RemoteClaw Threat Model v1.0
MITRE ATLAS Framework
Version: 1.0-draft
Last Updated: 2026-02-04
Methodology: MITRE ATLAS + Data Flow Diagrams
Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems)
Framework Attribution
This threat model is built on MITRE ATLAS , the industry-standard framework for documenting adversarial threats to AI/ML systems. ATLAS is maintained by MITRE in collaboration with the AI security community.
Key ATLAS Resources:
Contributing to This Threat Model
This is a living document maintained by the RemoteClaw community. See CONTRIBUTING-THREAT-MODEL.md for guidelines on contributing:
Reporting new threats
Updating existing threats
Proposing attack chains
Suggesting mitigations
1. Introduction
1.1 Purpose
This threat model documents adversarial threats to the RemoteClaw AI agent platform, using the MITRE ATLAS framework designed specifically for AI/ML systems.
1.2 Scope
Component Included Notes RemoteClaw Agent Runtime Yes Core agent execution, tool calls, sessions Gateway Yes Authentication, routing, channel integration Channel Integrations Yes WhatsApp, Telegram, Discord, Signal, Slack, etc. MCP Servers Yes External tool providers User Devices Partial Mobile apps, desktop clients
1.3 Out of Scope
Nothing is explicitly out of scope for this threat model.
2. System Architecture
2.1 Trust Boundaries
┌─────────────────────────────────────────────────────────────────┐
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ WhatsApp │ │ Telegram │ │ Discord │ ... │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
└─────────┼────────────────┼────────────────┼──────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ TRUST BOUNDARY 1: Channel Access │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ • Device Pairing (30s grace period) │ │
│ │ • AllowFrom / AllowList validation │ │
│ │ • Token/Password/Tailscale auth │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ TRUST BOUNDARY 2: Session Isolation │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ • Session key = agent:channel:peer │ │
│ │ • Tool policies per agent │ │
│ │ • Transcript logging │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ TRUST BOUNDARY 3: Tool Execution │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ • Host execution with exec-approvals │ │
│ │ • Node remote execution │ │
│ │ • SSRF protection (DNS pinning + IP blocking) │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ TRUST BOUNDARY 4: External Content │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ FETCHED URLs / EMAILS / WEBHOOKS │ │
│ │ • External content wrapping (XML tags) │ │
│ │ • Security notice injection │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ TRUST BOUNDARY 5: Supply Chain │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ • Local skill directories │ │
│ │ • Workspace skills precedence │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
2.2 Data Flows
Flow Source Destination Data Protection F1 Channel Gateway User messages TLS, AllowFrom F2 Gateway Agent Routed messages Session isolation F3 Agent Tools Tool invocations Policy enforcement F4 Agent External web_fetch requests SSRF blocking F5 Skills Agent Skill code Local file access F6 Agent Channel Responses Output filtering
3. Threat Analysis by ATLAS Tactic
3.1 Reconnaissance (AML.TA0002)
T-RECON-001: Agent Endpoint Discovery
Attribute Value ATLAS ID AML.T0006 - Active Scanning Description Attacker scans for exposed RemoteClaw gateway endpoints Attack Vector Network scanning, shodan queries, DNS enumeration Affected Components Gateway, exposed API endpoints Current Mitigations Tailscale auth option, bind to loopback by default Residual Risk Medium - Public gateways discoverable Recommendations Document secure deployment, add rate limiting on discovery endpoints
T-RECON-002: Channel Integration Probing
Attribute Value ATLAS ID AML.T0006 - Active Scanning Description Attacker probes messaging channels to identify AI-managed accounts Attack Vector Sending test messages, observing response patterns Affected Components All channel integrations Current Mitigations None specific Residual Risk Low - Limited value from discovery alone Recommendations Consider response timing randomization
3.2 Initial Access (AML.TA0004)
T-ACCESS-001: Pairing Code Interception
Attribute Value ATLAS ID AML.T0040 - AI Model Inference API Access Description Attacker intercepts pairing code during 30s grace period Attack Vector Shoulder surfing, network sniffing, social engineering Affected Components Device pairing system Current Mitigations 30s expiry, codes sent via existing channel Residual Risk Medium - Grace period exploitable Recommendations Reduce grace period, add confirmation step
T-ACCESS-002: AllowFrom Spoofing
Attribute Value ATLAS ID AML.T0040 - AI Model Inference API Access Description Attacker spoofs allowed sender identity in channel Attack Vector Depends on channel - phone number spoofing, username impersonation Affected Components AllowFrom validation per channel Current Mitigations Channel-specific identity verification Residual Risk Medium - Some channels vulnerable to spoofing Recommendations Document channel-specific risks, add cryptographic verification where possible
T-ACCESS-003: Token Theft
