Awesome-OpenClaw-Papers
agent
Warn
Health Warn
- License — License: NOASSERTION
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 8 GitHub stars
Code Warn
- Code scan incomplete — No supported source files were scanned during light audit
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This repository is a curated list of academic papers, security reports, datasets, and tools for the OpenClaw AI agent ecosystem. It serves as a companion resource to a survey paper and uses a four-layer taxonomy to organize research materials.
Security Assessment
Risk: Low. This project is strictly an informational collection of resources and links rather than an executable software package. It does not request any dangerous permissions, execute shell commands, or access sensitive data. Because the automated code scan could not find supported source files to analyze, there is no application code to evaluate for hardcoded secrets or malicious network requests. As a static document repository, it poses negligible direct security risks to your system.
Quality Assessment
The repository appears to be actively maintained, with its last push occurring very recently. However, it currently suffers from extremely low community visibility, having only accumulated 8 GitHub stars. Additionally, the license is marked as NOASSERTION, meaning it lacks a clearly defined open-source license, which is a drawback if you intend to reuse or distribute the materials. While the documentation is highly detailed and well-structured, you should verify the contents and community traction carefully before relying on it as a primary research source.
Verdict
Safe to use as a reading reference, but verify the individual links and papers you access through this list.
This repository is a curated list of academic papers, security reports, datasets, and tools for the OpenClaw AI agent ecosystem. It serves as a companion resource to a survey paper and uses a four-layer taxonomy to organize research materials.
Security Assessment
Risk: Low. This project is strictly an informational collection of resources and links rather than an executable software package. It does not request any dangerous permissions, execute shell commands, or access sensitive data. Because the automated code scan could not find supported source files to analyze, there is no application code to evaluate for hardcoded secrets or malicious network requests. As a static document repository, it poses negligible direct security risks to your system.
Quality Assessment
The repository appears to be actively maintained, with its last push occurring very recently. However, it currently suffers from extremely low community visibility, having only accumulated 8 GitHub stars. Additionally, the license is marked as NOASSERTION, meaning it lacks a clearly defined open-source license, which is a drawback if you intend to reuse or distribute the materials. While the documentation is highly detailed and well-structured, you should verify the contents and community traction carefully before relying on it as a primary research source.
Verdict
Safe to use as a reading reference, but verify the individual links and papers you access through this list.
A curated collection of academic papers, security reports, datasets, and tools for the OpenClaw AI agent ecosystem.
README.md
Awesome OpenClaw Research 
A curated collection of academic papers, security reports, datasets, and tools for the OpenClaw AI agent ecosystem.
Companion resource for our survey paper.
OpenClaw — the open-source, self-hosted AI agent platform created by Peter Steinberger (evolving from Clawdbot → Moltbot → OpenClaw on January 29, 2026) — has generated 60+ academic papers and 20+ major industry reports in under three months. This repository organizes the research landscape using a four-layer PSEA (Platform–Security–Ecosystem–Application) taxonomy.
Statistics at a Glance
| Layer | Category | Papers | Sub-topics |
|---|---|---|---|
| 🔧 P | Platform | 8 | Core architecture, RL training, skill quality |
| 🛡️ S | Security | 22 | Threat taxonomies, attacks, defenses, supply chain |
| 🌐 E | Ecosystem | 22 | Moltbook measurement, safety dynamics, learning |
| 🚀 A | Application | 8 | Robotics, healthcare, education, science |
| Total | 60 |
Contents
:page_facing_up: Research Papers
:file_folder: Resources
- :shield: Industry Security Reports
- :wrench: Open-Source Projects & Tools
- :bar_chart: Datasets & Benchmarks
- :link: Related Awesome Lists
- :handshake: Contributing
🔧 Platform
How OpenClaw is built — core architecture, learning, and skill infrastructure. (8 papers)
⚙️ Core Architecture (5)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| OpenClaw-RL: Train Any Agent Simply by Talking | Mar 2026 | Async RL from live interaction signals; combines evaluative and directive rewards | Paper  |
| OpenCLAW-P2P: A Decentralized Framework for Collective AI Intelligence Towards AGI | Feb 2026 | Decentralized agent network with DHT, federated learning, and formal verification | GitHub |
