Detecting OpenClaw/Clawbot with SentinelOne: The Challenge of Blocking

A huge thank you to my dearest friend Jeremy Jethro, who created this comprehensive script and the detection rule in SentinelOne.
Hi everyone,
If you've been following the cybersecurity landscape lately, you've probably heard whispers about OpenClaw (also known as Clawbot or Moltbot). And if you're in IT security, you're likely dealing with requests to detect and block it right now.
---------------------------------------------------------------------------------------------------------
What is OpenClaw/Clawbot?
OpenClaw is an AI-powered autonomous agent that runs on employees' machines. Think of it as an AI assistant that can interact with your computer, execute commands, access files, and perform actions on behalf of users.
While it might sound useful in theory, it's become a significant security concern for organizations worldwide.
The agent runs as a persistent background process, often integrating with various services and APIs, and has the ability to authenticate with external platforms like Google, Slack, and Discord.
From a security perspective, this creates multiple risk vectors:
Unauthorized data access - The agent can potentially access sensitive files and communications
Shadow IT concerns - Users installing it without IT approval
Compliance violations - Automated actions that bypass security controls
Data exfiltration risks - The agent's ability to send data to external services
Organizations are particularly concerned because OpenClaw operates with broad permissions and can persist on systems even after users think they've removed it.
---------------------------------------------------------------------------------------------------------
My SentinelOne Detection Journey
As you all know, I'm a huge SentinelOne fan. I've created a complete article series on leveraging SentinelOne for advanced threat detection - if you want to check out that series,
Given my experience with SentinelOne, I naturally started working on custom detection rules for OpenClaw. And let me tell you, this one has been challenging.
The Detection Challenge: It's Not That Simple
Here's where things get complicated. We're facing some serious challenges with blocking OpenClaw for several clients. The core issue is that OpenClaw uses a node process, and this is where the limitations kick in.


If we issue a quarantine command in SentinelOne, it will remove node, which could break other legitimate applications that depend on it. This isn't like blocking a standalone malicious executable with SentinelOne. This is a dependency issue that could have widespread impact on production systems.
The Persistence Problem
Here's the really frustrating part:
Even after users uninstall OpenClaw, the claw process remains in startup and continues attempting to authenticate and run via script.
I've confirmed this across multiple endpoints. Users go through the uninstall process, think they're done, and the process just keeps running in the background, trying to authenticate and execute.
The script is typically located at:
/opt/homebrew/bin/node /opt/homebrew/lib/node_modules/clawbot/dist/entry.js
---------------------------------------------------------------------------------------------------------
STAR custom rule which you can use for detection in SentinelOne
(event.type = 'Process Creation' and (
    ((src.process.cmdline contains "clawd" || tgt.process.cmdline contains "clawd" || osSrc.process.cmdline contains "clawd")
    OR (src.process.cmdline contains "openclaw" || tgt.process.cmdline contains "openclaw" || osSrc.process.cmdline contains "openclaw")
    OR (src.process.cmdline contains "moltbot" || tgt.process.cmdline contains "moltbot" || osSrc.process.cmdline contains "moltbot"))
)
OR (
    (src.process.image.path contains ".clawdbot/" || src.process.parent.image.path contains ".clawdbot/" || task.path contains ".clawdbot/" || tgt.file.path contains ".clawdbot/" || tgt.file.oldPath contains ".clawdbot/" || tgt.process.image.path contains ".clawdbot/" || module.path contains ".clawdbot/" || osSrc.process.activeContent.path contains ".clawdbot/" || osSrc.process.image.path contains ".clawdbot/" || osSrc.process.parent.image.path contains ".clawdbot/" || src.process.activeContent.path contains ".clawdbot/" || tgt.process.activeContent.path contains ".clawdbot/")
)
OR (
    src.process.parent.publisher = "<Type=DevID/ID=ai.openclaw.mac/Subject=OU:Y5PE65HELJ>" or osSrc.process.parent.publisher = "<Type=DevID/ID=ai.openclaw.mac/Subject=OU:Y5PE65HELJ>"
))
---------------------------------------------------------------------------------------------------------
Current Detection and Remediation Approach
What We Can Do in SentinelOne
I've created a custom rule to detect OpenClaw installations and processes. The good news: We can detect it. The bad news: Automated quarantine is risky.
For alerts on the installer itself, such as OpenClaw.dmg, we can issue a quarantine command to remove it.
However, for active installations where OpenClaw is already running as part of the node ecosystem, the quarantine action will:
Disrupt the running process
NOT fully remove it
Potentially break other node-dependent applications
---------------------------------------------------------------------------------------------------------
The Manual Removal Path
Because of these limitations, we use a script to manually remove OpenClaw from endpoints via MDM (Mobile Device Management).
Important finding:
Even if users have removed Clawdbot manually, you must ensure they:
Check the launchd process - The agent registers itself as a launch daemon
Remove the plist file from launchd - This is what makes it persistent across reboots
Remove the entry/script from Homebrew - Otherwise it will remain installed
The plist files are typically found at locations like:
~/Library/LaunchAgents/bot.molt.gateway.plist
~/Library/LaunchAgents/com.openclaw.gateway.plist
~/Library/LaunchAgents/com.clawdbot.gateway.plist
~/Library/LaunchAgents/com.moltbot.gateway.plist
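The manual removal path above, as an added shell example (this is my illustration, not the post's removal script): it finds the LaunchAgent plists listed above plus any plist whose program arguments point at the clawbot entry.js, unloads and deletes them, and removes the Homebrew-installed clawbot package directory without touching node itself. It also picks out only the agent's processes by command line, which is the targeted alternative to quarantining the shared node binary that the post warns about. The CLAW_HOME, CLAW_BREW_PREFIX and DRY_RUN variables and the function names are my additions; the plist labels, paths and indicator strings are the ones from the post.

```shell
#!/bin/sh
# Added example: audit and remove OpenClaw/Clawbot persistence on macOS.
# Defaults follow the paths given in the post; the variables let you point
# the functions at a scratch tree (or run with DRY_RUN=1) before touching
# a real endpoint.

# LaunchAgent labels named in the post.
CLAW_LABELS="bot.molt.gateway com.openclaw.gateway com.clawdbot.gateway com.moltbot.gateway"

# Home directory and Homebrew prefix to inspect (override for testing).
CLAW_HOME="${CLAW_HOME:-$HOME}"
CLAW_BREW_PREFIX="${CLAW_BREW_PREFIX:-/opt/homebrew}"

# Filter `ps ax -o pid=,command=` lines down to the agent's own processes.
# Matching on the command line (entry.js path, ~/.clawdbot/, product names)
# rather than on the node binary is what keeps other node apps out of scope.
# The [x] bracket trick stops the awk process from matching itself in ps.
claw_pids_from_ps() {
  awk '
    $0 ~ /node_modules\/[c]lawbot\/dist\/entry\.js/ ||
    $0 ~ /\.[c]lawdbot\// ||
    tolower($0) ~ /[o]penclaw|[m]oltbot|[c]lawd/ { print $1 }
  '
}

# Live PIDs of the agent on this machine (one per line).
claw_pids() {
  ps ax -o pid=,command= 2>/dev/null | claw_pids_from_ps
}

# Plists under an unexpected label whose contents still launch entry.js.
claw_plists_by_content() {
  dir="${CLAW_HOME}/Library/LaunchAgents"
  [ -d "$dir" ] || return 0
  grep -l 'node_modules/clawbot/dist/entry.js' "$dir"/*.plist 2>/dev/null || true
}

# Every persistence plist we know how to recognise, deduplicated.
claw_plists() {
  {
    for label in $CLAW_LABELS; do
      p="${CLAW_HOME}/Library/LaunchAgents/${label}.plist"
      [ -f "$p" ] && printf '%s\n' "$p"
    done
    claw_plists_by_content
  } | sort -u
}

# Unload (when launchctl exists) and delete each plist, then remove the
# Homebrew-installed package so the entry script cannot be relaunched.
# node itself is left alone. DRY_RUN=1 only reports.
claw_remove_persistence() {
  claw_plists | while IFS= read -r plist; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'would remove %s\n' "$plist"
      continue
    fi
    if command -v launchctl >/dev/null 2>&1; then
      launchctl bootout "gui/$(id -u)" "$plist" 2>/dev/null || true
    fi
    rm -f "$plist"
    printf 'removed %s\n' "$plist"
  done
  pkgdir="${CLAW_BREW_PREFIX}/lib/node_modules/clawbot"
  if [ -d "$pkgdir" ]; then
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'would remove %s\n' "$pkgdir"
    else
      rm -rf "$pkgdir"
      printf 'removed %s\n' "$pkgdir"
    fi
  fi
}
```

Source the file, run `claw_pids` and `DRY_RUN=1 claw_remove_persistence` first to see exactly which processes and files would be touched, then `claw_pids | xargs kill` followed by `claw_remove_persistence` once the list looks right. Because the agent re-registers via launchd, the plist removal has to happen before or together with the kill, otherwise it simply comes back at next login, which is the behaviour the post describes.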
---------------------------------------------------------------------------------------------------------
The Client Landscape
For an MSSP, every client wants to know about OpenClaw, and a significant percentage want to block it immediately. The requests are coming in fast, and the pressure is on.
I can tell it's possible to block it, but as I mentioned, the way the quarantine action happens means it will disrupt the running process but not remove it cleanly.
---------------------------------------------------------------------------------------------------------
The Removal Script
I'm sharing the removal script developed for OpenClaw remediation. This script handles everything: killing processes, removing applications, cleaning up LaunchAgents, removing user data, and removing CLI binaries and Homebrew installations.
Note: I'm still in the testing phase with some of the SentinelOne quarantine approaches, but this script has been working reliably for manual removal.
Just convert this txt file into a script.
---------------------------------------------------------------------------------------------------------
Security Reminder
If OpenClaw was connected to external services, users should manually revoke OAuth tokens at:
Discord: User Settings > Authorized Apps
---------------------------------------------------------------------------------------------------------
What's Next?
I'm continuing to refine the SentinelOne detection rules and exploring safer quarantine approaches that won't impact legitimate node processes.
If you're dealing with OpenClaw in your environment, I'd love to hear about your approach.
Stay secure
--------------------------------------------------Dean------------------------------------------------------