000+ instances exposed to the public internet. This article breaks down the risks, the vulnerabilities and a defense checklist.","zhuanlan.zhihu.com","https:\u002F\u002Fzhuanlan.zhihu.com\u002Fp\u002F2020523232957089121",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775057608726-3wx5.png","ai-agent","en","9dd23277-9adf-4eba-910f-cb8c7dbcb512",[17,18,19,20,21],"OpenClaw","AI Agent","supply chain security","Skills plugins","endpoint protection",16,"2026-04-01T09:54:41.350712+00:00","2026-04-01T09:54:41.236+00:00",{"tags":26,"relatedLang":31,"relatedPosts":35},[27,29],{"name":17,"slug":28},"openclaw",{"name":30,"slug":13},"AI agent",{"id":15,"slug":32,"title":33,"language":34},"openclaw-security-risks-and-defenses-zh","OpenClaw security risks and defense checklist","zh",[36,42,48,54,60,66],{"id":37,"slug":38,"title":39,"cover_image":40,"image_url":40,"created_at":41,"category":13},"6c32d3c9-f5b9-4f47-8786-b6e8efd2660a","mcps-new-primitives-make-agent-middleware-obsolete-en","MCP’s new primitives make agent middleware obsolete","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782748973197-wvm6.png","2026-06-29T16:02:25.212097+00:00",{"id":43,"slug":44,"title":45,"cover_image":46,"image_url":46,"created_at":47,"category":13},"8c46d754-431a-4c64-a11d-d1978ee1d948","mcp-servers-ai-workflows-explained-en","MCP servers turn AI tools into connected workflows","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782747182218-n3ml.png","2026-06-29T15:32:33.962535+00:00",{"id":49,"slug":50,"title":51,"cover_image":52,"image_url":52,"created_at":53,"category":13},"d6956b2a-b5fb-44f5-b316-9b6dddb3ca47","openmontage-open-source-ai-video-production-en","OpenMontage proves open-source should own AI video 
production","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782685070172-081n.png","2026-06-28T22:17:23.291322+00:00",{"id":55,"slug":56,"title":57,"cover_image":58,"image_url":58,"created_at":59,"category":13},"38c66c8f-d8b7-493b-9816-8f03cd180db9","gemini-35-flash-computer-use-safeguards-en","Gemini 3.5 Flash lets you script computer use","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782681499817-t4xj.png","2026-06-28T21:17:57.418998+00:00",{"id":61,"slug":62,"title":63,"cover_image":64,"image_url":64,"created_at":65,"category":13},"936eafb7-dbcb-42e4-9b4c-0abc46a58ca7","design-md-bridge-taste-to-ui-scaffolds-en","DESIGN.md is the missing bridge from taste to UI scaffolds","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782586070432-887m.png","2026-06-27T18:47:24.354308+00:00",{"id":67,"slug":68,"title":69,"cover_image":70,"image_url":70,"created_at":71,"category":13},"c6bb2883-2975-4050-bc36-316a5d941ab7","openclaw-agent-control-layer-matters-en","OpenClaw shows the agent control layer matters more than the model","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782561763577-p0xp.png","2026-06-27T12:02:20.58809+00:00",[73,78,83,88,93,98,103,108,113,118],{"id":74,"slug":75,"title":76,"created_at":77},"03db8de8-8dc2-4ac1-9cf7-898782efbb1f","anthropic-claude-ai-agent-task-automation-en","Anthropic's Claude AI Agent: A New Era of Task Automation","2026-03-25T16:25:06.513026+00:00",{"id":79,"slug":80,"title":81,"created_at":82},"045d1abc-190d-4594-8c95-91e2a26f0c5a","googles-2026-ai-agent-report-decoded-en","Google’s 2026 AI Agent Report, 
Decoded","2026-03-26T11:15:23.046616+00:00",{"id":84,"slug":85,"title":86,"created_at":87},"e64aba21-254b-4f93-aa21-837484bb52ec","kimi-k25-review-stronger-still-not-legend-en","Kimi K2.5 review: stronger, still not a legend","2026-03-27T07:15:55.385951+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"30dfb781-a1b2-4add-aebe-b3df40247c37","claude-code-controls-mac-desktop-en","Claude Code now controls your Mac desktop","2026-03-28T03:01:59.384091+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"254405b6-7833-4800-8e13-f5196deefbe6","cloudflare-100x-faster-ai-agent-sandbox-en","Cloudflare’s 100x Faster AI Agent Sandbox","2026-03-28T03:09:44.356437+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"04f29b7f-9b91-4306-89a7-97d725e6e1ba","openai-backs-isara-agent-swarm-bet-en","OpenAI backs Isara’s agent-swarm bet","2026-03-28T03:15:27.849766+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"3b0bf479-e4ae-4703-9666-721a7e0cdb91","openai-plan-automated-ai-researcher-en","OpenAI’s plan for an automated AI researcher","2026-03-28T03:17:42.312819+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"fe91bce0-b85d-4efa-a207-24ae9939c29f","harness-engineering-ai-agent-reliability-2026","Harness Engineering: From Bridle to Operating System, The Missing Link in AI Agent Reliability","2026-03-31T06:36:55.648751+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"7a09007d-820f-43b3-8607-8ad1bfcb94c8","mcp-explained-from-prompts-to-production-en","MCP Explained: From Prompts to Production","2026-04-01T09:24:40.089177+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"116d5ee9-a4f1-4b5a-aac5-5d035dd22bbe","amazon-bedrock-agents-multi-agent-workflows-en","Amazon Bedrock Agents Gets Multi-Agent Workflows","2026-04-01T09:30:30.197685+00:00"]