---
title: "Detecting, Blocking & Remediating OpenClaw using Jamf"
slug: "detecting-blocking-remediating-openclaw-using-jamf"
updated: 2026-03-24T12:59:47Z
published: 2026-03-24T12:59:47Z
---


# Detecting, Blocking & Remediating OpenClaw using Jamf

### Executive Summary

Agentic AI tools such as [**OpenClaw**](https://openclaw.ai/) (previously known as Clawdbot and Moltbot) represent a new class of threat for organizations, blurring the line between legitimate user activity and unsanctioned autonomous access to corporate systems.

Employees may be attracted to OpenClaw's perceived convenience and personal assistant features such as email access, calendar scheduling and messaging without fully recognizing the risks involved in granting wholesale unregulated access to corporate data. Without advanced monitoring and analytics in place, IT and security teams may find it difficult to distinguish between legitimate human behavior and an OpenClaw agent acting on the user's behalf, with both accessing corporate resources through the same authenticated APIs and sessions.

This advisory describes how to use Jamf Security Cloud, Jamf Protect, and Jamf Pro together to implement a layered defense against unauthorized OpenClaw usage on managed macOS devices. The controls span network-level blocking, binary execution prevention, endpoint detection analytics, SIEM telemetry, inventory-based detection, and automated removal.

No single control is sufficient on its own. Jamf recommends deploying several of the methods below in combination for defense in depth.

### Jamf Security Cloud - Content Filtering & Blocking

Jamf Security Cloud includes [**category-based content filtering**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Block_Policy_Available_Site_Categories.html) and network blocking capabilities to allow organizations to monitor and control access for categories of applications and websites.

The following common domains relating to OpenClaw are now included in the **"Other generative AI"** content filtering category:

- openclaw.ai
- clawhub.ai
- open-claw.me
- molt.bot
- openclaw.bot

Organizations who wish to block access to OpenClaw and other tools in this category can [**Configure a Content Filtering Policy**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Configuring_your_Block_Policy.html) within the Policies section of Jamf Security Cloud:

![](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/OtherGenAI(1).jpg)

> [!WARNING]
> Blocking this category will mitigate the most popular one-line method of installation from the OpenClaw website; however, advanced users can still follow the instructions in the [GitHub repository](https://github.com/openclaw) to install directly through npm or other package managers. As such, use this control and block method in conjunction with the other visibility and remediation controls listed in this article.

### Jamf Protect - Custom Prevent Lists (OpenClaw Companion App)

OpenClaw supports an [**optional companion app for macOS**](https://docs.openclaw.ai/platforms/macos) that exposes additional platform-based tools, such as Camera and Screen Recording access, to a local or remote OpenClaw gateway instance. As this companion app is a signed macOS binary, you can use [**Custom Prevent Lists in Jamf Protect**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Custom_Prevent_Lists.html) to block its runtime execution on managed devices.

![](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/ProtectBlock.jpg)

To implement this block, in the Jamf Protect portal navigate to **Threat Prevention > Custom Prevention Lists** and click **Create Prevent List**. Give your new list a name such as *"Block OpenClaw Companion App"* and select *"Signing Information"* as the Prevent Type. Then choose one of the following prevention methods (either one is sufficient to block the current variant of the app):

- **Team ID:** `Y5PE65HELJ`
- **Signing ID:** `bot.molt.mac`

This will result in the companion app being blocked on launch and the user seeing an active block prompt:

![](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/Image%2010-2-2026%20at%204.24%E2%80%AFpm.png)

> [!WARNING]
> Custom Prevention Lists under Threat Prevention will block the runtime execution of the OpenClaw companion app but not the OpenClaw Gateway binary and LaunchAgents, as those lack the requisite signing identifiers. This prevention method is useful for ensuring that users do not install and run the companion app on devices, but it is not exhaustive in blocking OpenClaw on macOS.
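Because the prevent list keys on the app's signing identifiers, it is worth confirming that the build present in your environment still carries the Team ID and Signing ID listed above. The shell script below is an added example written for this article (not Jamf's or OpenClaw's code): it reads the identifiers that `codesign` reports for a bundle and compares them with the two values used in the prevent list. It assumes the bundle path is passed as the first argument; when no path is given, or off macOS, it runs against a constructed sample of `codesign` output.

```shell
#!/bin/sh
# Added example, not Jamf's or OpenClaw's code: reads the signing identifiers
# that codesign reports for an app bundle and compares them with the Team ID
# and Signing ID this article uses for the Custom Prevent List, so a build
# whose identifiers differ is noticed before the block is assumed to work.
# Usage on a Mac: sh check_signing.sh /path/to/Companion.app (path assumed).

EXPECTED_TEAM_ID="Y5PE65HELJ"
EXPECTED_SIGNING_ID="bot.molt.mac"

# parse_codesign_field FIELD  (reads codesign output on stdin)
# "codesign -dv --verbose=4 <bundle>" writes lines such as "Identifier=..." and
# "TeamIdentifier=..." to stderr; the anchored pattern keeps the two apart.
parse_codesign_field() { sed -n "s/^$1=//p" | head -n 1; }

# check_signing_ids "<codesign output>" -> prints a verdict; 0 only when both match
check_signing_ids() {
  local output ident team
  output=$1
  ident=$(printf '%s\n' "$output" | parse_codesign_field Identifier)
  team=$(printf '%s\n' "$output" | parse_codesign_field TeamIdentifier)
  if [ -z "$ident" ] || [ -z "$team" ]; then
    printf 'UNSIGNED or unparseable: no Identifier/TeamIdentifier in codesign output\n'
    return 1
  fi
  if [ "$team" = "$EXPECTED_TEAM_ID" ] && [ "$ident" = "$EXPECTED_SIGNING_ID" ]; then
    printf 'MATCH: Identifier=%s TeamIdentifier=%s (prevent list entries apply)\n' "$ident" "$team"
    return 0
  fi
  printf 'MISMATCH: Identifier=%s TeamIdentifier=%s (expected %s / %s; review the prevent list)\n' \
    "$ident" "$team" "$EXPECTED_SIGNING_ID" "$EXPECTED_TEAM_ID"
  return 1
}

if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
  check_signing_ids "$(codesign -dv --verbose=4 "$1" 2>&1)"
else
  # No bundle given (or not on macOS): demonstrate with constructed output.
  # The Executable path below is a placeholder, not a real install location.
  check_signing_ids "Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=bot.molt.mac
Format=app bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=Y5PE65HELJ"
fi
```

A MISMATCH result on a freshly downloaded build is the cue to add the new identifiers to the prevent list (or to re-check the download), since Jamf Protect matches on exactly these values.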

### Jamf Protect - Custom Analytics

Jamf has published a series of Jamf Protect [**Custom Analytics**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_Analytics.html) to support organizations wishing to detect the installation, persistence and invocation of OpenClaw in their environment. These custom analytics perform filesystem and process detections using Jamf Protect's filter-based analytics engine to detect OpenClaw artifacts on a device and report back through Jamf Protect alerting.

Customers may implement all of the following analytics or select a subset based on their requirements. The analytics are also available as YAML definitions in the [**Jamf Protect resources GitHub repository**](https://github.com/jamf/jamfprotect/tree/main/custom_analytic_detections/agentic_detections).

#### How to Create a Custom Analytic from Filter Text

1. In the Jamf Protect portal, navigate to **Configuration > Analytics** and click **Create**
2. Set the **Sensor Type** to the value specified for each analytic below (either File System or Process)
3. In the Analytic Filter section, switch to **Filter Text View**
4. Paste the filter expression provided inline below
5. Configure the severity and any desired Analytic Actions (such as adding affected devices to a Jamf Pro Smart Group)

![](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/analytic.jpg)

**OpenClaw Installation**

| **Field** | **Value** |
| --- | --- |
| **Name** | OpenClawInstallation |
| **Sensor Type** | Process Event |
| **Description** | Detection of OpenClaw installation commands from [openclaw.ai](http://openclaw.ai). |

**Filter (Text View) Content:**

```plaintext
$event.type == 1 AND
  $event.process.args.@count > 1 AND
  (
    (
      (ANY $event.process.args CONTAINS[c] "npm") AND
      (ANY $event.process.args BEGINSWITH "openclaw") AND
      (
        (ANY $event.process.args == "i") OR
        (ANY $event.process.args == "install") OR
        (ANY $event.process.args == "add") OR
        (ANY $event.process.args == "in") OR
        (ANY $event.process.args == "ins") OR
        (ANY $event.process.args == "inst") OR
        (ANY $event.process.args == "insta") OR
        (ANY $event.process.args == "instal") OR
        (ANY $event.process.args == "isnt") OR
        (ANY $event.process.args == "isnta") OR
        (ANY $event.process.args == "isntal") OR
        (ANY $event.process.args == "isntall")
      ) AND
      $event.process.path.lastPathComponent == "node"
    ) OR
    (
      (ANY $event.process.args BEGINSWITH "openclaw") AND
      (ANY $event.process.args == "add") AND
      $event.process.path.lastPathComponent == "pnpm"
    )
  )
```

**OpenClaw Directory Created**

| **Field** | **Value** |
| --- | --- |
| **Name** | OpenClawDirectoryCreated |
| **Sensor Type** | File System Event |
| **Description** | Detection of OpenClaw's hidden workspace directory (.openclaw), created during setup. |

**Filter (Text View) Content:**

```plaintext
$event.path MATCHES "\\/Users\\/[^\\/]+\\/\\.openclaw" AND
  $event.isNewDirectory == 1
```

**OpenClaw Gateway Persistence**

| **Field** | **Value** |
| --- | --- |
| **Name** | OpenClawGatewayPersistence |
| **Sensor Type** | File System Event |
| **Description** | Detection of OpenClaw's gateway persistence (~/Library/LaunchAgents/ai.openclaw.gateway.plist). |

**Filter (Text View) Content:**

```plaintext
("LaunchDaemon" IN $tags OR "LaunchAgent" IN $tags) AND
  $event.path.lastPathComponent BEGINSWITH "ai.openclaw."
```

**OpenClaw Onboard**

| **Field** | **Value** |
| --- | --- |
| **Name** | OpenClawOnboard |
| **Sensor Type** | Process Event |
| **Description** | Detection of OpenClaw onboard command to initiate setup. |

**Filter (Text View) Content:**

```plaintext
$event.type == 1 AND
  $event.process.args.@count > 1 AND
  (
      (ANY $event.process.args CONTAINS[c] "openclaw") AND
      (ANY $event.process.args == "onboard")
  ) AND
  $event.process.parent.path.lastPathComponent == "node"
```

**ClawHub Skills Install**

| **Field** | **Value** |
| --- | --- |
| **Name** | ClawHubSkillsInstall |
| **Sensor Type** | Process Event |
| **Description** | Detection of skills installed from ClawHub via npx, pnpm or bun commands. |

**Filter (Text View) Content:**

```plaintext
$event.type == 1 AND
  $event.process.args.@count > 1 AND
  (
    (
      (
        (
          (ANY $event.process.args CONTAINS[c] "/npx") OR
          (ANY $event.process.args CONTAINS[c] "/pnpm")
        ) AND
        (ANY $event.process.args BEGINSWITH[c] "clawhub")
      ) OR
      (
        (ANY $event.process.args CONTAINS[c] "/bunx-") AND
        (ANY $event.process.args CONTAINS[c] "/clawhub")
      )
    ) AND
    (ANY $event.process.args == "install") AND
    $event.process.path.lastPathComponent == "node"
  )
```
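To see which process events the two process-based filters above would match before deploying them, here is an added shell re-implementation of the OpenClawInstallation and ClawHubSkillsInstall predicates (example code written for this article, not Jamf's analytics engine or its published analytics). Each function receives the executable path followed by the process's full argv, standing in for `$event.process.path` and `$event.process.args`; the events at the bottom are constructed, and the npm/npx CLI paths in them are assumed typical of a default install.

```shell
#!/bin/sh
# Added example (not Jamf's code): a shell re-implementation of the
# OpenClawInstallation and ClawHubSkillsInstall filter logic, so the argv
# shapes they match (and do not match) can be checked offline. Each predicate
# takes the executable path followed by the process's full argv, standing in
# for $event.process.path and $event.process.args. The events at the bottom
# are constructed; the npm/npx CLI paths in them are assumed typical installs.

# Verbs accepted by the OpenClawInstallation filter: npm's "i"/"install"/"add"
# plus the truncated and transposed spellings the filter enumerates.
INSTALL_VERBS="i install add in ins inst insta instal isnt isnta isntal isntall"

last_path_component() { printf '%s\n' "${1##*/}"; }
lc() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# ANY $event.process.args CONTAINS[c] "<needle>"  (case-insensitive substring)
any_arg_contains_ci() {
  local needle a; needle=$(lc "$1"); shift
  for a in "$@"; do case "$(lc "$a")" in *"$needle"*) return 0 ;; esac; done
  return 1
}

# ANY $event.process.args BEGINSWITH "<needle>"  (case-sensitive prefix)
any_arg_begins_with() {
  local needle a; needle=$1; shift
  for a in "$@"; do case "$a" in "$needle"*) return 0 ;; esac; done
  return 1
}

# ANY $event.process.args BEGINSWITH[c] "<needle>"  (case-insensitive prefix)
any_arg_begins_with_ci() {
  local needle a; needle=$(lc "$1"); shift
  for a in "$@"; do case "$(lc "$a")" in "$needle"*) return 0 ;; esac; done
  return 1
}

# ANY $event.process.args == "<value>"
any_arg_equals() {
  local needle a; needle=$1; shift
  for a in "$@"; do [ "$a" = "$needle" ] && return 0; done
  return 1
}

# True when some argv element equals one of the space-separated words in $1.
any_arg_in_set() {
  local words a v; words=$1; shift
  for a in "$@"; do for v in $words; do [ "$a" = "$v" ] && return 0; done; done
  return 1
}

# OpenClawInstallation: PATH ARGV... -> returns 0 when the filter would fire.
openclaw_installation() {
  local path exe; path=$1; shift
  [ "$#" -gt 1 ] || return 1                      # $event.process.args.@count > 1
  exe=$(last_path_component "$path")
  # npm branch: npm is a node script, so the executing image is "node" and the
  # npm CLI path appears in argv (hence CONTAINS[c] "npm").
  if [ "$exe" = "node" ] && any_arg_contains_ci npm "$@" \
     && any_arg_begins_with openclaw "$@" && any_arg_in_set "$INSTALL_VERBS" "$@"; then
    return 0
  fi
  # pnpm branch: pnpm runs as its own executable and only "add" is matched.
  if [ "$exe" = "pnpm" ] && any_arg_begins_with openclaw "$@" && any_arg_equals add "$@"; then
    return 0
  fi
  return 1
}

# ClawHubSkillsInstall: PATH ARGV... -> returns 0 when the filter would fire.
clawhub_skills_install() {
  local path; path=$1; shift
  [ "$#" -gt 1 ] || return 1
  [ "$(last_path_component "$path")" = "node" ] || return 1
  any_arg_equals install "$@" || return 1
  if { any_arg_contains_ci /npx "$@" || any_arg_contains_ci /pnpm "$@"; } \
     && any_arg_begins_with_ci clawhub "$@"; then
    return 0
  fi
  any_arg_contains_ci /bunx- "$@" && any_arg_contains_ci /clawhub "$@"
}

# Print a verdict for one constructed event: PREDICATE PATH ARGV...
show() {
  local pred; pred=$1; shift
  if "$pred" "$@"; then printf '%-23s FIRES   %s\n' "$pred" "$*"
  else printf '%-23s silent  %s\n' "$pred" "$*"; fi
}
NPM=/usr/local/lib/node_modules/npm/bin   # assumed npm CLI location
show openclaw_installation  /usr/local/bin/node  node "$NPM/npm-cli.js" install -g openclaw@latest
show openclaw_installation  /usr/local/bin/node  node "$NPM/npm-cli.js" isntall openclaw
show openclaw_installation  /opt/homebrew/bin/pnpm pnpm add -g openclaw
show openclaw_installation  /usr/local/bin/node  node "$NPM/npm-cli.js" install express
show clawhub_skills_install /usr/local/bin/node  node "$NPM/npx-cli.js" clawhub install weather-skill
show clawhub_skills_install /usr/local/bin/node  node "$NPM/npx-cli.js" clawhub search weather
```

The `node` comparison on `lastPathComponent` is why the npm branch works: `npm` and `npx` are JavaScript entry points executed by the `node` binary, so the process image is `node` while the npm CLI path and the install verb appear in argv. When you tune these filters for your own environment, run any changed predicate through a harness like this one before editing the analytic in the portal.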

### Jamf Protect - Advanced Threat Controls

One of the attack techniques arising from the use of OpenClaw on macOS involves [**malicious skills that attempt to coax users into installing malware and infostealers**](https://opensourcemalware.com/blog/malicious-clawhub-skills-hide-in-plain-sight) onto their device.

Jamf Protect's [**Advanced Threat Controls**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Advanced_Threat_Controls.html) are designed to intervene when unsafe or malicious activity is detected and provide protection against common techniques directly observed in malware connected to these malicious skills.

Organizations can enable both [**Advanced Threat Controls**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Advanced_Threat_Controls.html) and [**Endpoint Threat Prevention**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Threat_Prevention_with_Jamf_Protect.html) within Jamf Protect and choose either **Block and report** or **Report only** depending on their risk tolerance and operational requirements.

### Jamf Protect - Telemetry

Customers can use [**Jamf Protect Telemetry for macOS**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Telemetry.html) to collect system and user event log data and ship it to a SIEM or storage location of their choice.

The [**Jamf Threat Labs**](https://www.jamf.com/threat-labs/) team has created a series of [**Sigma rules**](https://sigmahq.io/docs/basics/rules.html) for common OpenClaw installation and invocation commands that can be imported into and used by many SIEM solutions. **Repository:** [**jamf/jamfprotect — agentic_detections (Telemetry)**](https://github.com/jamf/jamfprotect/tree/main/telemetry/detection_rules/agentic_detections)

At minimum, devices must be configured for **"Applications and processes"** log collection as [**part of a telemetry set**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_a_Telemetry_Set.html) to take advantage of these process-based `exec` detections.

![](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/logging.jpeg)

### Jamf Pro - Extension Attribute Detection Scripts

Jamf has published two Extension Attribute scripts for inventory-based detection of OpenClaw:

- [**OpenClaw Detection Extension Attribute**](https://github.com/jamf/jamfprotect/blob/main/jamf_pro_extension_attributes/Agentic_Detection/openclaw_detection.sh) - this extension attribute script will detect various forms and artifacts of OpenClaw, including website and npm installs, gateway launch agents and Docker containers on a device
- [**OpenClaw Installed Skills Detection Extension Attribute**](https://github.com/jamf/jamfprotect/blob/main/jamf_pro_extension_attributes/Agentic_Detection/openclaw_skill_detection.sh) - this extension attribute script will list any skills currently installed in OpenClaw workspaces and sessions on a device

Skills are [**markdown-based files**](https://agentskills.io/home) that provide instructions to an LLM/agent on how to perform a certain task, such as accessing an API or using an application on a user's behalf. Organizations that allow OpenClaw may wish to report separately on which skills are in use, or to audit for [**specific malicious skills**](https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface). Each script can be added as a [Computer Extension Attribute](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Computer_Extension_Attributes.html) in Jamf Pro to report the presence of OpenClaw and its installed skills as part of standard inventory update policies. Detection details for these scripts include the users and workspaces for which OpenClaw is detected, the current Gateway run status and a list of skills currently installed or in use:

![](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/EAs.jpg)

For customers wishing to pursue automated remediation, detection through these Extension Attributes can be used as the basis of a [**Jamf Pro Smart Group**](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Smart_Groups.html) predicate to then trigger an automated [**remediation policy**](/v1/docs/detecting-blocking-remediating-openclaw-using-jamf#jamf-pro-remediation-and-removal-via-policy) on devices.
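As an added illustration of the inventory approach (example code written for this article, not either of Jamf's published Extension Attribute scripts), the script below gathers the artifacts this section describes, per-user `.openclaw` workspaces, `ai.openclaw.*` LaunchAgents, an `openclaw` binary in common package-manager bin directories and a running gateway process, and emits the `<result>` tag Jamf Pro expects from an Extension Attribute. The users root is a parameter (`OPENCLAW_USERS_ROOT`, defaulting to `/Users`) so the logic can be exercised on a constructed directory tree; the binary locations and the gateway command-line pattern are assumptions to adjust for your fleet.

```shell
#!/bin/sh
# Added example, not one of Jamf's published Extension Attribute scripts: a
# minimal inventory check for the OpenClaw artifacts this section lists
# (per-user .openclaw workspaces, ai.openclaw.* LaunchAgents, an openclaw
# binary in common package-manager bin directories, a running gateway) that
# prints the <result> tag Jamf Pro reads. The users root is a parameter so the
# logic can be exercised against a constructed directory tree.

# Assumed binary locations (npm or Homebrew system bin, pnpm's default
# PNPM_HOME, bun's default bin, a common npm user prefix); adjust per fleet.
SYSTEM_BIN_CANDIDATES="/usr/local/bin/openclaw /opt/homebrew/bin/openclaw"
USER_BIN_SUBPATHS="Library/pnpm/openclaw .bun/bin/openclaw .npm-global/bin/openclaw"

# Print the name of every home directory under $1 that contains .openclaw.
find_openclaw_workspaces() {
  local home
  for home in "$1"/*/; do
    home=${home%/}
    [ -d "$home/.openclaw" ] && printf '%s\n' "${home##*/}"
  done
  return 0
}

# Print user:plist for every ai.openclaw.* LaunchAgent under $1/*/Library/LaunchAgents.
find_gateway_agents() {
  local home p
  for home in "$1"/*/; do
    home=${home%/}
    for p in "$home"/Library/LaunchAgents/ai.openclaw.*.plist; do
      [ -f "$p" ] && printf '%s:%s\n' "${home##*/}" "${p##*/}"
    done
  done
  return 0
}

# Print each candidate openclaw binary path that exists, system-wide or per user.
find_openclaw_binaries() {
  local b home sub
  for b in $SYSTEM_BIN_CANDIDATES; do [ -e "$b" ] && printf '%s\n' "$b"; done
  for home in "$1"/*/; do
    home=${home%/}
    for sub in $USER_BIN_SUBPATHS; do [ -e "$home/$sub" ] && printf '%s\n' "$home/$sub"; done
  done
  return 0
}

# Assumption: the gateway's command line contains "openclaw" followed by
# "gateway". Avoid naming this script in a way that matches the same pattern.
gateway_running() { pgrep -f 'openclaw.*gateway' >/dev/null 2>&1; }

# Turn newline-separated lines into "a, b, c", or "none" when empty.
join_lines() {
  local joined; joined=$(printf '%s\n' "$1" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
  printf '%s' "${joined:-none}"
}

# openclaw_inventory USERS_ROOT [CHECK_PROCESS=1] -> one-line result string
openclaw_inventory() {
  local root check ws agents bins running
  root=$1; check=${2:-1}; running=no
  ws=$(find_openclaw_workspaces "$root")
  agents=$(find_gateway_agents "$root")
  bins=$(find_openclaw_binaries "$root")
  [ "$check" = 1 ] && gateway_running && running=yes
  if [ -z "$ws$agents$bins" ] && [ "$running" = no ]; then
    printf 'Not Installed\n'
    return 0
  fi
  printf 'Installed | workspaces: %s | launch agents: %s | binaries: %s | gateway running: %s\n' \
    "$(join_lines "$ws")" "$(join_lines "$agents")" "$(join_lines "$bins")" "$running"
}

# Stand-alone use as an Extension Attribute (Jamf Pro stores the text inside <result>).
printf '<result>%s</result>\n' "$(openclaw_inventory "${OPENCLAW_USERS_ROOT:-/Users}")"
```

A Smart Group criterion of the form "extension attribute *is not* `Not Installed`" then scopes the remediation policy, and running the same inventory after the removal policy is a convenient way to satisfy the validation the removal note below asks for.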

### Jamf Pro - Remediation and Removal via Policy

Once OpenClaw has been detected on a device, organizations may wish to implement either manual or automated remediation and removal. [**Jamf Pro's ability to run Policy-based scripts**](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Scripts.html) provides flexibility in how remediation takes place and can be integrated with [**Jamf Pro Extension Attributes**](/v1/docs/detecting-blocking-remediating-openclawclawdbot-within-the-jamf-platform#jamf-pro-extension-attribute-detection-scripts) or [**Jamf Protect Custom Analytics (with Analytic Remediation)**](/v1/docs/detecting-blocking-remediating-openclaw-using-jamf#jamf-protect-custom-analytics) to perform automated policy-based removal with clear audit and logging trails.

Jamf has authored an [**OpenClaw removal script**](https://github.com/jamf/scripts/blob/main/sales/openclaw_removal/openclaw_removal.sh) that is capable of removing various forms of OpenClaw installation on macOS. At the present time, this includes the removal of:

- Binaries installed using the `curl`-based one-liner install command from openclaw.ai
- Binaries installed using the [**npm**](https://www.npmjs.com/), [**pnpm**](https://pnpm.io/) and [**bun**](https://bun.com/) package managers
- The macOS OpenClaw companion app
- Docker images and containers matching `openclaw` naming
- The gateway service and LaunchAgent
- The `.openclaw` working/workspace directory for each user

To configure remediation and removal of OpenClaw using Jamf Pro, you can [**create a new Script and Policy**](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Scripts.html) and assign its scope to Computers either manually or via a [**Smart Group**](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Smart_Groups.html) whose membership is based on one of the detection mechanisms listed above.

> [!WARNING]
> The openclaw_removal.sh script is provided as a best-effort tool for removing the most common forms of the current iteration of OpenClaw and its artifacts as of writing. It is not exhaustive in removing all forms of OpenClaw (such as source-based installs) or installations where a user has deliberately obfuscated OpenClaw's presence (for example by changing binary or directory names). Care should be taken as these tools evolve to ensure that removal is properly validated using other detection methods.

> [!NOTE]
> Once OpenClaw has been detected and removed from a system, there may be other post-removal remediation steps required. Consider whether you need to revoke tokens or sessions for any connected services (such as Google/Gmail, Microsoft, GitHub) or any corporate LLM or inference providers (Anthropic, OpenAI, etc.).

### References and Further Reading

#### Jamf Documentation

- [Content Filtering — Available Site Categories](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Block_Policy_Available_Site_Categories.html)
- [Configuring Your Content Filtering Policy](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Configuring_your_Block_Policy.html)
- [Custom Prevent Lists](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Custom_Prevent_Lists.html)
- [Creating Analytics](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_Analytics.html)
- [Advanced Threat Controls](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Advanced_Threat_Controls.html)
- [Endpoint Threat Prevention](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Threat_Prevention_with_Jamf_Protect.html)
- [Telemetry](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Telemetry.html)
- [Creating a Telemetry Set](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_a_Telemetry_Set.html)
- [Computer Extension Attributes (Jamf Pro)](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Computer_Extension_Attributes.html)
- [Smart Groups (Jamf Pro)](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Smart_Groups.html)
- [Scripts (Jamf Pro)](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Scripts.html)

#### Jamf GitHub Resources

- [Custom Analytic Detections — Agentic Detections](https://github.com/jamf/jamfprotect/tree/main/custom_analytic_detections/agentic_detections)
- [Telemetry Sigma Rules — Agentic Detections](https://github.com/jamf/jamfprotect/tree/main/telemetry/detection_rules/agentic_detections)
- [Extension Attribute — OpenClaw Detection](https://github.com/jamf/jamfprotect/blob/main/jamf_pro_extension_attributes/Agentic_Detection/openclaw_detection.sh)
- [Extension Attribute — OpenClaw Installed Skills Detection](https://github.com/jamf/jamfprotect/blob/main/jamf_pro_extension_attributes/Agentic_Detection/openclaw_skill_detection.sh)
- [Removal Script — OpenClaw](https://github.com/jamf/scripts/blob/main/sales/openclaw/openclaw_removal.sh)

#### External Resources

- [OpenClaw](https://openclaw.ai/)
- [OpenClaw GitHub](https://github.com/openclaw)
- [OpenClaw macOS Companion App Documentation](https://docs.openclaw.ai/platforms/macos)
- [Jamf Threat Labs](https://www.jamf.com/threat-labs/)
- [Sigma Rules Documentation](https://sigmahq.io/docs/basics/rules.html)
- [AgentSkills.io — Skills Directory](https://agentskills.io/home)
- [Malicious ClawHub Skills Hide in Plain Sight (OpenSourceMalware)](https://opensourcemalware.com/blog/malicious-clawhub-skills-hide-in-plain-sight)
- [From Magic to Malware — How OpenClaw's Agent Skills Become an Attack Surface (1Password)](https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface)

  

