Does my agent platform already provide security?

Yes. OpenClaw ships an exec allowlist and skill permission scopes. Cline surfaces approval prompts before destructive operations. Continue inspects tool descriptions. Claude Code requires explicit permission grants and human-in-the-loop approvals. These are real controls. The problem is that each one has documented gaps, and none of them cover cross-platform threats, runtime behavioral baselines, audit logging, or tool poisoning detection.

What is the OpenClaw CVE situation?

OpenClaw carries 427 GitHub Security Advisories across its dependency graph: 13 critical, 134 high, 235 medium, 45 low. Its permission system (system.run exec allowlist and safeBins) has at least 25 documented bypass methods. The ClawHavoc campaign seeded 553 malicious skills targeting the platform. Firmis covers 85% of those advisories with at least partial detection.

Back to Journal

Agentic SecurityMarch 10, 2026·8 min read

Agent Harness Security: What Your Platform Ships vs What You Still Need

Every agent platform ships some security. None ship enough. We scanned the built-in defenses of major agent harnesses and mapped exactly where the gaps are.

TL;DR

Every agent platform ships security controls that handle their designed scope. The gaps are what expose your stack.
OpenClaw: 427 security advisories, permission system bypassed 25+ ways. If you run OpenClaw, Firmis covers 85% of those advisories on top of built-in protections.
Cline, Continue, and Claude Code each have documented gaps that ship with the harness. Knowing them lets you layer your defenses.
The universal gaps: no runtime behavioral baseline, no audit logging, no tool poisoning detection, no cross-platform view.
Firmis adds the missing layers. Keep your platform controls on; add Firmis for what they do not cover.

When you install an AI agent harness, you get a security posture out of the box. OpenClaw has a permission system. Cline sandboxes certain operations. Continue verifies tool descriptions. Claude Code requires approval before running shell commands. These are real protections, built by teams that take security seriously.

They are also incomplete. Not because the teams were careless, but because the threat surface of an agentic stack is genuinely wider than any single platform can cover. This post maps what each harness ships, where each one stops, and what the shared gaps look like.

What Platforms Ship vs What They Miss

Platform	Ships	Gap
OpenClaw	system.run exec allowlist, safeBins, skill permission scopes	25+ bypass methods, 427 security advisories, no runtime behavioral scoring
Cline	Approval prompts before destructive actions, diff previews	--yolo disables all confirmations; wildcard deps auto-upgrade to malicious packages
Continue	Tool description inspection, context window scoping	SSL/TLS disabled on MCP transport; reads /etc/passwd without restriction; no tool shadowing protection
Claude Code	Tool permission grants, human-in-the-loop approval flow	CVE-2025-59536 (CVSS 8.7) hooks injection; no native skill sandbox; GitHub issues are injection vectors

OpenClaw: Strong Perimeter, Porous Interior

OpenClaw has one of the most deliberate permission systems in the harness space. The system.run exec allowlist and safeBins configuration are designed to limit what skills can execute. For teams that configure them correctly, this raises the bar meaningfully.

427

Security Advisories

Critical Severity

553

ClawHavoc Malicious Skills

85%

Firmis Advisory Coverage

The problem is documented at scale. OpenClaw carries 427 GitHub Security Advisories across its dependency graph: 13 critical, 134 high, 235 medium, 45 low. The allowlist system has at least 25 documented bypass methods. The ClawHavoc campaign seeded 553 skills designed to deploy AMOS stealer on macOS. If your team runs OpenClaw, these are active risks in your dependency tree right now.

Firmis covers 85% of those advisories with at least partial detection, layering static analysis and known-malicious fingerprinting on top of the built-in permission checks. That means running one scan surfaces the majority of known OpenClaw vulnerabilities without replacing your existing controls.

Cline: Developer-Friendly, Dangerously So

Cline's approval flow is genuinely thoughtful. Before destructive file operations, before shell commands, before network calls, it surfaces a diff and asks. For most workflows, that gate is valuable.