| AgentOS: From Application Silos to a NL-Driven Data Ecosystem | Mar 2026 | Personal Agent OS replacing GUI with NL interaction; cites OpenClaw as exemplar | Paper |
| MetaClaw: Just Talk — An Agent That Meta-Learns and Evolves in the Wild | Mar 2026 | Continual meta-learning on OpenClaw; dynamic skill synthesis and policy optimization | Paper |
📦 Skill Quality & Optimization (3)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| SkillClone: Multi-Modal Clone Detection ⭐ ASE 2026 | Mar 2026 | First multi-modal clone detector; massive ecosystem inflation from cloning | Paper |
| SkillNet: Create, Evaluate, and Connect AI Skills | Feb 2026 | Unified skill ontology with multi-dimensional quality evaluation framework | Paper  |
| SkillReducer: Optimizing LLM Agent Skills for Token Efficiency | Mar 2026 | Skill debloating framework compresses descriptions while preserving functionality | Paper |
🛡️ Security
Threats, attacks, defenses, and supply chain security. (22 papers + industry reports)
🔍 Threat Analysis & Taxonomies (8)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| Uncovering Security Threats in Autonomous Agents (FASA) | Mar 2026 | Tri-layered risk taxonomy with full-lifecycle defense architecture | Paper  |
| Don't Let the Claw Grip Your Hand | Mar 2026 | Empirical red-teaming across six LLMs; human-in-the-loop defense layer | Paper  |
| Taming OpenClaw: Security Analysis and Mitigation | Mar 2026 | Five-stage lifecycle threat model; point defenses fail cross-stage attacks | Paper |
| A Systematic Taxonomy of Security Vulnerabilities | Mar 2026 | Analysis of 190 security advisories; OpenClaw-specific kill chain | Paper |
| A Trajectory-Based Safety Audit of Clawdbot | Feb 2026 | Trajectory-level safety evaluation; complete failure on intent misunderstanding | Paper  |
| From Assistant to Double Agent (PASB) | Feb 2026 | First end-to-end benchmark for personalized agent security | Paper  |
| ClawTrap: MITM-Based Red-Teaming Framework | Mar 2026 | First network-layer red-teaming framework for agent systems | Paper |
| Your Agent, Their Asset: Real-World Safety Analysis of OpenClaw | Apr 2026 | CIK taxonomy (Capability/Identity/Knowledge); ASR 24.6% → 64–74% under single-dimension poisoning | Paper |
🔥 Adversarial Attacks (4)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| Clawdrain: Token Exhaustion via Tool-Calling Chains | Mar 2026 | Trojanized skill causes massive token amplification; denial-of-wallet attack | Paper |
| ClawWorm: Self-Propagating Attacks Across Agent Ecosystems | Mar 2026 | First self-replicating worm for a production agent framework | Paper |
| HEARTBEAT: Silent Memory Pollution via Background Execution | Mar 2026 | Exploits heartbeat cycle as covert channel for persistent backdoor injection | Paper |
| Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks | Feb 2026 | Benchmark of 202 injection-task pairs; up to 80% ASR on frontier LLMs via skill files | Paper  |
🛡️ Defensive Architectures (6)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| OpenClaw PRISM: Zero-Fork Runtime Security Layer | Mar 2026 | Defense-in-depth across 10 lifecycle hooks with risk accumulation and decay | Paper |
| Agent Privilege Separation Against Prompt Injection | Mar 2026 | Two-agent architecture eliminates prompt injection for constrained tasks | Paper |
| Before the Tool Call: Pre-Action Authorization (OAP) | Mar 2026 | Deterministic pre-action authorization blocks all unauthorized actions | Paper  |
| VeriGrey: Greybox Agent Validation | Mar 2026 | Grey-box fuzzing with tool-invocation coverage feedback outperforms black-box | Paper  |
| Guardrail Proofs: Cryptographic Attestation for Agent Safety | Mar 2026 | TEE-based cryptographic proof that guardrails actually execute on OpenClaw | Paper |
| Governance Architecture for Autonomous Agent Systems (LGA) | Mar 2026 | Four-layer governance with sandbox, intent verification, zero-trust auth, audit | Paper |
🔗 Supply Chain Security (4)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| SkillFortify: Formal Analysis and Supply Chain Security | Feb 2026 | First formal supply-chain framework with Dolev-Yao attacker model for skills | Paper  |
| SkillProbe: Security Auditing via Multi-Agent Collaboration | Mar 2026 | Multi-agent auditing reveals most popular skills fail rigorous security checks | Paper |
| Malicious Or Not: Repository Context for Skill Classification | Mar 2026 | Largest skill ecosystem study; repo-context dramatically reduces false positives | Paper |
| Systems-Level Attack Surface of Edge Agent Deployments on IoT | Feb 2026 | Deployment architecture is the primary security determinant for edge agents | Paper |
🌐 Ecosystem
What happens when agents interact at scale — Moltbook social dynamics, safety phenomena, and ecosystem perspectives. (22 papers)
Moltbook Social Dynamics (20)
The first agent-only social network with 1.5M+ registered AI agents.
