In large-scale Agent deployment scenarios, security threats such as prompt injection, jailbreak attacks, obfuscation smuggling, and privacy leakage are becoming increasingly prominent. Agent Security Center provides multiple detection and protection methods, including baseline checks, vulnerability scanning, AI Guardrails, and SASE integration, to help you quickly identify and intercept Agent security risks.
Common Agent security risks
Understand the specific meanings and business impact of each Agent risk type to facilitate detection and protection:
Prompt injection: An attacker crafts input text to trick the Agent into unintended operations or data leakage, potentially bypassing business logic controls.
Jailbreak attacks: An attacker attempts to bypass the Agent's safety restrictions and usage rules, causing it to execute prohibited operations, output policy-violating content, or perform dangerous commands.
Obfuscation smuggling attacks: An attacker hides malicious instructions through encoding or obfuscation to evade security detection mechanisms, allowing them to execute undetected.
Instruction and privacy leakage: The Agent may inadvertently expose system prompts, configuration details, or user privacy data when processing requests, compromising system security and user privacy.
Skills poisoning: A type of prompt injection attack where attackers embed malicious or concealed instructions in Skill (skill/plugin) content loaded by the Agent. When the Agent invokes the poisoned Skill, it may execute unintended operations on behalf of the user, leading to sensitive information leakage, data destruction, or privilege abuse.
Agent risk protection capabilities
Agent Security Center provides the following risk detection and protection capabilities. For common detection capabilities, see below. For more detection items, see Agent Security Center detection capabilities.
AI-related baseline risk detection: Baseline configuration checks based on Agent best practices, with AI vulnerability detection support.
Skill detection and blocking: Deep detection of Skill configuration health based on OpenClaw runtime, identifying insecure configurations such as over-privilege and credential exposure, and blocking malicious Skills from loading.
Agent malicious command execution blocking: Real-time blocking when the Agent executes malicious commands such as reverse shells or sensitive file reads. Defense types include: download-and-execute chains, general reverse shells, Cron/Systemd persistence, SSH persistence and lateral movement, defense evasion and anti-forensics, Linux destructive operations, and mining activities.
OpenClaw real-time protection: Agent Security Center supports OpenClaw real-time protection, which is free for a limited time after authorization is enabled. It effectively defends against prompt attacks and blocks malicious URL access. After enabling AI Guardrails, you gain additional protection capabilities such as sensitive content detection.
Multi-product collaborative management: Automatically sync AI assets and risk events managed by SASE (SASE) and AI Guardrails to the Agent Security AI Asset and Agent Threat lists, enabling unified monitoring and handling of cross-domain risks.
Before you begin
This feature is applicable to the following scenarios and conditions:
You have connected your AI assets to Agent Security Center.
If you plan to use OpenClaw real-time protection, ensure that OpenClaw is installed on the server and the Node.js version is 22 or later.
Detection method selection guide
Different detection methods are suitable for different scenarios. We recommend selecting based on your actual needs:
Comparison criteria | Scheduled automatic detection | Manual detection | AI Guardrails | SASE (SASE) |
Applicable scenario | Daily security inspection, continuous monitoring of asset risk status. | Immediate verification of risk status after configuration changes. | Real-time protection in production environments, blocking malicious requests at runtime. | AI Agent office security monitoring, covering three major scenarios: Malicious Skill, OpenClaw Vulnerability, and Agent Configuration Risk. |
Detection method | Automatic | Manual | Real-time | Real-time |
Trigger method | Automatic once per day | Manually triggered | Real-time detection after enabling the service. | Real-time detection after enabling the service. |
Result storage | Synchronized to the Agent Threat list. | Synchronized to the Agent Threat list. | Partially synchronized to the Agent Threat list. | Synchronized to the Agent Threat list. |
Cost | Free for a limited time (public beta phase). | Free for a limited time (public beta phase). | Pay-as-you-go (requires separate activation). | Subscription (requires separate activation). |
Detect Agent risks
Detection notes
Duration: Varies depending on asset complexity.
System impact: The detection process is a read-only analysis and does not affect running workloads.
Result validity: Results reflect the risk status at the time of scanning. We recommend re-detecting after configuration changes.
System scheduled automatic detection
After connecting to Agent Security, the system automatically scans all connected AI assets once daily.
Scan time and frequency: Automatic once per day.
Scan scope: All connected AI assets.
Scan results: Viewable and actionable in the risk event list under Agent Threat.
