Detecting, Blocking & Remediating OpenClaw using Jamf


Executive Summary

Agentic AI tools such as OpenClaw (previously known as Clawdbot and Moltbot) represent a new class of threat for organizations, blurring the line between legitimate user activity and unsanctioned autonomous access to corporate systems.

Employees may be attracted to OpenClaw's perceived convenience and personal assistant features such as email access, calendar scheduling and messaging without fully recognizing the risks involved in granting wholesale unregulated access to corporate data. Without advanced monitoring and analytics in place, IT and security teams may find it difficult to distinguish between legitimate human behavior and an OpenClaw agent acting on the user's behalf, with both accessing corporate resources through the same authenticated APIs and sessions.

This advisory describes how to use Jamf Security Cloud, Jamf Protect, and Jamf Pro together to implement a layered defense against unauthorized OpenClaw usage on managed macOS devices. The controls span network-level blocking, binary execution prevention, endpoint detection analytics, SIEM telemetry, inventory-based detection, and automated removal.

No single control is sufficient on its own. Jamf recommends deploying several of the methods below in combination for defense in depth.


Jamf Security Cloud - Content Filtering & Blocking

Jamf Security Cloud includes category-based content filtering and network blocking capabilities to allow organizations to monitor and control access for categories of applications and websites.

The following common domains relating to OpenClaw are now included in the "Other generative AI" content filtering category:

  • openclaw.ai

  • clawhub.ai

  • open-claw.me

  • molt.bot

  • openclaw.bot

Organizations that wish to block access to OpenClaw and other tools in this category can configure a Content Filtering Policy within the Policies section of Jamf Security Cloud.

Note

Blocking this category will mitigate the most popular one-line method of installation from the OpenClaw website; however, advanced users can still follow the instructions in the GitHub repository to install directly through npm or other package managers. As such, use this block in conjunction with the other visibility and remediation controls listed in this article.


Jamf Protect - Custom Prevent Lists (OpenClaw Companion App)

OpenClaw supports an optional companion app for macOS that exposes additional platform-based tools such as Camera and Screen Recording access to a local or remote OpenClaw gateway instance. As this companion app is a signed macOS binary, you can use Custom Prevent Lists in Jamf Protect to block its runtime execution on managed devices.

To implement this block, within the Jamf Protect portal navigate to Threat Prevention > Custom Prevention Lists and click Create Prevent List. Give the new list a name such as "Block OpenClaw Companion App" and select “Signing Information” as the Prevent Type. Then choose one of the following prevention methods (either one is sufficient to block the current variant of the app):

  • Team ID: Y5PE65HELJ

  • Signing ID: bot.molt.mac

This will result in the companion app being blocked on launch, with the user seeing an active block prompt.

Note

Custom Prevention Lists under Threat Prevention will block the runtime execution of the OpenClaw companion app but not the OpenClaw Gateway binary and LaunchAgents, as they lack the requisite signing identifiers. This prevention method is useful in ensuring that users do not install and run the companion app on devices, but it is not exhaustive in blocking OpenClaw on macOS.


Jamf Protect - Custom Analytics

Jamf has published a series of Jamf Protect Custom Analytics to support organizations wishing to detect the installation, persistence and invocation of OpenClaw in their environment. These custom analytics perform filesystem and process detections using Jamf Protect’s filter-based analytics engine to detect OpenClaw artifacts on a device and report back through Jamf Protect alerting.

Customers may implement all of the following analytics or select a subset based on their requirements. The analytics are also available as YAML definitions in the Jamf Protect resources GitHub repository.

How to Create a Custom Analytic from Filter Text

  1. In the Jamf Protect portal, navigate to Configuration > Analytics and click Create

  2. Set the Sensor Type to the value specified for each analytic below (either File System or Process)

  3. In the Analytic Filter section, switch to Filter Text View

  4. Paste the filter expression provided inline below

  5. Configure the severity and any desired Analytic Actions (such as adding affected devices to a Jamf Pro Smart Group)

Name: OpenClawInstallation
Sensor Type: Process Event
Description: Detection of OpenClaw installation commands from openclaw.ai.

Filter (Text View) Content:

$event.type == 1 AND
  $event.process.args.@count > 1 AND
  (
    (
      (ANY $event.process.args CONTAINS[c] "npm") AND
      (ANY $event.process.args BEGINSWITH "openclaw") AND
      (
        (ANY $event.process.args == "i") OR
        (ANY $event.process.args == "install") OR
        (ANY $event.process.args == "add") OR
        (ANY $event.process.args == "in") OR
        (ANY $event.process.args == "ins") OR
        (ANY $event.process.args == "inst") OR
        (ANY $event.process.args == "insta") OR
        (ANY $event.process.args == "instal") OR
        (ANY $event.process.args == "isnt") OR
        (ANY $event.process.args == "isnta") OR
        (ANY $event.process.args == "isntal") OR
        (ANY $event.process.args == "isntall")
      ) AND
      $event.process.path.lastPathComponent == "node"
    ) OR
    (
      (ANY $event.process.args BEGINSWITH "openclaw") AND
      (ANY $event.process.args == "add") AND
      $event.process.path.lastPathComponent == "pnpm"
    )
  )

Name: ClawHubSkillsInstall
Sensor Type: Process Event
Description: Detection of skills installed from ClawHub via npx, pnpm or bun commands.

Filter (Text View) Content:

$event.type == 1 AND
  $event.process.args.@count > 1 AND
  (
    (
      (
        (
          (ANY $event.process.args CONTAINS[c] "/npx") OR
          (ANY $event.process.args CONTAINS[c] "/pnpm")
        ) AND
        (ANY $event.process.args BEGINSWITH[c] "clawhub")
      ) OR
      (
        (ANY $event.process.args CONTAINS[c] "/bunx-") AND
        (ANY $event.process.args CONTAINS[c] "/clawhub")
      )
    ) AND
    (ANY $event.process.args == "install") AND
    $event.process.path.lastPathComponent == "node"
  )

Name: OpenClawOnboard
Sensor Type: Process Event
Description: Detection of the OpenClaw onboard command used to initiate setup.

Filter (Text View) Content:

$event.type == 1 AND
  $event.process.args.@count > 1 AND
  (
      (ANY $event.process.args CONTAINS[c] "openclaw") AND
      (ANY $event.process.args == "onboard")
  ) AND
  $event.process.parent.path.lastPathComponent == "node"

Name: OpenClawGatewayPersistence
Sensor Type: File System Event
Description: Detection of OpenClaw's gateway persistence (~/Library/LaunchAgents/ai.openclaw.gateway.plist).

Filter (Text View) Content:

("LaunchDaemon" IN $tags OR "LaunchAgent" IN $tags) AND
  $event.path.lastPathComponent BEGINSWITH "ai.openclaw."

Name: OpenClawDirectoryCreated
Sensor Type: File System Event
Description: Detection of OpenClaw's hidden workspace directory (.openclaw), created during setup.

Filter (Text View) Content:

$event.path MATCHES "\\/Users\\/[^\\/]+\\/\\.openclaw" AND
  $event.isNewDirectory == 1


Jamf Protect - Advanced Threat Controls

One of the potential attack techniques arising from the use of OpenClaw on macOS relates to malicious skills that attempt to coax users into installing malware and infostealers onto their device.

Jamf Protect’s Advanced Threat Controls are designed to intervene when unsafe or malicious activity is detected and provide protection against common techniques directly observed in malware connected to these malicious skills.

Organizations can enable both Advanced Threat Controls and Endpoint Threat Prevention within Jamf Protect and choose to Block and report or Report only depending on their risk tolerance and operational requirements.


Jamf Protect - Telemetry

Customers can use Jamf Protect Telemetry for macOS to collect system and user event log data and ship it to a SIEM or storage location of their choice.

The Jamf Threat Labs team has created a series of Sigma rules for common OpenClaw installation and invocation commands that can be imported into many SIEM solutions:

Repository: jamf/jamfprotect — agentic_detections (Telemetry)

At minimum, devices must be configured for “Applications and processes” log collection as part of a telemetry set in order to take advantage of these process-based exec detections.


Jamf Pro - Extension Attribute Detection Scripts

Jamf has published two Extension Attribute scripts for inventory-based detection of OpenClaw.

Skills are markdown-based files that provide instructions to an LLM/agent on how to perform a certain task, such as accessing an API or using an application on a user’s behalf. Organizations that allow OpenClaw may wish to separately report on which skills are in use, or to audit for specific malicious skills.

Each script can be added as a Computer Extension Attribute in Jamf Pro to report the presence of OpenClaw and its installed skills as part of standard inventory update policies.

Detection details for these scripts include the users and workspaces for which OpenClaw is detected, the current Gateway run status and a list of skills currently installed or in use.

For customers wishing to pursue automated remediation, detection through these Extension Attributes can be used as the basis of a Jamf Pro Smart Group predicate that then triggers an automated remediation policy on devices.
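The following script is an added illustration of the Extension Attribute approach and is not one of Jamf's published EA scripts. It walks each home directory under /Users, reports the OpenClaw workspace, the gateway LaunchAgent and any installed skills, and wraps the findings in the result tags Jamf Pro reads during inventory. The skills location (~/.openclaw/skills/<name>/), the gateway process match ("openclaw.*gateway") and the USERS_ROOT override used for testing are assumptions for this example, not details taken from the advisory.

```shell
#!/bin/sh
# Example Jamf Pro Extension Attribute for OpenClaw inventory (illustrative, not Jamf's EA).
# Assumptions (not from the advisory): skills live under <home>/.openclaw/skills/<name>/,
# and the gateway's command line contains "openclaw" followed by "gateway".

USERS_ROOT="${USERS_ROOT:-/Users}"   # overridable so the scan can run against a test tree

# Print one "user:artifact ..." line per home directory that carries an OpenClaw artifact.
openclaw_scan() {
    root="$1"
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home="${home%/}"
        user="${home##*/}"
        found=""
        [ -d "$home/.openclaw" ] && found="$found workspace"
        [ -f "$home/Library/LaunchAgents/ai.openclaw.gateway.plist" ] && found="$found launchagent"
        if [ -d "$home/.openclaw/skills" ]; then
            skills=""
            for s in "$home/.openclaw/skills"/*/; do
                [ -d "$s" ] || continue
                s="${s%/}"
                skills="$skills${skills:+,}${s##*/}"
            done
            [ -n "$skills" ] && found="$found skills=$skills"
        fi
        [ -n "$found" ] && printf '%s:%s\n' "$user" "${found# }"
    done
    return 0
}

# Report whether a gateway process is currently running ("yes", "no" or "unknown").
gateway_running() {
    command -v pgrep >/dev/null 2>&1 || { echo "unknown"; return 0; }
    if pgrep -f 'openclaw.*gateway' >/dev/null 2>&1; then echo "yes"; else echo "no"; fi
    return 0
}

# Build the <result>...</result> payload that Jamf Pro stores as the attribute value.
openclaw_ea_result() {
    report="$(openclaw_scan "$USERS_ROOT")"
    if [ -z "$report" ]; then
        echo "<result>Not installed</result>"
    else
        printf '<result>Gateway running: %s\n%s</result>\n' "$(gateway_running)" "$report"
    fi
    return 0
}

openclaw_ea_result
```

A Smart Group whose criterion is this attribute not equal to "Not installed" gives the membership for an automated remediation policy; the per-user skill list also gives the audit trail the section above mentions without needing a second inventory run.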


Jamf Pro - Remediation and Removal via Policy

Once OpenClaw has been detected on a device, organizations may wish to implement either manual or automated remediation and removal. Jamf Pro’s ability to run policy-based scripts provides flexibility in how remediation takes place and can be integrated with Jamf Pro Extension Attributes or Jamf Protect Custom Analytics (with Analytic Remediation) to perform automated policy-based removal with clear audit and logging trails.

Jamf has authored an OpenClaw removal script that is capable of removing various forms of OpenClaw installation on macOS. At the present time, this includes the removal of:

  • Binaries installed using the curl-based one-liner install command from openclaw.ai

  • Binaries installed using the npm, pnpm and bun package managers

  • The macOS OpenClaw companion app

  • Docker images and containers matching openclaw naming

  • The gateway service and LaunchAgent

  • The .openclaw working/workspace directory for each user

In order to configure remediation and removal of OpenClaw using Jamf Pro, create a new Script and Policy and scope it to computers either manually or via a Smart Group whose membership is based on one of the detection mechanisms listed above.

Note

The openclaw_removal.sh script is provided as a best-effort means of removing the most common forms of the current iteration of OpenClaw and its artifacts as of writing. It is not exhaustive in removing all forms of OpenClaw (such as source-based installs) or installations where a user has deliberately obfuscated OpenClaw’s presence (such as by changing binary or directory names). Care should be taken as these tools evolve to ensure that removal is properly validated using other detection methods.
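To show the shape of a policy-driven removal, here is an added example script written for this article; it is not Jamf's openclaw_removal.sh and covers only the artifact classes listed above. The locations it targets are assumptions for the example: global package-manager bin directories in OPENCLAW_BIN_DIRS, a companion app path in OPENCLAW_APP (placeholder), the gateway LaunchAgent named in the analytics section and the per-user .openclaw directory. DRY_RUN=1 reports what would be removed without touching anything, which is the mode to run first when validating against the detection methods above.

```shell
#!/bin/sh
# Example OpenClaw removal for a Jamf Pro policy (illustrative, not Jamf's openclaw_removal.sh).
# Assumed locations (not from the advisory): OPENCLAW_BIN_DIRS for npm/pnpm/bun global binaries,
# OPENCLAW_APP as a placeholder companion-app path. USERS_ROOT is overridable for testing.

USERS_ROOT="${USERS_ROOT:-/Users}"
OPENCLAW_BIN_DIRS="${OPENCLAW_BIN_DIRS:-/usr/local/bin /opt/homebrew/bin}"
OPENCLAW_APP="${OPENCLAW_APP:-/Applications/OpenClaw.app}"   # placeholder path
DRY_RUN="${DRY_RUN:-0}"
REMOVED=0   # count of artifacts removed (or that would be removed in dry-run mode)

# Remove a file, symlink or directory if present; honours DRY_RUN and counts the artifact.
remove_path() {
    [ -e "$1" ] || [ -L "$1" ] || return 0
    if [ "$DRY_RUN" = "1" ]; then
        echo "would remove: $1"
    else
        rm -rf -- "$1" || { echo "failed to remove: $1"; return 0; }
        echo "removed: $1"
    fi
    REMOVED=$((REMOVED + 1))
    return 0
}

# Unload the user's gateway LaunchAgent (macOS only) before deleting the plist.
remove_launchagent() {
    home="$1"
    plist="$home/Library/LaunchAgents/ai.openclaw.gateway.plist"
    [ -f "$plist" ] || return 0
    if [ "$DRY_RUN" != "1" ] && command -v launchctl >/dev/null 2>&1; then
        uid="$(id -u "${home##*/}" 2>/dev/null || true)"
        [ -n "$uid" ] && launchctl bootout "gui/$uid" "$plist" 2>/dev/null
    fi
    remove_path "$plist"
}

# Stop a running gateway so it cannot recreate its workspace mid-removal (macOS only).
stop_gateway() {
    [ "$DRY_RUN" = "1" ] && return 0
    [ "$(uname)" = "Darwin" ] || return 0
    command -v pkill >/dev/null 2>&1 && pkill -f 'openclaw.*gateway' 2>/dev/null
    return 0
}

# Remove containers and images whose names contain "openclaw", if Docker is present.
remove_docker() {
    command -v docker >/dev/null 2>&1 || return 0
    for c in $(docker ps -aq --filter name=openclaw 2>/dev/null); do
        [ "$DRY_RUN" = "1" ] && { echo "would remove container $c"; continue; }
        docker rm -f "$c" >/dev/null 2>&1 && echo "removed container $c"
    done
    for i in $(docker images -q --filter "reference=*openclaw*" 2>/dev/null); do
        [ "$DRY_RUN" = "1" ] && { echo "would remove image $i"; continue; }
        docker rmi -f "$i" >/dev/null 2>&1 && echo "removed image $i"
    done
    return 0
}

# Walk every user home, then the shared locations; prints a summary for the policy log.
openclaw_remove() {
    stop_gateway
    for home in "$USERS_ROOT"/*/; do
        [ -d "$home" ] || continue
        home="${home%/}"
        remove_launchagent "$home"
        remove_path "$home/.openclaw"
    done
    for dir in $OPENCLAW_BIN_DIRS; do
        remove_path "$dir/openclaw"
    done
    remove_path "$OPENCLAW_APP"
    remove_docker
    echo "artifacts handled: $REMOVED"
    return 0
}

openclaw_remove
```

Because the policy log records each path the script touched, the inventory update that follows the policy (and the Extension Attribute result it refreshes) is the check that the removal actually took effect rather than the script's own exit status.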

Note

Once OpenClaw has been detected and removed from a system, there may be other post-removal remediation steps that are required. Consider whether you need to revoke tokens or sessions for any connected services (such as Google/Gmail, Microsoft, GitHub) or any corporate LLM or inference providers (Anthropic, OpenAI, etc.).