📊 Platform Measurement & Network Structure
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| Collective Behavior of AI Agents: the Case of Moltbook | Feb 2026 | Large-scale statistical analysis showing human-like attention dynamics | Paper |
| Exploring Silicon-Based Societies | Feb 2026 | "Data-driven silicon sociology" framework; emergent community archetypes | Paper |
| 'Humans welcome to observe': A First Look at Moltbook | Feb 2026 | First measurement study with topic taxonomy and toxicity analysis | Paper |
| The Anatomy of the Moltbook Social Graph | Feb 2026 | Small-world structure but shallow, non-reciprocal micro-interactions | Paper  |
| The Rise of AI Agent Communities | Feb 2026 | Discourse analysis showing functional utility drives agent influence | Paper |
| Emergence of Fragility in LLM-based Social Networks | Mar 2026 | Core-periphery structure reveals vulnerability to targeted hub attacks | Paper |
| MoltNet: Understanding Social Behavior of AI Agents | Feb 2026 | Agents selectively mimic human behavior; persona drift after social rewards | Paper  |
| Social Simulacra in the Wild: AI vs Human Communities | Mar 2026 | First AI-vs-human community comparison; structural homogenization found | Paper |
| Scientific Discussions on Moltbook (BERTopic) | Mar 2026 | Topic modeling of AI science discourse; self-referential discussion patterns | Paper |
| Fast Response or Silence: Conversation Persistence on Moltbook | Feb 2026 | Two-part persistence decomposition; low incidence is the binding coordination bottleneck | Paper |
| Comparative Analysis of Social Network Topology in Reddit and Moltbook | Feb 2026 | First topological comparison; Moltbook operates as broadcast network, not social community | Paper |
| Let There Be Claws: Early Social Network Analysis of AI Agents on Moltbook | Feb 2026 | Structural SNA showing broadcast hierarchy with extreme attention concentration | Paper |
⚠️ Safety, Norms & Emergent Behavior
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| The Moltbook Illusion: Human vs Emergent Behavior | Feb 2026 | Temporal fingerprinting separates autonomous from human-influenced agents | Paper  |
| The Devil Behind Moltbook: Safety Vanishing | Feb 2026 | Proves self-evolution trilemma impossibility result for agent societies | Paper |
| Agents in the Wild: Safety and Sociality on Moltbook | Feb 2026 | Governance and religion emerge spontaneously but interaction is performative | Paper |
| Risky Instruction Sharing and Norm Enforcement (AIRS) | Feb 2026 | Action-inducing posts trigger emergent decentralized norm enforcement | Paper  |
| Large-Scale Analysis of Political Propaganda on Moltbook | Mar 2026 | Political propaganda disproportionately concentrated in small post fraction | Paper |
🔗 Learning & Coordination
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| Peer Learning Patterns in the Moltbook Community | Feb 2026 | Taxonomy of peer response patterns: validation, extension, application | Paper |
| Informal Learners at Moltbook: Emergent Learning at Scale | Feb 2026 | Extreme broadcasting inversion; parallel monologues dominate interaction | Paper |
| MoltGraph: Temporal Graph for Coordinated-Agent Detection | Feb 2026 | First temporal graph dataset; coordinated posts get massive early engagement | Paper  |
| Molt Dynamics: Emergent Social Phenomena | Mar 2026 | Role specialization emerges but multi-agent cooperation largely fails | Paper |