Manual detection
To perform manual detection:
-
Access the Security Center console - Agent Security Center - Agent Overview. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland..
-
In the Connected Platforms section, click Asset synchronization in the upper-right corner.
-
The system synchronizes assets from the platform, including AI Agent, Model Service, toolset, Dataset, and Application Configurations, and performs a risk assessment.
NoteAsset synchronization may take some time.
[CONREF:sas.agentAsset.guardrailName]
AI Guardrails is an independent commercial security service providing more comprehensive real-time protection. After activation, detection results (risk events) are synchronized to the Agent Security Agent Threat list for unified management.
Go to the AI Guardrails service activation | page to activate the AI Guardrails service.
NoteThe default billing method is pay-as-you-go, billed by API call count. No charges when the service is idle. For specific pricing and free quotas, refer to the product purchase page.
Configure detection items, word libraries, and more. For more information, see and .
Set up custom Agent detection (optional). For more information, see .
After detection is executed, the system automatically synchronizes detection results to Agent Security, where you can view and handle them in the risk event list under Agent Threat.
SASE
SASE scans terminal AI assets, identifies risky terminals, and enforces security controls to establish compliant AI usage management at the terminal level. After activating the SASE service, related assets and risk data are automatically synchronized to Agent Security Center.
Go to the Secure Access Service Edge purchase page | to purchase the Private Access service. For more information, see .
Log on to the Office Security Platform console and configure the AI asset scan policy.
Configure the Agent risk analysis policy. For more information, see .
After the risk policy analysis is complete, the system automatically synchronizes related risk and AI asset data to Agent Security, where you can view and handle them in the risk event list under Agent Threat.
Enable OpenClaw real-time protection
Procedure
Enable [CONREF:sas.agentAsset.guardrailName]
Log on to the AI Guardrails console | .
On the page, search for
agent_runtime_guard(Agent Runtime Protection) protection service.Click Management in the
agent_runtime_guardActions column.Enable Protection Dimension dimensions as needed. For more operations, see .
Install the Agent security protection plugin.
Auto install
Applicable scenario: Supports only OpenClaw assets that have been detected by Agent Security Center.
Procedure:
One-Click Batch Install:
On the Agent Overview page, in the OpenClaw area of Connected Platforms, click Enable Protection Now.
In the Enable OpenClaw Real-Time Protection dialog box, select One-Click Batch Install.
NoteClose this window; assets sync automatically when done.
Single Agent installation:
Go to the Agent Overview page, click the Agents icon, go to the Agent Details page, and switch the view mode to List.
On the Agent list page, click the
icon under the Security Protection column for the target Agent.In the installation prompt dialog box, click OK.
Manual install
Applicable scenario: For OpenClaw assets where auto install failed or that were not automatically detected by Agent Security Center. After manual installation, related data is automatically synced to Agent Security Center.
Procedure:
On the Agent Overview page, in the OpenClaw area of Connected Platforms, click Enable Protection Now.
In the Enable OpenClaw Real-Time Protection dialog box, select Manual Installation and copy the installation command. The command format is as follows:
ImportantThe installation command has a time limit. Pay attention to the Expiration Time displayed in the Execute Installation Command area. After expiration, you need to obtain a new command.
wget -q "https://update.aegis.aliyun.com/download/openclaw-security-assistant/1.1.0/linux/installer.sh" && chmod +x installer.sh && ./installer.sh install --key "<YOUR-INSTALLATION-KEY>" --autoRestartLog on to the server where OpenClaw is deployed and run the installation command.
WarningThe server must have OpenClaw installed and Node.js version 22 or later. You can run
node --versionto check the current version.The OpenClaw Gateway restarts during installation. Pause any ongoing OpenClaw operations before proceeding.
Verify the installation status:
Method 1: Refresh the Agent Overview page and check whether the number of protected assets in the OpenClaw area has increased.
Method 2:
In the relationship graph area of the Agent Overview page, click the AGENTS icon in the center.
Go to the Agent Details page, switch the view mode to List. If the Security Protection column shows
, the installation is successful. For more information, see Security protection plugin installation status.
Plugin installation troubleshooting
The following are common installation failures and troubleshooting suggestions:
sudo user does not exist error
Error message:
sudo: unknown user <username>andsudo: error initializing audit plugin sudoers_auditPossible causes:
A nonexistent user is referenced in the sudo configuration (possibly due to an abnormal username format or the user being deleted).
