Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: exploitation is unconfirmed and requires an organization to be actively deploying LLM agents consuming OpenClaw skills, but the 5% malicious skill rate in an unverified registry creates passive exposure at scale without deliberate attacker targeting of a specific victim. Impact is high because a successful skill-based compromise executes at machine speed with agent-level trust, enabling credential theft, API exfiltration, and lateral movement across automated workflows before human detection is plausible.
Treatment rationale: The attack surface is controllable through supply-chain controls (skill allowlisting, integrity verification, sandboxed execution) without abandoning AI agent capabilities, making risk reduction feasible and preferable to acceptance or avoidance of a strategic technology investment.
Third-Party / Supply-Chain Risk
Primary exposure is the OpenClaw agent-skill registry as an untrusted third-party dependency: organizations consuming skills from this registry inherit adversary-controlled code into their production agent runtime without integrity guarantees. Per NIST SP 800-161, this is a Category 2 (external software/service) supply-chain risk — the organization has no visibility into the provenance, integrity, or modification history of ingested skills. Any enterprise using shared LLM agent platforms that pull from community or third-party skill registries faces analogous exposure even outside OpenClaw specifically.
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per incident for an organization with production AI agents handling internal APIs and credentials, reflecting credential-driven lateral movement, incident response costs, workflow disruption, and potential regulatory exposure
Frequency: Illustrative: an organization actively consuming unvetted third-party skills from an unverified registry could encounter a malicious skill installation event on the order of once per 1–3 years at current adoption rates, rising as agent deployment scales
Annualized: Illustrative ALE: $170K–$5M annually depending on agent deployment scale, skill consumption rate, and credential blast radius — insufficient basis to narrow further without organization-specific asset and workflow data
Basis: Loss magnitude anchored to: (1) credential theft enabling lateral movement into internal systems as the primary loss driver, (2) incident response and forensic investigation for a machine-speed, multi-stage compromise requiring agent runtime forensics (a low-maturity discipline), (3) potential regulatory notification costs if personal data traverses compromised workflows, and (4) workflow disruption during agent quarantine. Frequency anchored to: 5% malicious skill rate in the audited registry, modulated by the fraction of an organization's installed skills drawn from unverified third-party sources and the absence of automated integrity checks. No third-party report figures were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Credential exfiltration via malicious skill may constitute a security incident or data breach triggering cyber-insurance notice obligations — verify with broker before assuming coverage applies.
• If compromised agent workflows process or transmit personal data, exposure may implicate breach-notification obligations under applicable privacy law — verify with counsel.
• Contracts with customers or partners governing data handling in automated workflows may include security incident disclosure or audit-right clauses that could be triggered by a skill-based compromise — verify with counsel.