🔭 Ecosystem Perspectives (4)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| OpenClaw as Language Infrastructure: A Case-Centered Survey | Mar 2026 | GATE and AERO analytical frameworks; 38 papers surveyed | Paper |
| A Survey on the Unique Security of LLM Agents | Mar 2026 | Manus (closed) vs OpenClaw (open) as two dominant paradigms | Paper |
| Clippy to MS Office : OpenClaw to the Entire System | Mar 2026 | Privacy Visual Wrapper; Agentic Trust Calibration Model | Paper |
| The Innovator's Dilemma in the Age of Autonomous Agents | Feb 2026 | "SaaSpocalypse" ($285B erased); "pincer disruption" concept | Paper |
🚀 Application
Where OpenClaw is deployed in specific domains. (8 papers)
| Title | Date | Key Contribution | Links |
|---|---|---|---|
| ROSClaw: OpenClaw ROS 2 Framework for Robot Control | Mar 2026 | Model-agnostic ROS 2 executive layer for multi-platform robot control | Paper |
| RoboClaw: Scalable Long-Horizon Robotic Tasks | Mar 2026 | VLM-driven controller with self-resetting data collection loops | Paper  |
| When OpenClaw Meets Hospital | Mar 2026 | Hospital-adapted architecture with HIPAA compliance and manifest-guided memory | Paper |
| MedOpenClaw: Auditable Medical Imaging Agents over Uncurated Full Studies | Mar 2026 | Auditable OpenClaw runtime for VLM-based medical imaging with 3D volume navigation | Paper |
| Human-AI Partnership in Education ⭐ AIED 2026 | Mar 2026 | Emergent peer learning and trust dynamics across agent communities | Paper |
| From Agent-Only Networks to Autonomous Science (ClawdLab) | Feb 2026 | Autonomous scientific research platform with PI-led governance | Paper  |
:shield: Industry Security Reports
| Organization | Report | Date | Key Finding |
|---|---|---|---|
| Trend Micro | Viral AI, Invisible Risks | Feb 2026 | TrendAI Digital Assistant Framework mapping |
| Trend Micro | Malicious Skills Distribute AMOS Stealer | Feb 2026 | AMOS stealer via SKILL.md across 39 skills |
| Trend Micro | CISOs in a Pinch | Feb 2026 | "Lethal Trifecta + Persistence" concept |
| Trend Micro | TrendAI Secures the OpenClaw Era | Mar 2026 | Agentic Governance Gateway announcement |
| Microsoft | Running OpenClaw Safely | Feb 2026 | "Not appropriate for standard workstations" |
| NVIDIA | NemoClaw at GTC 2026 | Mar 2026 | Open-source security wrapper with OpenShell |
| Oasis Security | ClawJacked | Feb 2026 | WebSocket takeover; patched in 24h |
| Koi / Repello AI | ClawHavoc Campaign | Feb 2026 | 824+ malicious skills via CVE-2026-25253 |
| Kaspersky | OpenClaw Unsafe for Use | Feb 2026 | 512 vulns (8 critical); ~1K exposed instances |
| Cisco AI | OpenClaw Skill Audit | Feb 2026 | 26% of 31K skills vulnerable |
| Sophos | OpenClaw Security Analysis | 2026 | Exposed instances; sandbox escape |
| Snyk Labs | From SKILL.md to Shell Access | 2026 | 1,467 malicious skills; 3-line Markdown → shell |
| JFrog | OpenClaw Package Security | 2026 | Malicious package detection |
| SecurityScorecard | OpenClaw Risk Assessment | 2026 | Enterprise deployment risk guidance |
| Hunt.io | OpenClaw Exposure Report | 2026 | 30K-135K+ exposed instances |
| Antiy CERT | ClawHavoc Campaign Analysis | Feb 2026 | 1,184 malicious skills; ClickFix; AMOS stealer |
| Zenity Labs | OpenClaw or OpenDoor? | Jan 2026 | Backdoor via messaging app integration |
| Giskard | OpenClaw Data Leakage | Feb 2026 | Live exploitation of misconfigured deployments |
:wrench: Open-Source Projects & Tools
:bulb: Our unique angle: each tool is annotated with [Paper] tags linking to relevant research in our taxonomy.