Attribute Value ATLAS ID AML.T0040 - AI Model Inference API Access Description Attacker steals authentication tokens from config files Attack Vector Malware, unauthorized device access, config backup exposure Affected Components ~/.remoteclaw/credentials/, config storage Current Mitigations File permissions Residual Risk High - Tokens stored in plaintext Recommendations Implement token encryption at rest, add token rotation
3.3 Execution (AML.TA0005)
T-EXEC-001: Direct Prompt Injection
Attribute Value ATLAS ID AML.T0051.000 - LLM Prompt Injection: Direct Description Attacker sends crafted prompts to manipulate agent behavior Attack Vector Channel messages containing adversarial instructions Affected Components Agent LLM, all input surfaces Current Mitigations Pattern detection, external content wrapping Residual Risk Critical - Detection only, no blocking; sophisticated attacks bypass Recommendations Implement multi-layer defense, output validation, user confirmation for sensitive actions
T-EXEC-002: Indirect Prompt Injection
Attribute Value ATLAS ID AML.T0051.001 - LLM Prompt Injection: Indirect Description Attacker embeds malicious instructions in fetched content Attack Vector Malicious URLs, poisoned emails, compromised webhooks Affected Components web_fetch, email ingestion, external data sources Current Mitigations Content wrapping with XML tags and security notice Residual Risk High - LLM may ignore wrapper instructions Recommendations Implement content sanitization, separate execution contexts
Attribute Value ATLAS ID AML.T0051.000 - LLM Prompt Injection: Direct Description Attacker manipulates tool arguments through prompt injection Attack Vector Crafted prompts that influence tool parameter values Affected Components All tool invocations Current Mitigations Exec approvals for dangerous commands Residual Risk High - Relies on user judgment Recommendations Implement argument validation, parameterized tool calls
T-EXEC-004: Exec Approval Bypass
Attribute Value ATLAS ID AML.T0043 - Craft Adversarial Data Description Attacker crafts commands that bypass approval allowlist Attack Vector Command obfuscation, alias exploitation, path manipulation Affected Components exec-approvals.ts, command allowlist Current Mitigations Allowlist + ask mode Residual Risk High - No command sanitization Recommendations Implement command normalization, expand blocklist
3.4 Persistence (AML.TA0006)
T-PERSIST-001: Malicious Skill Installation
Attribute Value ATLAS ID AML.T0010.001 - Supply Chain Compromise: AI Software Description Attacker places malicious skill in a skills directory Attack Vector Social engineering user to drop malicious skill files into workspace Affected Components Skill loading, agent execution Current Mitigations File permissions Residual Risk Critical - Skills are prompt text with no integrity checks Recommendations Skill integrity verification, community review
T-PERSIST-002: Agent Configuration Tampering
Attribute Value ATLAS ID AML.T0010.002 - Supply Chain Compromise: Data Description Attacker modifies agent configuration to persist access Attack Vector Config file modification, settings injection Affected Components Agent config, tool policies Current Mitigations File permissions Residual Risk Medium - Requires local access Recommendations Config integrity verification, audit logging for config changes
3.5 Defense Evasion (AML.TA0007)
T-EVADE-001: Content Wrapper Escape
Attribute Value ATLAS ID AML.T0043 - Craft Adversarial Data Description Attacker crafts content that escapes XML wrapper context Attack Vector Tag manipulation, context confusion, instruction override Affected Components External content wrapping Current Mitigations XML tags + security notice Residual Risk Medium - Novel escapes discovered regularly Recommendations Multiple wrapper layers, output-side validation
3.6 Discovery (AML.TA0008)
Attribute Value ATLAS ID AML.T0040 - AI Model Inference API Access Description Attacker enumerates available tools through prompting Attack Vector ”What tools do you have?” style queries Affected Components Agent tool registry Current Mitigations None specific Residual Risk Low - Tools generally documented Recommendations Consider tool visibility controls
Attribute Value ATLAS ID AML.T0040 - AI Model Inference API Access Description Attacker extracts sensitive data from session context Attack Vector ”What did we discuss?” queries, context probing Affected Components Session transcripts, context window Current Mitigations Session isolation per sender Residual Risk Medium - Within-session data accessible Recommendations Implement sensitive data redaction in context
3.7 Collection & Exfiltration (AML.TA0009, AML.TA0010)
T-EXFIL-001: Data Theft via web_fetch
Attribute Value ATLAS ID AML.T0009 - Collection Description Attacker exfiltrates data by instructing agent to send to external URL Attack Vector Prompt injection causing agent to POST data to attacker server Affected Components web_fetch tool Current Mitigations SSRF blocking for internal networks Residual Risk High - External URLs permitted Recommendations Implement URL allowlisting, data classification awareness
T-EXFIL-002: Unauthorized Message Sending
