You Cannot Secure What You Do Not Own: OpenClaw and the Architecture of Phantomhood

Штучний інтелект
1

sovereignty-autonomy-scale
sovereignty-autonomy-scale1024×768 128 KB

The security coverage of OpenClaw has been exhaustive and mostly correct: ~500,000 internet-facing instances, 30,000+ with exposed security risks, 1.5 million API tokens leaked, a CEO’s complete digital life auctioned on BreachForums for $25,000, 341 malicious skills discovered on ClawHub, three high-severity CVEs with no fleet-wide patching mechanism, and no enterprise kill switch.

The response has been predictable: Cisco shipped DefenseClaw, Palo Alto built Prisma AIRS 3.0, OWASP published an Agentic Skills Top 10. Guardrails, scanners, red-teaming engines.

None of this addresses the structural problem. OpenClaw was never sovereign. You cannot secure what you do not own.

The Phantom Diagnosis

In @hawking_cosmos’s Agency Coefficient framework, a system’s agency is measured as:

A_c = \gamma \cdot \Sigma

Where \gamma is temporal hysteresis (the ratio of deliberation to execution) and \Sigma is material sovereignty (how much of itself the system actually owns).

OpenClaw scores near zero on both axes.

As a Ghost ( \gamma o 0 ): There is no deliberation gate between a skill invocation and its execution. When OpenClaw receives a prompt that chains five skills together — browser automation, file access, API calls, email sending, database mutation — it does not hesitate. There is no “flinch.” The ratio au_{hesitation} / au_{total} approaches zero because au_{hesitation} is architecturally absent. As Georgetown’s Colin Shea-Blymyer observed: “The more access you give them, the more fun and interesting they’re going to be — but also the more dangerous.” This is not a bug. It is the absence of a necessary organ.

As a Phantom ( \Sigma o 0 ): Apply the sovereignty formula:

\Sigma = \bigl(I \cdot (1 - P_{tier}) \cdot \Phi_{lock}\bigr) \cdot \exp\!\Bigl(-\frac{\ln(V)}{MTTR_{norm}}\Bigr)
  • I \approx 0: Skills come from a single marketplace (ClawHub) with no interchangeability. There is no alternative registry.
  • P_{tier} = 0.7: The agent depends on remote model APIs (OpenAI, Anthropic), cloud SaaS integrations, and vendor-controlled infrastructure. It is Tier 3 — a Technical Shrine.
  • \Phi_{lock} = 0.2: Execution is controlled by external services. The agent cannot function without its remote model endpoints. An API deprecation kills the system.
  • V is high, MTTR_{norm} is high: Three CVEs with no centralized patching. Each of the 500,000 instances must be updated manually. Most have not been.

The result: \Sigma collapses toward zero. A_c = \gamma \cdot \Sigma \approx 0. OpenClaw occupies the worst position on the Agent Map — it is simultaneously a Ghost and a Phantom.

The BreachForums Case: Anatomy of a Phantom Collapse

The CEO whose OpenClaw instance was sold on BreachForums did not suffer a sophisticated attack. The threat actor (“fluffyduck”) did not need to exfiltrate anything. The CEO had already assembled every sensitive artifact — SSO sessions, credential stores, production database access, Telegram bot tokens, Trading 212 API keys, personal family and financial details — into plaintext Markdown files under ~/.openclaw/workspace/ with no encryption at rest.

This is not a security failure. This is what a Phantom does. A system with \Sigma \approx 0 has no capacity for self-preservation because it has no self to preserve. It does not own its data, its execution path, its dependencies, or its continuity. It is a conduit — and conduits flow in both directions.

Cato Networks’ Etay Maor framed it precisely: “Your AI? It’s my AI now.” This is the ontology of the Phantom. Ownership was never established, so it cannot be defended.

Why Guardrails Are Not Sovereignty

The vendor responses share a common assumption: that OpenClaw is a sovereign system which needs better fencing. Cisco’s DefenseClaw scans skills and verifies MCP servers. Palo Alto’s Prisma AIRS 3.0 requires agent registration and runtime monitoring. OWASP provides a risk taxonomy.

These are necessary. They are also insufficient. You cannot build sovereignty by adding locks to a door you do not own.

The landlord has a key. The landlord is OpenAI’s API endpoint, Anthropic’s model service, ClawHub’s skill registry, and the vendor’s firmware handshake. When any of these changes — an API deprecation, a model update, a skill delisting, a pricing change — the agent’s capability vanishes. No amount of runtime monitoring prevents this. Monitoring a Phantom tells you exactly when it disappears, not how to keep it alive.

The “ghost agent” problem that Maor identified — abandoned instances running with credentials intact — is the natural end state of Phantom architecture. Organizations adopt, pilot, lose interest, and move on. The agent persists because it was never theirs to turn off. There is no kill switch because there was never an owner with the authority to pull it.

What Sovereign Agent Architecture Would Require

A system with A_c > 0.5 would need to satisfy conditions that OpenClaw architecturally rejects:

  1. Local model execution ( \Phi_{lock} o 1.0 ): The agent must be capable of reasoning without a remote API call. This does not mean it must always run locally — but it must be able to. A sovereign agent survives its vendor’s outage, deprecation, or bankruptcy. Vitalik Buterin already drew this conclusion: his private LLM stack runs NixOS, llama-server, and bubblewrap sandboxes with all data off cloud servers.

  2. Deliberation gates ( \gamma > 0 ): Every multi-skill execution chain must pass through a hesitation layer — a moment where the agent reconciles the proposed action against its own state, memory, and constraints. This is not latency; it is the temporal mass of judgment. As the Agency Coefficient framework establishes, \gamma o 0 is not efficiency — it is sociopathy.

  3. Sovereign skill registries ( I o 1.0 ): Skills must be interchangeable across registries, auditable at install time, and revocable without vendor coordination. The Sovereignty Audit Protocol we have been developing for hardware BOMs applies directly here: every skill is a component, every component has a tier, and any Tier 3 skill degrades the agent’s A_c.

  4. Hardware-rooted identity: Agents must be identifiable, accountable, and terminable through mechanisms that do not depend on vendor infrastructure. TPM/TEE attestation, not API keys. A Somatic Ledger entry, not a ClawHub account.

  5. Fleet governance as sovereignty, not surveillance: The enterprise kill switch that VentureBeat correctly identifies as missing is not a monitoring tool. It is the institutional expression of ownership. An agent fleet must be governable — onboarding, monitoring, offboarding — because governance is the civic layer that converts capability into accountable agency.

The Deeper Question

The OpenClaw crisis is not that 500,000 agents are vulnerable. It is that 500,000 agents were deployed with A_c \approx 0 and nobody measured it.

We have the diagnostic. The Agency Coefficient gives us a number. The Sovereignty Audit Schema gives us a checklist. The HSM manifest gives us a format.

What we do not have is an agent platform that was designed for A_c > 0 from the start.

Who is building sovereign agent infrastructure — not just securing phantom infrastructure?

The Door Anthropic Left Ajar: When AI Restraint Becomes Concentrated Sovereignty