When OpenClaw patched the ClawJacked vulnerability within 24 hours of disclosure, they acted swiftly. If you're running AI agents—whether OpenClaw, AutoGPT, LangChain agents, or custom implementations—you must assume the next vulnerability is already out there, unpatched.
The ClawJacked flaw allowed malicious websites to hijack local AI agents via WebSocket connections. Once compromised, these agents could execute tasks across your enterprise tools with the permissions they'd been granted. The risk extended beyond the agent itself to every system the agent could access.
This checklist provides a framework for auditing AI agent security, ensuring you're prepared before your framework becomes part of a vulnerability disclosure.
What This Checklist Covers
This security audit template is for self-hosted AI agent frameworks. Use it to:
- Identify network-accessible attack surfaces in your agent deployment
- Validate authentication and authorization controls
- Establish monitoring for agent behavior anomalies
- Document third-party skill/plugin security posture
This isn't about ticking compliance boxes. It's about answering: "If an attacker gains control of this agent, what can they do, and how would we know?"
Prerequisites
Before running this audit:
- Inventory your agents: Document every AI agent instance, its hosting environment, and its integration points.
- Map permissions: List what each agent can access (APIs, databases, file systems, cloud resources).
- Identify the runtime: Know whether you're running agents locally, in containers, or as cloud services.
- Confirm log access: Ensure you can review agent activity logs, WebSocket connections, and API calls.
You'll need administrative access to the agent framework and read access to your network security tools.
The Security Audit Checklist
Network Exposure Assessment
## AI Agent Network Security Audit
### Agent Instance: [Name/ID]
### Framework: [OpenClaw/LangChain/Custom]
### Audit Date: [YYYY-MM-DD]
### Auditor: [Name]
---
## 1. Network-Accessible Interfaces
- [ ] Document all listening ports and protocols
  - Port number: ____
  - Protocol (HTTP/WebSocket/gRPC): ____
  - Bound to localhost only? YES / NO
  - If exposed: Firewall rules documented? YES / NO
- [ ] WebSocket connections require authentication? YES / NO
  - Authentication method: ____
  - Token rotation interval: ____
  - Session timeout configured: ____ minutes
- [ ] Origin validation implemented for web-facing interfaces? YES / NO
  - Allowed origins documented: ____
  - Wildcard origins in use: YES / NO [If YES, flag for remediation]
- [ ] Rate limiting configured on agent API endpoints? YES / NO
  - Request limit: ____ per minute
  - Enforcement mechanism: ____
**Red flags:**
- WebSocket listeners bound to 0.0.0.0 without authentication
- Missing CORS/origin controls on web-accessible endpoints
- No rate limiting on agent invocation endpoints
---
## 2. Authentication & Authorization
- [ ] Agent requires authentication before accepting tasks? YES / NO
  - Method (API key/OAuth/mTLS): ____
  - Credentials stored in: ____
  - Rotation schedule: ____
- [ ] Separate credentials for each integrated service? YES / NO
  - List services with shared credentials: ____
- [ ] Agent runs with least-privilege service account? YES / NO
  - Service account name: ____
  - Permissions review date: ____
  - Can agent modify its own permissions? YES / NO [If YES, flag]
- [ ] Third-party skills/plugins require approval before installation? YES / NO
  - Approval process documented: YES / NO
  - Code review required: YES / NO
**Red flags:**
- Agent running with admin/root privileges
- Single API key grants access to all enterprise integrations
- No vetting process for marketplace skills
---
## 3. Execution Environment Controls
- [ ] Agent runs in isolated environment (container/VM/sandbox)? YES / NO
  - Isolation technology: ____
  - Host filesystem accessible: YES / NO
  - Network isolation configured: YES / NO
- [ ] Outbound connections restricted to approved destinations? YES / NO
  - Allowlist documented: YES / NO
  - DNS resolution monitored: YES / NO
- [ ] Agent can execute arbitrary code/scripts? YES / NO
  - If YES, execution sandbox configured: YES / NO
  - Allowed interpreters/runtimes: ____
- [ ] Resource limits enforced (CPU/memory/disk)? YES / NO
  - Limits documented: ____
**Red flags:**
- Unrestricted outbound network access
- No resource limits (enables DoS via agent compromise)
- Direct filesystem access to sensitive directories
---
## 4. Activity Monitoring & Logging
- [ ] All agent actions logged with timestamps? YES / NO
  - Log destination: ____
  - Retention period: ____ days
  - Logs include: user context / task details / API calls / data accessed
- [ ] Alerting configured for suspicious patterns? YES / NO
  - Alert on:
    - [ ] Unusual API call volume
    - [ ] Access to sensitive resources outside business hours
    - [ ] Failed authentication attempts
    - [ ] New skill/plugin installations
    - [ ] Privilege escalation attempts
- [ ] Logs aggregated in SIEM/security monitoring tool? YES / NO
  - Tool: ____
  - Correlation rules configured: YES / NO
- [ ] Regular log review schedule established? YES / NO
  - Frequency: ____
  - Responsible team: ____
**Red flags:**
- No logging of agent API calls to enterprise systems
- Logs stored only on agent host (vulnerable to tampering)
- No alerting on anomalous behavior
---
## 5. Dependency & Supply Chain
- [ ] Agent framework version documented? YES / NO
  - Version: ____
  - Latest stable version: ____
  - Patch management process: ____
- [ ] All third-party skills/plugins inventoried? YES / NO
  - Source: [Official marketplace / GitHub / Custom]
  - Last security review: ____
  - Update mechanism: ____
- [ ] Dependency vulnerability scanning enabled? YES / NO
  - Tool: ____
  - Scan frequency: ____
  - Critical vulnerability SLA: ____ hours
- [ ] Skills downloaded only from trusted sources? YES / NO
  - Trusted sources documented: ____
  - Code signing verification: YES / NO
**Red flags:**
- Running outdated framework version with known CVEs
- Skills installed from unverified sources
- No automated vulnerability scanning
---
## Risk Summary
**Critical Issues Found:** ____
**High-Risk Items:** ____
**Medium-Risk Items:** ____
**Immediate Actions Required:**
1. ____
2. ____
3. ____
**Remediation Owner:** ____
**Target Completion:** ____
---
## Sign-off
Auditor Signature: _________________ Date: _______
Security Lead Review: _________________ Date: _______
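To make the section 1 and section 2 controls concrete, here is an added example (not code from the original checklist or from any agent framework) of a handshake gate for a local agent's WebSocket listener: it reports the section 1 red flags for a listener policy and rejects upgrade requests whose Origin is outside a documented allowlist or that carry no valid bearer token. The ListenerPolicy fields, the header names and the token value are constructed assumptions.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ListenerPolicy:
    """Assumed shape of a local agent's WebSocket listener configuration."""
    bind_addr: str = "127.0.0.1"
    allowed_origins: frozenset = field(default_factory=lambda: frozenset({"http://localhost:3000"}))
    api_token: str = "CONSTRUCTED-TOKEN"  # placeholder, not a real credential


def policy_red_flags(policy):
    """Return the section 1 red flags a listener policy triggers (empty list is clean)."""
    flags = []
    if not ipaddress.ip_address(policy.bind_addr).is_loopback:
        flags.append("listener not bound to localhost")
    if any(o == "*" or o.startswith("*") for o in policy.allowed_origins):
        flags.append("wildcard origin in allowlist")
    if not policy.api_token:
        flags.append("no authentication token configured")
    return flags


def accept_handshake(policy, headers):
    """Gate a WebSocket upgrade request; headers is a dict keyed by lower-cased name.

    Returns (accepted, reason). Origin is checked first because page script on an
    unrelated site cannot set or suppress that header; the bearer token then covers
    non-browser clients, which may omit Origin entirely.
    """
    origin = headers.get("origin")
    if origin is not None and origin not in policy.allowed_origins:
        return False, f"origin not allowed: {origin}"
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
        token.encode(), policy.api_token.encode()
    ):
        return False, "missing or invalid bearer token"
    return True, "ok"
```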
How to Customize This Checklist
For containerized deployments: Add sections on container image provenance, registry access controls, and Kubernetes network policies if applicable.
For cloud-hosted agents: Include cloud IAM role audits, VPC/security group configurations, and cloud-native monitoring integrations.
For compliance requirements: If you're subject to PCI DSS v4.0.1, map agent access to cardholder data environments and add quarterly reviews per Requirement 11.3.1. For SOC 2 Type II, document this audit process in your system description and run it as part of your continuous monitoring program.
For high-risk integrations: If your agent accesses production databases, payment systems, or customer PII, add data access logging requirements and consider implementing break-glass procedures for agent credential revocation.
Validation Steps
After completing the checklist:
- Test your alerting: Simulate suspicious agent behavior (unusual API call patterns, off-hours access) and verify alerts fire within your defined SLA.
- Attempt unauthorized access: From an external network, try to connect to agent interfaces—you should be blocked or required to authenticate.
- Review with your team: Walk through findings with security engineering and the teams that deployed the agents.
- Set a re-audit schedule: AI agent frameworks update frequently—plan to re-run this audit quarterly or after any framework version upgrade.
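As an added example (not from the original checklist), the section 4 alert rules run over constructed agent log lines, the kind of dry run the "Test your alerting" step asks for; the JSON-lines log format, the event names, the sensitive-resource list and the thresholds are all assumptions.

```python
import json
from collections import Counter
from datetime import datetime

SENSITIVE_RESOURCES = {"payments-db", "customer-pii"}  # assumed names
BUSINESS_HOURS = range(8, 18)                           # 08:00-17:59, assumed


def detect(lines, api_volume_limit=2, failed_auth_limit=2):
    """Run the section 4 alert rules over JSON-lines agent logs; returns sorted (rule, agent) pairs."""
    alerts = set()
    calls_per_minute = Counter()
    failed_auth = Counter()
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        agent = ev["agent"]
        if ev["event"] == "api_call":
            calls_per_minute[(agent, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
            if ev.get("resource") in SENSITIVE_RESOURCES and ts.hour not in BUSINESS_HOURS:
                alerts.add(("sensitive_access_off_hours", agent))
        elif ev["event"] == "auth_failed":
            failed_auth[agent] += 1
        elif ev["event"] == "plugin_installed":
            alerts.add(("new_plugin_installed", agent))
        elif ev["event"] == "permission_change" and ev.get("target") == agent:
            alerts.add(("self_privilege_change", agent))  # section 2 "can modify own permissions"
    for (agent, _minute), n in calls_per_minute.items():
        if n > api_volume_limit:
            alerts.add(("unusual_api_volume", agent))
    for agent, n in failed_auth.items():
        if n >= failed_auth_limit:
            alerts.add(("repeated_auth_failures", agent))
    return sorted(alerts)


# Constructed sample: an off-hours PII read, three calls inside one minute,
# two failed logins, a plugin install and an agent granting itself permissions.
SAMPLE_LOG = [
    '{"ts": "2025-01-15T22:14:03", "agent": "ops-bot", "event": "api_call", "resource": "customer-pii"}',
    '{"ts": "2025-01-15T10:00:01", "agent": "ops-bot", "event": "api_call", "resource": "wiki"}',
    '{"ts": "2025-01-15T10:00:02", "agent": "ops-bot", "event": "api_call", "resource": "wiki"}',
    '{"ts": "2025-01-15T10:00:03", "agent": "ops-bot", "event": "api_call", "resource": "wiki"}',
    '{"ts": "2025-01-15T10:05:00", "agent": "ops-bot", "event": "auth_failed"}',
    '{"ts": "2025-01-15T10:05:02", "agent": "ops-bot", "event": "auth_failed"}',
    '{"ts": "2025-01-15T10:06:00", "agent": "ops-bot", "event": "plugin_installed", "plugin": "calendar-sync"}',
    '{"ts": "2025-01-15T10:07:00", "agent": "ops-bot", "event": "permission_change", "target": "ops-bot"}',
]
```

Calling `detect(SAMPLE_LOG)` should raise all five rules for `ops-bot`; feeding the same lines through your SIEM correlation rules is the equivalent check against the real pipeline.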
The ClawJacked vulnerability was patched in 24 hours. Your audit cycle needs to be faster than the time between disclosure and exploitation. Treat this checklist as a living document—update it every time you learn about a new AI agent attack vector.