AgentSec

Securing the Future of AI Agents

Blogs & Insights

A2S Ecosystem Map

The AgentSec Ecosystem, Mapped

A 6-layer coordinate system for identity, delegation, action, enforcement, and audit-grade evidence.

AGENTSEC STACK (A2S)

Evidence Layer: Tracing, Audit & Replay

Enforcement Layer: Policy Gates, Approvals & Runtime Constraints

Action Layer: Tools, Execution & Side Effects

Orchestration Layer: Frameworks, Runtime & Interop

Cognition Layer: Model Robustness & Prompt Injection Defense

Identity Layer: Agent IDs, Delegation & Registry

TL;DR

AgentSec is not only “model safety”: it is end-to-end governance for agents that can take real-world actions.
A2S breaks agent security into 6 layers: Identity / Cognition / Orchestration / Action / Enforcement / Evidence.
Use the map to align architecture and vendor choices: what you’re protecting, where control runs, and what proof you can produce after the fact.

Read Blogs & Insights

CASCADE Risk Model

How Agent Risks Cascade

A2S maps what you build to defend agents. CASCADE maps what you're defending against—how a single failure propagates into irreversible damage.

Risk ≈ Likelihood × Blast Radius

Detection reduces likelihood; Governance bounds impact

Why "CASCADE"?

Agent security risks are not isolated bugs—they're propagation chains. Untrusted content enters context → shifts decisions → triggers tool calls → causes real consequences.

Each layer represents a stage in the attack chain. Tap or hover the cards below to learn more.

A — Amplification (Posture Gaps)

Pre-existing weaknesses that determine how far any failure can spread: excessive permissions, no budget limits, no approval gates, no isolation.

B — Breach (Untrusted Content Entry)

The attack surface where untrusted content enters the agent's context: email, web pages, documents, RAG results, MCP plugins, or agent memory.

C — Confusion (Decision Errors)

The agent's reasoning goes off track: hallucination, instruction-vs-data confusion, wrong parameters, or selecting the wrong tool entirely.

D — Detonation (Tool Execution)

The moment risk becomes real: the agent executes a tool call—send email, transfer funds, delete data, fire API requests.

E — Explosion (Irreversible Damage)

The end state: financial loss, data leakage, compliance penalties, and cross-system spread. Once reached, consequences cannot be rolled back.

OpenClaw Security Audit

OpenClaw Doctor

Security audit skill for OpenClaw installations. Detects malicious skills, exposed credentials, network misconfigurations, and more — in three phases.

$/openclaw-doctor

Run in Claude Code to audit your OpenClaw installation.

Three-Phase Workflow

Discovers your OpenClaw installation and enumerates all config files, skills, memory files, and environment files.

VERIFY

Runs 13 modular detection rules against discovered targets across 7 attack surfaces.

REPORT

Presents findings grouped by severity (CRITICAL → HIGH → WARNING → INFO) with evidence and specific fixes.

7 Attack Surfaces Covered

13 modular detection rules across every layer of your OpenClaw installation.