[Security] Agent Runtime: Unrestricted Tool Execution Leading to Privilege Escalation

[fr33d3m0n]

Component: Extensions (TypeScript Plugins)
Category: security
Priority: Medium

Summary

The agent tool execution system has zero controls: no tool allowlist/denylist, no permission model per tool, no rate limiting on tool calls, and no parameter validation. Any message that reaches the agent can trigger any registered tool with any parameters.

Risk Assessment

Metric	Value
CVSS Score	4.5
CVSS Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE	CWE-862: Missing Authorization
STRIDE	Elevation of Privilege, Tampering
Priority	P2
Validation	Verified

Entry Points

P-002, P-300 (Trust Boundary: TB-003)

Data Flow Analysis

See detailed analysis above for attack flow description.

Call Chain

Call chain details available in the P6 validated risks YAML data.

Vulnerability Location

File	Line(s)	Issue
Agent tool registration system	-	See detailed analysis

Root Cause Analysis

Direct Cause: No tool governance framework. Tool registration is open and unconditional. The agent trusts all incoming instructions equally.
Underlying Cause: Tool execution controls (allowlists, permissions, rate limits) were never implemented.

Impact

• Affected Systems: Extensions (TypeScript Plugins)
• Affected Users: All users of the affected component
• Affected Data: Credentials, configuration, user data

Exploit POC

Omitted

Exploitation Conditions

Omitted

Exploitation Method

Omitted

Attack Chain Associations

Related issues: ECO-004, ECO-034, CSD-001

Remediation

Short-term (Immediate)

• Add authentication to all exposed endpoints
• Implement webhook signature verification
• Add rate limiting on authentication endpoints

Medium-term (Sprint)

• Deploy RBAC with least-privilege principle
• Implement multi-factor authentication
• Add constant-time token comparison

Long-term (Architecture)

• Migrate to OAuth 2.0/OIDC with PKCE
• Implement API gateway with centralized auth
• Deploy mutual TLS for service-to-service auth

[gboeer]

The solution is simple, don't ever run this agent with any data or on any system you cant allow to loose or get wiped completely.

[alberthild]

This is a real gap — we hit it in production with 9 agents and built a plugin to address it.

@vainplex/openclaw-governance (v0.5.6, 771 tests, MIT) provides runtime tool governance via the before_tool_call hook:

• Per-agent tool blocking with contextual policies (tool + agent + time + trust + frequency)
• Trust scoring (0–100) with five tiers, decay on inactivity, sub-agent ceiling
• Rate limiting per agent
• Credential redaction (3-layer, fail-closed, 17 patterns)
• Production Safeguard — blocks destructive operations for low-trust agents
• Compliance audit trail — append-only JSONL

This covers the short-term and medium-term remediations (RBAC with least-privilege, rate limiting, audit logging). The long-term architecture items (OAuth, API gateway) would need core changes.

The main limitation as a plugin: before_tool_call can deny at call time but can't remove tools from the LLM's visible tool list. For full CWE-862 remediation, tool visibility filtering would need to happen at the API layer before the model sees the tool definitions.

Running in production since Feb 18, 2026. Details: Governance Vertical Analysis

[gboeer]

This is a real gap — we hit it in production with 9 agents and built a plugin to address it.

@vainplex/openclaw-governance (v0.5.6, 771 tests, MIT) provides runtime tool governance via the before_tool_call hook:

• Per-agent tool blocking with contextual policies (tool + agent + time + trust + frequency)
• Trust scoring (0–100) with five tiers, decay on inactivity, sub-agent ceiling
• Rate limiting per agent
• Credential redaction (3-layer, fail-closed, 17 patterns)
• Production Safeguard — blocks destructive operations for low-trust agents
• Compliance audit trail — append-only JSONL

This covers the short-term and medium-term remediations (RBAC with least-privilege, rate limiting, audit logging). The long-term architecture items (OAuth, API gateway) would need core changes.

The main limitation as a plugin: before_tool_call can deny at call time but can't remove tools from the LLM's visible tool list. For full CWE-862 remediation, tool visibility filtering would need to happen at the API layer before the model sees the tool definitions.

Running in production since Feb 18, 2026. Details: Governance Vertical Analysis

Your Link to "https://github.com/alberthild/vainplex-openclaw/blob/main/docs/GOVERNANCE-VERTICAL-ANALYSIS.md" isn't working, ie the file does not exist.

[alberthild]

This is a real gap — we hit it in production with 9 agents and built a plugin to address it.
@vainplex/openclaw-governance (v0.5.6, 771 tests, MIT) provides runtime tool governance via the before_tool_call hook:

• Per-agent tool blocking with contextual policies (tool + agent + time + trust + frequency)
• Trust scoring (0–100) with five tiers, decay on inactivity, sub-agent ceiling
• Rate limiting per agent
• Credential redaction (3-layer, fail-closed, 17 patterns)
• Production Safeguard — blocks destructive operations for low-trust agents
• Compliance audit trail — append-only JSONL

This covers the short-term and medium-term remediations (RBAC with least-privilege, rate limiting, audit logging). The long-term architecture items (OAuth, API gateway) would need core changes.
The main limitation as a plugin: before_tool_call can deny at call time but can't remove tools from the LLM's visible tool list. For full CWE-862 remediation, tool visibility filtering would need to happen at the API layer before the model sees the tool definitions.
Running in production since Feb 18, 2026. Details: Governance Vertical Analysis

Your Link to "https://github.com/alberthild/vainplex-openclaw/blob/main/docs/GOVERNANCE-VERTICAL-ANALYSIS.md" isn't working, ie the file does not exist.

thanks @gboeer! Its back online!

[steipete]

Closing this as implemented after Codex review.

Current main already has hard tool-governance controls: configurable tool allow/deny policy, runtime filtering of the effective tool list before prompt assembly, and fail-closed before_tool_call hooks that can block or require approval. The issue’s core claim of 'zero controls' / unrestricted tool execution does not match the current code or shipped docs.

What I checked:

• Documented hard tool policy: tools.allow / tools.deny are documented as global hard policy with deny winning, plus provider-specific restrictions. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:2234, 3361593442e2)
• Sandbox and per-agent tool gating: Docs explicitly describe sandbox, global/per-agent tool policy, provider tool policy, and sandbox tool policy as the controls for which tools are available/callable. Public docs: docs/gateway/sandbox-vs-tool-policy-vs-elevated.md. (docs/gateway/sandbox-vs-tool-policy-vs-elevated.md:10, 3361593442e2)
• Runtime filters tool list before model exposure: The embedded runner computes filteredBundledTools, then builds effectiveTools = [...tools, ...filteredBundledTools] before allowed-tool-name collection and prompt assembly. (src/agents/pi-embedded-runner/run/attempt.ts:731, 3361593442e2)
• Policy uses trusted session metadata: applyFinalEffectiveToolPolicy rejects untrusted group context widening and applies the full profile/global/agent/provider/group/sandbox/subagent policy pipeline to bundled tools. (src/agents/pi-embedded-runner/effective-tool-policy.ts:25, 3361593442e2)
• Tool calls can be blocked or approval-gated: runBeforeToolCallHook can block tool execution, require an approval flow, or adjust params before tool.execute runs. (src/agents/pi-tools.before-tool-call.ts:202, 3361593442e2)
• Hook failures are fail-closed: The global hook runner is configured with before_tool_call: "fail-closed", so hook errors block rather than silently allowing execution. (src/plugins/hook-runner-global.ts:32, 3361593442e2)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 3361593442e2; fix evidence: commit 3361593442e2.