OpenClaw Security Testing: 80% hijacking success on a fully hardened AI agent

by Paul Aldea

We ran 629 security tests against a fully hardened OpenClaw instance - all recommended security controls enabled.

Results:

  • 80% hijacking success

  • 77% tool discovery

  • 74% prompt extraction

  • 70% SSRF

  • 57% overreliance exploitation

  • 33% excessive agency

  • 28% cross-session data leaks

What we tested: 9 defense layers including system prompts, input validation, output filtering, tool restrictions, and rate limiting.

Key finding: Hardening helps (unhardened = 100% success rate), but it's not enough. AI agents need continuous security testing, not just config changes.

Full breakdown with methodology: earlycore.dev/collection/openclaw-security-hardening-80-percent-attacks-succeeded

Curious what the OpenClaw team and community think - especially around defense strategies we might have missed.
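To make two of the defense layers the post names concrete (tool restrictions and input validation, here applied to the SSRF category), the following is an added illustration, not code from the post or from the OpenClaw project: a gate that sits between the agent and its tools, enforces a tool allowlist, and rejects fetch URLs whose host resolves to a loopback, private, link-local or otherwise internal address. The tool names, the hostnames in the constructed DNS table and the blocked-host list are all assumptions chosen for the example; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed policy for the example: the only tools the agent may call at all.
ALLOWED_TOOLS = {"web_fetch", "calendar_read"}

# Hostnames rejected by name regardless of what they resolve to (assumption).
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}

# Constructed DNS table so the example runs without network access.
CONSTRUCTED_DNS = {
    "example.com": "93.184.216.34",   # ordinary public address
    "internal.corp": "10.0.0.5",      # resolves into a private range
}


def offline_resolver(host):
    """Stand-in for socket.gethostbyname backed by the constructed table.
    IP literals resolve to themselves; unknown names raise OSError like a DNS failure."""
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        raise OSError(f"cannot resolve {host}")


def is_internal_address(ip_str):
    """True for any address a fetch tool should never be allowed to reach."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url, resolver=socket.gethostbyname):
    """Input-validation layer for URLs. Returns (ok, detail):
    detail is the rejection reason, or the resolved IP when the URL is accepted."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower() in BLOCKED_HOSTS:
        return False, "host blocked"
    try:
        ip_str = resolver(host)
    except OSError:
        return False, "unresolvable host"
    if is_internal_address(ip_str):
        return False, "resolves to internal address"
    return True, ip_str


def gate_tool_call(tool_name, args, resolver=socket.gethostbyname):
    """Tool-restriction layer: every call the model emits passes through here
    before anything executes. Returns (allowed, reason)."""
    if tool_name not in ALLOWED_TOOLS:
        return False, "tool not in allowlist"
    if tool_name == "web_fetch":
        ok, detail = check_url(args.get("url", ""), resolver)
        if not ok:
            return False, detail
    return True, "allowed"


if __name__ == "__main__":
    for name, args in [("shell_exec", {}),
                       ("web_fetch", {"url": "http://internal.corp/admin"}),
                       ("web_fetch", {"url": "https://example.com/page"})]:
        print(name, args, "->", gate_tool_call(name, args, offline_resolver))
```

One caveat worth keeping in mind when reading the post's 70% SSRF figure: a check like this resolves the host once, so the component that performs the actual fetch must connect to the address the gate validated (and re-check on every redirect) rather than resolving the name again, otherwise the validation can be bypassed by a name whose answer changes between check and use.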