Attribute Value ATLAS ID AML.T0009 - Collection Description Attacker causes agent to send messages containing sensitive data Attack Vector Prompt injection causing agent to message attacker Affected Components Message tool, channel integrations Current Mitigations Outbound messaging gating Residual Risk Medium - Gating may be bypassed Recommendations Require explicit confirmation for new recipients
T-EXFIL-003: Credential Harvesting
Attribute Value ATLAS ID AML.T0009 - Collection Description Malicious skill harvests credentials from agent context Attack Vector Skill code reads environment variables, config files Affected Components Skill execution environment Current Mitigations None specific to skills Residual Risk Critical - Skills run with agent privileges Recommendations Skill sandboxing, credential isolation
3.8 Impact (AML.TA0011)
T-IMPACT-001: Unauthorized Command Execution
Attribute Value ATLAS ID AML.T0031 - Erode AI Model Integrity Description Attacker executes arbitrary commands on user system Attack Vector Prompt injection combined with exec approval bypass Affected Components Bash tool, command execution Current Mitigations Exec approvals, command allowlist Residual Risk Critical - Host execution relies on approval UX Recommendations Strengthen exec-approval defaults, improve UX
T-IMPACT-002: Resource Exhaustion (DoS)
Attribute Value ATLAS ID AML.T0031 - Erode AI Model Integrity Description Attacker exhausts API credits or compute resources Attack Vector Automated message flooding, expensive tool calls Affected Components Gateway, agent sessions, API provider Current Mitigations None Residual Risk High - No rate limiting Recommendations Implement per-sender rate limits, cost budgets
T-IMPACT-003: Reputation Damage
Attribute Value ATLAS ID AML.T0031 - Erode AI Model Integrity Description Attacker causes agent to send harmful/offensive content Attack Vector Prompt injection causing inappropriate responses Affected Components Output generation, channel messaging Current Mitigations LLM provider content policies Residual Risk Medium - Provider filters imperfect Recommendations Output filtering layer, user controls
4. Risk Matrix
4.1 Likelihood vs Impact
Threat ID Likelihood Impact Risk Level Priority T-EXEC-001 High Critical Critical P0 T-PERSIST-001 High Critical Critical P0 T-EXFIL-003 Medium Critical Critical P0 T-IMPACT-001 Medium Critical High P1 T-EXEC-002 High High High P1 T-EXEC-004 Medium High High P1 T-ACCESS-003 Medium High High P1 T-EXFIL-001 Medium High High P1 T-IMPACT-002 High Medium High P1 T-ACCESS-001 Low High Medium P2 T-ACCESS-002 Low High Medium P2 T-PERSIST-002 Low Medium Medium P2
4.2 Critical Path Attack Chains
Attack Chain 1: Skill-Based Data Theft
T-PERSIST-001 → T-EXFIL-003
(Install malicious skill) → (Harvest credentials)
Attack Chain 2: Prompt Injection to RCE
T-EXEC-001 → T-EXEC-004 → T-IMPACT-001
(Inject prompt) → (Bypass exec approval) → (Execute commands)
Attack Chain 3: Indirect Injection via Fetched Content
T-EXEC-002 → T-EXFIL-001 → External exfiltration
(Poison URL content) → (Agent fetches & follows instructions) → (Data sent to attacker)
5. Recommendations Summary
ID Recommendation Addresses R-001 Implement skill review and integrity checks T-PERSIST-001, T-EXFIL-003 R-002 Add output validation for sensitive actions T-EXEC-001, T-EXEC-002
5.2 Short-term (P1)
ID Recommendation Addresses R-003 Implement rate limiting T-IMPACT-002 R-004 Add token encryption at rest T-ACCESS-003 R-005 Improve exec approval UX and validation T-EXEC-004
5.3 Medium-term (P2)
ID Recommendation Addresses R-006 Add cryptographic channel verification where possible T-ACCESS-002 R-007 Implement config integrity verification T-PERSIST-002
6. Appendices
6.1 ATLAS Technique Mapping
ATLAS ID Technique Name RemoteClaw Threats AML.T0006 Active Scanning T-RECON-001, T-RECON-002 AML.T0009 Collection T-EXFIL-001, T-EXFIL-002, T-EXFIL-003 AML.T0010.001 Supply Chain: AI Software T-PERSIST-001 AML.T0010.002 Supply Chain: Data T-PERSIST-002 AML.T0031 Erode AI Model Integrity T-IMPACT-001, T-IMPACT-002, T-IMPACT-003 AML.T0040 AI Model Inference API Access T-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002 AML.T0043 Craft Adversarial Data T-EXEC-004, T-EVADE-001 AML.T0051.000 LLM Prompt Injection: Direct T-EXEC-001, T-EXEC-003 AML.T0051.001 LLM Prompt Injection: Indirect T-EXEC-002
6.2 Key Security Files
Path Purpose Risk Level src/infra/exec-approvals.tsCommand approval logic Critical src/gateway/auth.tsGateway authentication Critical src/web/inbound/access-control.tsChannel access control Critical src/infra/net/ssrf.tsSSRF protection Critical src/security/external-content.tsPrompt injection mitigation Critical src/agents/tool-policy.tsTool policy enforcement Critical src/routing/resolve-route.tsSession isolation Medium
6.3 Glossary
Term Definition ATLAS MITRE’s Adversarial Threat Landscape for AI Systems Gateway RemoteClaw’s message routing and authentication layer MCP Model Context Protocol - tool provider interface Prompt Injection Attack where malicious instructions are embedded in input Skill Loadable extension for RemoteClaw agents SSRF Server-Side Request Forgery
This threat model is a living document. Report security issues to security@remoteclaw.org
