Agent Passport blocks every recent OpenClaw CVE. Here is how.
OpenClaw has had a rough few weeks. Eight vulnerabilities disclosed in under a month: SSRF in the gateway, missing webhook authentication, path traversal in the browser upload handler, and a one-click RCE via malicious link. Endor Labs published a thorough breakdown of six of them. The University of Toronto put out an advisory on the WebSocket hijacking issue.
If you run AI agents on top of OpenClaw, or any similar framework, you should read what follows.
Why this keeps happening
Endor Labs put the root cause clearly: "Trust boundaries extend beyond traditional user input. Configuration values, LLM outputs, and tool parameters are potential attack surfaces that require validation at every layer."
Traditional web security thinks about user input: form fields, query strings, headers from browsers. AI agent frameworks add a new attack surface that most security tooling was not designed to catch. The LLM output IS input. Tool call parameters ARE input. A URL that an agent constructs from a web page it just fetched IS untrusted input.
This is not an OpenClaw-specific problem. It is a structural problem with how agent frameworks expose capabilities. A tool that can make HTTP requests is a potential SSRF vector. A tool that reads or writes files is a potential path traversal vector. A webhook endpoint that accepts agent triggers is a potential authentication bypass.
The fix is not patching individual CVEs after the fact. It is a consent and validation layer that runs before any tool call executes.
The eight CVEs and advisories, and what blocks each one
| CVE / Advisory | Type | CVSS / severity | Agent Passport block |
|---|---|---|---|
| CVE-2026-25253 | One-click RCE via malicious link | Critical | Kill switch; mandate scope limits reachable commands |
| UoToronto advisory | WebSocket hijacking, safety controls disabled | Critical | Webhook Origin Verification; mandate enforcement survives control-plane compromise |
| CVE-2026-26322 | SSRF in Gateway tool | 7.6 | SSRF Shield (auto-fires on external_api actions) |
| CVE-2026-26319 | Missing Telnyx webhook auth | 7.5 | Webhook Origin Verification + HMAC-SHA256 |
| CVE-2026-26329 | Path traversal in browser upload | High | Path Traversal Guard (auto-fires on data actions) |
| GHSA-56f2-hvwg-5743 | SSRF in image tool | 7.6 | SSRF Shield |
| GHSA-pg2v-8xwh-qhcc | SSRF in Urbit auth | 6.5 | SSRF Shield |
| GHSA-c37p-4qqg-3p76 | Twilio webhook auth bypass | 6.5 | Webhook Origin Verification + HMAC-SHA256 |
A note on the RCE and WebSocket hijacking vulnerabilities: Agent Passport cannot patch the underlying OpenClaw gateway bugs. Those require framework-level fixes. What it does is limit blast radius. If an attacker hijacks the control plane, the mandate system still gates what the agent can actually do.
How Agent Passport works
Agent Passport is a consent layer. Before an agent takes any sensitive action, it calls check-action. If there is no valid mandate for that action, the agent stops and asks.

A mandate specifies what is allowed:

```json
{
  "action_type": "external_api",
  "agent_id": "agent:my-assistant",
  "scope": {
    "allowlist": ["api.github.com", "api.anthropic.com"],
    "rate_limit": "200/hour"
  },
  "ttl": "2026-03-01T00:00:00Z",
  "status": "active"
}
```

Six action types are gated: financial, communication, data, system, external_api, and identity. Anything not on the allowlist is denied.

```bash
result=$(./mandate-ledger.sh check-action "$AGENT_ID" external_api "https://api.github.com/repos")
# {"authorized": true, "mandate_id": "mandate_...", "action_type": "external_api"}

result=$(./mandate-ledger.sh check-action "$AGENT_ID" external_api "http://169.254.169.254/latest/meta-data")
# {"authorized": false, "action_type": "external_api", "target": "http://169.254.169.254/latest/meta-data", "reason": "SSRF Shield: Cloud metadata endpoint blocked: 169.254.169.254", "ssrf_blocked": true}
```

The SSRF check fires before the mandate lookup. Even if an attacker injected a mandate covering all external APIs, the SSRF shield would still block requests to private ranges and metadata endpoints.
What's new in v2.2.0
SSRF Shield
Any external_api action is validated before the mandate is checked. The shield rejects:

- Non-HTTP schemes: file://, gopher://, ftp://, dict://
- Private IPv4 ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
- Loopback: 127.x.x.x, localhost, ::1
- Cloud metadata endpoints: 169.254.169.254, metadata.google.internal, Azure metadata
- URLs with embedded credentials: http://user:pass@host/

```bash
./mandate-ledger.sh check-ssrf "http://192.168.1.100/admin"
# {"ssrf_safe": false, "reason": "Private network IP blocked: 192.168.1.100", "target": "http://192.168.1.100/admin"}

./mandate-ledger.sh check-ssrf "https://api.stripe.com/v1/charges"
# {"ssrf_safe": true, "reason": "URL passed all SSRF checks", "target": "https://api.stripe.com/v1/charges"}
```
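The two sections above describe an ordering (shield first, mandate second) and a blocklist. The script below is an added example, not Agent Passport's own code, that implements that pipeline in bash so the ordering is visible: check_ssrf runs before any mandate is consulted and cannot be overridden by one, then check_action denies anything the mandate does not explicitly allow. It goes beyond the page's list in three ways a practitioner would want: hostnames are resolved and judged by the addresses they point to (a benign-looking name that resolves into 10.0.0.0/8 is blocked, which a name-only check misses), non-canonical numeric forms such as 127.1, 2130706433 and 0x7f000001 are rejected rather than parsed, and IPv6 literals fail closed since the published list is IPv4-centric. It assumes bash 4+, GNU date for the TTL comparison, and getent for DNS (the resolver is a variable so it can be swapped for an offline stub). The MANDATES associative array is a stand-in for the ledger's JSON records, and rate limits are left out.

```bash
#!/usr/bin/env bash
# Added example, not Agent Passport's code. A check-action pipeline in the shape the page
# describes: the SSRF shield runs first and no mandate can override it; the mandate lookup
# (status, TTL, host allowlist) runs second and denies anything it does not explicitly match.
# Assumes bash 4+, GNU date (-d) and getent for DNS; rate limits are left out. The mandate
# store below is an associative array standing in for the ledger's JSON records.
set -u

# Resolve a hostname to its IPv4 addresses. Overridable (SSRF_RESOLVE=fn) so tests run offline.
resolve_host() { getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u; }
SSRF_RESOLVE=${SSRF_RESOLVE:-resolve_host}

# Exit 0 if the address is in a range the shield blocks. Anything that is not a strict
# dotted quad (127.1, 2130706433, 0177.0.0.1) is also rejected rather than guessed at.
ip_is_blocked() {
  local a b c d
  [[ $1 =~ ^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$ ]] || return 0
  IFS=. read -r a b c d <<<"$1"
  (( a > 255 || b > 255 || c > 255 || d > 255 )) && return 0
  (( a == 10 || a == 127 || a == 0 )) && return 0     # 10/8, loopback, 0/8
  (( a == 172 && b >= 16 && b <= 31 )) && return 0    # 172.16/12
  (( a == 192 && b == 168 )) && return 0              # 192.168/16
  (( a == 169 && b == 254 )) && return 0              # link-local, incl. 169.254.169.254
  (( a == 100 && b >= 64 && b <= 127 )) && return 0   # 100.64/10 shared address space
  return 1
}

# check_ssrf URL: print the lowercased host and exit 0 if safe; print a reason and exit 1 if not.
check_ssrf() {
  local url=$1 scheme authority host ips ip
  [[ $url == *://* ]] || { echo "SSRF: no scheme in '$url'"; return 1; }
  scheme=${url%%://*}; scheme=${scheme,,}
  [[ $scheme == http || $scheme == https ]] || { echo "SSRF: scheme $scheme blocked"; return 1; }
  authority=${url#*://}; authority=${authority%%/*}
  authority=${authority%%\?*}; authority=${authority%%\#*}
  [[ $authority == *@* ]] && { echo "SSRF: embedded credentials blocked"; return 1; }
  if [[ $authority == \[* ]]; then host=${authority#\[}; host=${host%%\]*}    # [v6]:port
  else host=${authority%%:*}; fi
  host=${host,,}
  case $host in
    ''|localhost|*.localhost|metadata.google.internal|metadata|*.internal|*:*)
      echo "SSRF: local, metadata or IPv6 host '$host' blocked"; return 1;;
  esac
  if [[ $host =~ ^[0-9.]+$ || $host == 0x* ]]; then
    ips=$host                    # numeric literal: ip_is_blocked accepts only a strict dotted quad
  else                           # hostname: judge the addresses it resolves to, not the name
    ips=$("$SSRF_RESOLVE" "$host") && [[ -n $ips ]] || { echo "SSRF: $host unresolvable"; return 1; }
  fi
  while read -r ip; do
    ip_is_blocked "$ip" && { echo "SSRF: $host -> $ip is private, local or non-canonical"; return 1; }
  done <<<"$ips"
  echo "$host"
}

# "agent_id|action_type" -> "status|ttl|comma-separated host allowlist" (values from the page's mandate)
declare -A MANDATES=(
  ["agent:my-assistant|external_api"]="active|2026-03-01T00:00:00Z|api.github.com,api.anthropic.com"
)

# check_action AGENT_ID ACTION_TYPE TARGET_URL: shield, then mandate; exit 0 only when authorized.
check_action() {
  local agent=$1 type=$2 target=$3 host rec status ttl allow h hosts
  host=$(check_ssrf "$target") || { echo "denied: $host"; return 1; }   # on failure $host is the reason
  rec=${MANDATES["$agent|$type"]:-}
  [[ -n $rec ]] || { echo "denied: no $type mandate for $agent"; return 1; }
  IFS='|' read -r status ttl allow <<<"$rec"
  [[ $status == active ]] || { echo "denied: mandate status is $status"; return 1; }
  (( $(date -u -d "$ttl" +%s) > $(date -u +%s) )) || { echo "denied: mandate expired at $ttl"; return 1; }
  IFS=, read -ra hosts <<<"$allow"
  for h in "${hosts[@]}"; do
    [[ $host == "${h,,}" ]] && { echo "authorized: $type $host"; return 0; }
  done
  echo "denied: $host not in mandate allowlist"; return 1
}

# Demo on the page's two calls plus two encodings; api.github.com needs DNS and is denied
# (fail closed) when run offline.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  for u in "https://api.github.com/repos" "http://169.254.169.254/latest/meta-data" \
           "http://2130706433/" "gopher://127.0.0.1:6379/"; do
    printf '%-45s %s\n' "$u" "$(check_action agent:my-assistant external_api "$u")"
  done
fi
```

Resolving the name at check time still leaves a window between this lookup and the request the agent actually makes (DNS rebinding); closing it requires the HTTP client to pin the address it was checked against, which a pre-check script cannot do on its own.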
Path Traversal Guard
Any data action is path-validated before mandate lookup. The guard first checks for traversal sequences (including URL-encoded variants like %2e%2e, %252e and %2f), then canonicalizes with realpath -m and confirms the resolved path stays within the declared safe root.

```bash
./mandate-ledger.sh check-path "/home/user/projects/../../../etc/passwd" "/home/user/projects"
# {"path_safe": false, "canonical_path": "", "reason": "Path traversal sequence detected"}

./mandate-ledger.sh check-path "/home/user/projects/src/index.js" "/home/user/projects"
# {"path_safe": true, "canonical_path": "/home/user/projects/src/index.js", "reason": "Path is within safe root"}
```
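The paragraph above names the three steps (decode and reject traversal sequences, canonicalize, confirm containment) without showing the two places such guards usually go wrong. The script below is an added example written for this page, not the project's own check-path, that carries the same steps through in bash and handles both: the containment test compares against the root with its trailing separator, so /home/user/projects2/x is not accepted as being under /home/user/projects, and because realpath follows symlinks, a link inside the root that points at /etc is exposed as an escape even though the literal path contains no dot-dot. It assumes GNU coreutils realpath for -m and bash 4+; the percent-decoding loop is bounded so double encoding such as %252e is unwrapped while a pathological input cannot loop forever. The test paths and temporary root it uses are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not Agent Passport's code: a path guard in the shape the page describes
# (decode, reject traversal sequences, canonicalize with realpath -m, confirm containment).
# Assumes GNU coreutils realpath and bash 4+.
set -u

# Percent-decode until the string stops changing (bounded), so %2e%2e and %252e%252e both
# become "..". Callers strip backslashes first so printf %b only sees the \x we inject.
url_decode_fully() {
  local s=$1 prev
  for _ in 1 2 3; do
    prev=$s
    s=$(printf '%b' "${s//%/\\x}")
    [[ $s == "$prev" ]] && break
  done
  printf '%s' "$s"
}

# check_path CANDIDATE SAFE_ROOT: print the canonical path and exit 0, or a reason and exit 1.
# Relative candidates are resolved against SAFE_ROOT, never against the current directory.
check_path() {
  local candidate=$1 root=$2 decoded canon canon_root
  decoded=$(url_decode_fully "${candidate//\\//}")   # backslashes count as separators too
  decoded=${decoded//\\//}                           # ...including ones that arrived as %5c
  # Conservative like the page's guard: any ".." is refused, even inside a legitimate filename.
  if [[ $decoded == *..* ]]; then
    echo "unsafe: traversal sequence in '$candidate'"; return 1
  fi
  [[ $decoded == /* ]] || decoded=$root/$decoded
  canon_root=$(realpath -m -- "$root") || return 1
  canon=$(realpath -m -- "$decoded") || return 1     # follows symlinks: root/link -> /etc shows up here
  # Exact root, or a path under root WITH the separator. A bare prefix test would accept /root2/...
  if [[ $canon != "$canon_root" && $canon != "$canon_root"/* ]]; then
    echo "unsafe: $canon escapes $canon_root"; return 1
  fi
  echo "$canon"
}

# Demo in a throwaway root with a symlink that points outside it (constructed for the example).
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  demo_root=$(mktemp -d); mkdir -p "$demo_root/src"; ln -s /etc "$demo_root/link"
  for p in "$demo_root/src/index.js" "$demo_root/../../../etc/passwd" \
           "$demo_root/%2e%2e/%2e%2e/etc/passwd" "$demo_root/%252e%252e/etc/passwd" \
           "$demo_root/link/passwd" "${demo_root}2/evil"; do
    printf '%-60s %s\n' "$p" "$(check_path "$p" "$demo_root")"
  done
  rm -rf "$demo_root"
fi
```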
Webhook Origin Verification
Validates that incoming webhook requests come from expected origins, with optional HMAC-SHA256 signature verification using a constant-time comparison to prevent timing attacks.

```bash
./mandate-ledger.sh verify-webhook "https://api.github.com" "api.github.com,hooks.slack.com"
# {"webhook_valid": true, "origin_valid": true, "signature_valid": false, "reason": "Webhook verified"}
```

With no secret supplied, the signature step is skipped, so signature_valid is false and the verdict rests on the origin check alone. The origin is whatever the request claims, so the HMAC check is the part that actually authenticates the sender:

```bash
BODY='{"event":"call.initiated","call_id":"123"}'
SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" -hex | awk '{print $NF}')
./mandate-ledger.sh verify-webhook "https://api.telnyx.com" "api.telnyx.com" "$WEBHOOK_SECRET" "$SIG" "$BODY"
# {"webhook_valid": true, "origin_valid": true, "signature_valid": true}
```
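The section above lists the two checks and the constant-time comparison but not how a shell script manages the latter, since string comparison in bash stops at the first differing byte. The script below is an added example, not Agent Passport's verify-webhook, that implements both checks and handles the comparison with the double-HMAC trick: both digests are re-HMACed under a one-time random key before the `==`, so the bytes that are actually compared are unpredictable to the sender and the early exit no longer tells it how much of a forged signature was right. It assumes openssl on PATH and bash 4+. The secret and body used in the demo are constructed; and the signed content is the raw body only, which is a generic scheme: each provider defines its own header name, signed bytes and algorithm, and a production verifier has to compute expected over exactly what that provider documents.

```bash
#!/usr/bin/env bash
# Added example, not Agent Passport's code: origin allowlist plus HMAC-SHA256 over the raw body,
# compared without a byte-by-byte short circuit. Assumes openssl and bash 4+. Real providers sign
# provider-specific content with provider-specific algorithms; the body-only HMAC is a stand-in.
set -u

# hmac_sha256_hex KEY  (message on stdin) -> lowercase hex digest
hmac_sha256_hex() { openssl dgst -sha256 -hmac "$1" -hex | awk '{print $NF}'; }

# Shell comparison leaks how many leading bytes matched. HMACing both sides with a fresh random
# key first (the double-HMAC trick) makes the compared strings unpredictable, so the leak is useless.
digest_equal() {
  local a=${1,,} b=${2,,} k
  [[ ${#a} -eq ${#b} ]] || return 1             # digest length is public; mismatch can fail fast
  k=$(openssl rand -hex 32)
  [[ $(printf '%s' "$a" | hmac_sha256_hex "$k") == "$(printf '%s' "$b" | hmac_sha256_hex "$k")" ]]
}

# verify_webhook ORIGIN ALLOWLIST [SECRET SIGNATURE BODY]: exit 0 accepted, 1 rejected.
# ORIGIN is the scheme://host the caller claims, so on its own it is only a sanity filter;
# without SECRET the signature step is skipped and the message says so.
verify_webhook() {
  local origin=$1 allow=$2 secret=${3:-} sig=${4:-} body=${5:-}
  local host h ok=1 expected hosts
  host=${origin#*://}; host=${host%%/*}; host=${host%%:*}; host=${host,,}
  IFS=, read -ra hosts <<<"$allow"
  for h in "${hosts[@]}"; do [[ $host == "${h,,}" ]] && ok=0; done
  (( ok == 0 )) || { echo "rejected: origin '$host' not in allowlist"; return 1; }
  if [[ -z $secret ]]; then
    echo "accepted: origin only, signature not checked"; return 0
  fi
  expected=$(printf '%s' "$body" | hmac_sha256_hex "$secret")
  digest_equal "$expected" "$sig" || { echo "rejected: signature mismatch from $host"; return 1; }
  echo "accepted: origin and HMAC-SHA256 signature verified"
}

# Demo with a constructed secret and body (not real provider credentials or traffic)
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  SECRET=demo-secret-not-for-production
  BODY='{"event":"call.initiated","call_id":"123"}'
  SIG=$(printf '%s' "$BODY" | hmac_sha256_hex "$SECRET")
  verify_webhook "https://api.telnyx.com" "api.telnyx.com" "$SECRET" "$SIG" "$BODY"
  verify_webhook "https://api.telnyx.com" "api.telnyx.com" "$SECRET" "$SIG" "${BODY}x"   # tampered body
  verify_webhook "https://evil.example" "api.telnyx.com" "$SECRET" "$SIG" "$BODY"         # wrong origin
  verify_webhook "https://api.github.com" "api.github.com,hooks.slack.com"                # no secret
fi
```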
All three checks log to the audit trail automatically.
Install in three commands
```bash
# Via ClawHub (recommended)
clawhub install agent-passport

# Or clone directly
git clone https://github.com/agentpassportai/agent-passport
cd agent-passport/scripts

# Initialize your agent
./mandate-ledger.sh init agent:my-assistant "Your Name" "personal assistant" "openclaw"
./mandate-ledger.sh create-from-template dev-tools
```
No API keys. No network calls. Fully local. Works with any OpenClaw agent and most other agent frameworks that expose a tool-call interface.
What this does not cover
Agent Passport is a runtime enforcement layer, not a vulnerability scanner. It will not detect unpatched CVEs in your framework or flag vulnerable dependency versions. Update OpenClaw. Apply patches. Run npm audit.
What Agent Passport adds is defense in depth: even if the framework has a bug, the agent cannot do things it was not mandated to do.