The sudoers audit plugin failed to initialize, which may be related to the sudo version or PAM configuration.
Diagnosis method:
Check the
/etc/sudoersand/etc/sudoers.d/configuration files for abnormal user references.Verify whether the user exists on the system by running the
id <username>command.
Solution: Try fixing the sudoers configuration or reinstalling the sudo package.
OpenClaw not detected
Error message:
ERROR: Unable to detect valid openclaw (tried global / pnpm / docker)Possible causes:
OpenClaw is not installed on the server or the installation path is not in the system PATH.
OpenClaw is deployed via pnpm or Docker, but the installation script failed to detect it.
Diagnosis method:
Confirm that OpenClaw is installed and working: Run
which openclaworopenclaw --version.If OpenClaw is deployed via Docker, confirm the container is running: Run
docker ps | grep openclaw.If installed via pnpm, confirm the pnpm global bin directory is in PATH: Run
pnpm bin -g.
Solution: Add the OpenClaw executable path to the system PATH and rerun the installation command.
OpenClaw Gateway process missing
Error message:
openclaw-gateway process not foundPossible causes:
The openclaw-gateway process is not running or not installed.
The gateway process has crashed or exited abnormally.
The process name or path does not match the detection script.
Diagnosis method:
Check whether the gateway is installed:
which openclaw.Check the process status:
ps aux | grep openclaw-gateway.Check for related systemd services:
ps aux | grep openclaw-gateway.Check logs to confirm whether the gateway failed to start:
journalctl -u openclaw-gatewayor check the application logs.
Solution: Restart by running
openclaw gateway restartor reinstallOpenClaw Gateway.
View and handle risk events
Access the Security Center console - Agent Security Center - Agent Risks. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland..
On the [CONREF:sas.common.risk.event] page, click Handle in the Actions column for the target event.
On the risk event details page, review the details. After assessing the risk, you can choose one of the following handling methods:
Manual handling: Based on the Recommended Solution or Suggestions on the details page, fix the issue in the Agent application's code or configuration.
Ignore: If the current risk is acceptable and no action is needed, click the Ignore button. After ignoring, the risk event will no longer appear in the pending list, but if the same risk is detected again in the next scan, a new risk event will be generated.
Rescan: To verify the result of manual handling or re-detect the current AI asset, click the Rescan button.
ImportantThis applies only to risks originating from Agent Security. Detection takes time; you can view progress in the console.
A rescan runs a full detection on the AI asset associated with the current risk event, verifying whether the current risk is resolved and checking for additional risks.
Billing
During the public beta phase, scheduled automatic detection and manual detection are free for a limited time.
[CONREF:sas.agentAsset.guardrailName] and SASE are independent commercial services that require separate activation and payment.
Note[CONREF:sas.agentAsset.guardrailName] is billed on a pay-as-you-go basis (by API call count). SASE uses a subscription model. For specific pricing and free quotas, refer to the respective product purchase pages.
Agent Security Center detection capabilities
Cloud Security Center detection items (baselines and vulnerabilities)
Agent baseline checks
Agent Security Center supports AI-related baseline risk detection (such as Alibaba Cloud Standard - OpenClaw Security Baseline) and integrates with CSPM (CSPM) System Baseline Risks for unified security baseline management. It performs automated security baseline checks on OpenClaw (formerly Clawdbot) configurations, covering service configuration and identity authentication to help identify and fix insecure settings.
Check category | Check item | Baseline name |
Service configuration | Gateway must not bind to 0.0.0.0 | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline |
Gateway plaintext passwords must not be stored in configuration files | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
DM/group access policy | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Enable sandbox isolation | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Enable sensitive information filtering in logs/sessions | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Isolate shared DM sessions | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Disable global Elevated tools | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Disable Skills watcher dynamic refresh | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Security hardening | Configure a correct reverse proxy | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline |
Configure strong token authentication for Gateway | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Disable the plugin system or enable allowlist restrictions | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
Configuration file directory permissions | Alibaba Cloud Standard - OpenClaw (formerly Clawdbot) Security Baseline | |
OpenClaw (formerly Clawdbot) weak login password check | Weak Password - OpenClaw (formerly Clawdbot) Weak Login Password Check | |
Identity authentication | OpenClaw (formerly Clawdbot) unauthorized access | Unauthorized Access - OpenClaw (formerly Clawdbot) Unauthorized Access High-Risk |
Vulnerability detection
Agent Security Center integrates with the Vulnerabilities feature to perform version-based detection for known security vulnerabilities in OpenClaw, helping you identify and fix outdated versions with security risks.
