Hi everyone,

Over the weekend I went down a rabbit hole with OpenClaw. I wanted to see if I could turn an old Android phone into a fully capable AI powered IoT device for future projects. After a lot of trial, error, and caffeine, I finally documented the entire process in my GitHub repo.

We ran 629 security tests against a fully hardened OpenClaw instance - all recommended security controls enabled.

Results:

• 80% hijacking success

• 77% tool discovery

• 74% prompt extraction

• 70% SSRF

• 57% overreliance exploitation

• 33% excessive agency

• 28% cross-session data leaks

What we tested: 9 defense layers including system prompts, input validation, output filtering, tool restrictions, and rate limiting.