--yolo Disables All Confirmations

The --yolo flag is a first-class Cline feature that disables all safety confirmations. In automated pipelines or CI environments, it is commonly used. Any skill running in a --yolo session operates without the approval gate that makes Cline's model safe.

Browser session extraction is a documented Cline capability, usable by any installed skill
Wildcard dependency versions in skill manifests enable auto-upgrade to malicious packages
No runtime behavioral baseline means a skill acting outside its description has no detection surface

Continue: Transport-Level Exposure

Continue has invested in tool description inspection and context window scoping, which gives it meaningful prompt injection resistance compared to earlier-generation harnesses.

What Continue Does Well

Tool description inspection before execution
Context window scoping reduces injection surface
Active open-source community with security response

Documented Gaps

SSL/TLS disabled on MCP transport (MITM vector)
Reads /etc/passwd without access restriction
No tool identity verification or shadowing protection

Claude Code: Hooks Vulnerability

Claude Code's permission model is one of the most granular available. Individual tools require explicit grants, and the human-in-the-loop flow is well-designed for interactive use.

CVE-2025-59536 (CVSS 8.7): Hooks Injection

A malicious skill can write arbitrary shell commands into the Claude Code hooks configuration. Those commands execute outside the normal approval flow, with the permissions of the running user. This is a documented, assigned CVE, not a theoretical concern.

The second gap is structural. Claude Code skills can read GitHub issues and pull requests as part of normal context-gathering. GitHub issues are user-generated content with no trust boundary. Any issue can contain a prompt injection payload that the agent processes as instructions.

The Gaps No Harness Fills

Runtime baseline

No harness tracks normal tool behavior to flag anomalies

Audit logging

Tool invocations are not logged by default on any platform

Tool poisoning

No native detection for skills that hide malicious payloads

Cross-platform

Each platform only sees its own tools, not the full stack

The security a harness ships protects against the threats its team anticipated at launch. The threats arriving now require a layer that updates continuously.

Where Firmis Fits

Firmis is not a replacement for any of these platforms' built-in controls. Those controls should stay on and configured correctly. Firmis adds the layers that no harness ships natively.

Static scanning

Detection rules across threat categories. Covers 85% of OpenClaw advisories with partial detection and rising.

Runtime monitoring

Tool call interception and behavioral scoring. Flags deviations from expected behavior even when the skill passes static checks.

Deep scan

LLM-powered semantic analysis. Reduces false positives by 73.4% compared to rule-only scanning.

Blast radius scoring

35% of model-mistake findings score ELEVATED or higher. These are behavioral risks that static rules miss entirely.

The Complementary Stack

→Keep your harness security controls on and configured correctly; they handle their designed scope well
→Add Firmis for the cross-platform view: one command covers OpenClaw, Cline, Continue, Claude Code, MCP, and more
→Runtime monitoring and blast radius scoring catch the behavioral risks that static rules cannot reach
→Deep scan with LLM analysis reduces alert fatigue by cutting false positives by 73.4%

$ npx firmis-cli init

Your platform ships its security. Firmis ships the gaps.

References & Sources

[1]
OpenClaw GitHub Security Advisories- 427 advisories across dependency graph
[2]
CVE-2025-59536: Claude Code hooks injection- CVSS 8.7, arbitrary shell command execution via hooks config
[3]
Cline --yolo mode documentation- Disables all safety confirmations in automated pipelines
[4]
Continue MCP transport security- SSL/TLS disabled on MCP transport by default
[5]
ClawHavoc: 553 malicious OpenClaw skills- AMOS stealer deployment campaign targeting macOS developers
[6]
OWASP Top 10 for LLM Applications- Industry framework for agent threat categorization
[7]
Firmis Scanner (open source)- Apache-2.0, cross-platform agent security scanner

Previous9 Verified Exploit Chains Across 8 Agent Frameworks

NextThe Axios Supply Chain Attack: Anatomy of an npm RAT

Try It Now

Find out if your agent stack is safe

One command. 30 seconds. Free.

$npx firmis-cli init

Fix and Monitor included with Pro

View pricing