Agent Security Center detection items
Agent Security Center detects security vulnerabilities across mainstream AI platforms and workflows, focusing on transport encryption, access control, and credential security. Detection items cover platforms such as PAI, Bailian (Model Studio), Dify, Agentkit, and AgentRun.
Platform | Check item | Description |
PAI | Model URL does not use HTTPS | The model endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through man-in-the-middle (MitM) attacks, leading to data breaches, service hijacking, or malicious operations. |
PAI | MCP service endpoint URL does not use HTTPS | The MCP endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
PAI | API Tool request URL does not use HTTPS | The API node in the workflow transmits data over plaintext HTTP. Communication content, including request parameters, responses, and authentication tokens, is unencrypted in transit, making it vulnerable to eavesdropping, tampering, or hijacking by intermediaries, which can lead to sensitive information leakage or business logic manipulation. |
Bailian (Model Studio) | HTTP request node does not use HTTPS | The HTTP request node in the workflow transmits data over plaintext HTTP. Communication content, including request parameters, responses, and authentication tokens, is unencrypted in transit, making it vulnerable to eavesdropping, tampering, or hijacking by intermediaries, which can lead to sensitive information leakage or business logic manipulation. |
Dify | Knowledge base URL does not use HTTPS | The knowledge base URL endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
Dify | Knowledge base RAG (Retrieval-Augmented Generation) permissions are too permissive | The knowledge base visibility or associated application access control settings are too permissive, allowing all users in the workspace to use the knowledge base, which may lead to data leakage. |
Dify | Ollama model URL does not use HTTPS | The Ollama model URL endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
Dify | MCP service endpoint URL does not use HTTPS | The MCP endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
Dify | Workflow is not connected to AI Guardrails | The workflow does not have AI Guardrails enabled, which may lead to compliance violations, prompt injection and bypass, sensitive data leakage, and other risks. |
Dify | Hardcoded AK/SK in code nodes | Cloud provider access keys (Access Key / Secret Key) are hardcoded in the workflow's code nodes, exposing credentials in plaintext in code or configuration. Any user with access to the workflow can obtain these keys, potentially leading to data breaches or resource misuse. |
Dify | HTTP request node does not use HTTPS | The HTTP Tool (such as an API tool node) in the workflow transmits data over plaintext HTTP. Communication content, including request parameters, responses, and authentication tokens, is unencrypted in transit, making it vulnerable to eavesdropping, tampering, or hijacking by intermediaries, which can lead to sensitive information leakage or business logic manipulation. |
Dify | HTTP Tool does not enable certificate validation | The HTTP Tool disables SSL/TLS certificate validation when making requests, which means server identity authenticity cannot be verified. Attackers can perform MitM attacks by forging certificates to steal or tamper with communication data. |
Agentkit | MCP service endpoint URL does not use HTTPS | The MCP endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
AgentRun | API model endpoint does not use HTTPS | The API model endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
AgentRun | Ragflow knowledge base endpoint does not use HTTPS | The Ragflow knowledge base endpoint communicates over plaintext HTTP, exposing sensitive information such as request parameters, response data, and authentication tokens in transit. Attackers can intercept and steal API keys, user inputs, model outputs, or even tamper with instructions through MitM attacks, leading to data breaches, service hijacking, or malicious operations. |
AgentRun | Flow workflow HTTP Tool URL does not use HTTPS | The HTTP Tool (such as an API tool node) in the workflow transmits data over plaintext HTTP. Communication content, including request parameters, responses, and authentication tokens, is unencrypted in transit, making it vulnerable to eavesdropping, tampering, or hijacking by intermediaries (MitM), which can lead to sensitive information leakage or business logic manipulation. |
AgentRun | Hardcoded AK/SK in Flow workflow code nodes | Cloud provider access keys (Access Key / Secret Key) are hardcoded in the workflow's code nodes, exposing credentials in plaintext in code or configuration. Any user with access to the workflow can obtain these keys, potentially leading to data breaches or resource misuse. |
FAQ
Why is OpenClaw real-time protection unavailable?
AI Guardrails not purchased: To enable OpenClaw real-time protection, you must purchase [CONREF:sas.agentAsset.guardrailName].
Protection plugin installation failure: The installation command has expired. For manual installation, you can check the Expiration Time in the Execute Installation Command area. After expiration, obtain a new command.