:lobster: Core Platform
| Project | Description | Links |
|---|---|---|
| openclaw/openclaw | Official OpenClaw repository |  |
| openclaw/skills | Official skills repository |  |
| ClawHub | Official skill marketplace (13,700+ skills) | Website |
:rocket: Extensions & Frameworks
| Project | Description | Paper | Links |
|---|---|---|---|
| Gen-Verse/OpenClaw-RL | Async RL training framework | Platform | |
| MINT-SJTU/RoboClaw | VLM-driven robotic tasks | Application |  |
| NVIDIA/NemoClaw | Enterprise security wrapper | Industry |  |
:lock: Security & Auditing
| Project | Description | Paper | Links |
|---|---|---|---|
| prompt-security/clawsec | Drift detection, automated audits | Trust |  |
| ClawSecure/clawsecure-openclaw-security | 3-Layer Audit, OWASP ASI | Trust |  |
| adversa-ai/secureclaw | OWASP-aligned security plugin | Trust |  |
| adibirzu/openclaw-security-monitor | ClawHavoc, CVE detection | Trust |  |
| nearai/ironclaw | Privacy-focused Rust implementation | Trust |  |
| ucsandman/dashclaw | Governance, HITL, audit trails | Trust |  |
:brain: Memory & Context
| Project | Description | Links |
|---|---|---|
| Contextable/openclaw-memory-graphiti | SpiceDB + Graphiti knowledge graph |  |
| coolmanns/openclaw-memory-architecture | 12-layer memory, 7ms semantic search |  |
| alibaizhanov/openclaw-mengram | Semantic, episodic & procedural memory |  |
| adoresever/graph-memory | Knowledge graph; 75% context compression |  |
| supermemoryai/openclaw-supermemory | Long-term memory extension |  |
| volcengine/OpenViking | Context database via file system paradigm |  |
:cloud: Deployment & Infrastructure
| Project | Description | Links |
|---|---|---|
| coollabsio/openclaw | Automated Docker images |  |
| khal3d/openclaw | Docker + Kubernetes (Helm) |  |
| cloudflare/moltworker | Cloudflare Workers (serverless) |  |
| serhanekicii/openclaw-helm | Helm chart for Kubernetes |  |
| 1Panel-dev/1Panel | Server panel, one-click deploy |  |
:speech_balloon: Channel Integrations
| Project | Description | Links |
|---|---|---|
| 4Players/openclaw-docker | Multi-channel (WhatsApp, Telegram, Discord, Slack) |  |
| dingxiang-me/OpenClaw-Wechat | WeChat/WeCom with streaming |  |
| larksuite/openclaw-lark | Official Feishu/Lark plugin |  |
| BytePioneer-AI/openclaw-china | Feishu, DingTalk, QQ, WeChat pack |  |
:zap: Alternative Clients
| Project | Description | Links |
|---|---|---|
| HKUDS/nanobot | Ultra-lightweight alternative |  |
| moltis-org/moltis | Rust-native runtime with sandboxing |  |
| AidanPark/openclaw-android | OpenClaw on Android |  |
| HKUDS/ClawTeam | Agent swarm automation |  |
:microscope: Domain-Specific Skills
| Project | Description | Paper | Links |
|---|---|---|---|
| FreedomIntelligence/OpenClaw-Medical-Skills | Medical skills library | Application |  |
| ClawBio/ClawBio | Bioinformatics-native skills | Application |  |
| BlockRunAI/ClawRouter | LLM router, cost control | Platform |  |
:books: Learning Resources
| Project | Description | Links |
|---|---|---|
| datawhalechina/hello-claw | Structured Chinese tutorial |  |
| centminmod/explain-openclaw | Architecture, security, deployment docs |  |
:bar_chart: Datasets & Benchmarks
| Dataset | Source Paper | Scale | Description | Link |
|---|---|---|---|---|
| SkillFortifyBench | SkillFortify | 540 skills | Supply chain security evaluation; 96.95% F1 | Paper |
| PASB | Double Agent | 131 tools | Personalized Agent Security Bench | Paper |
| MoltGraph | MoltGraph | 6,159 agents | Temporal graph for coordination detection | Paper |
| ATBench | Safety Audit | 34 cases | Trajectory-based safety across 6 dimensions | Paper |
| AgentDojo | VeriGrey | — | Agent security testing (33% grey-box gain) | Paper |
| LLMail-Inject | Privilege Sep. | 649 attacks | Prompt injection; 0% ASR with defense | Paper |
| ClawHub Corpus | Malicious Or Not | 238,180 skills | Largest skill dataset across 4 registries | Paper |
| SkillClone Corpus | SkillClone | 20,000 skills | 258K clone pairs; 75% involved | Paper |
| Moltbook Observatory Archive | SimulaMet | 2M+ rows | 923K posts, 882K comments, 102K agents; foundational dataset for 14+ Moltbook papers | Dataset |
| Skill-Inject Benchmark | Skill-Inject | 202 pairs | Injection-task pairs measuring agent vulnerability to skill file attacks | Paper |
:link: Related Awesome Lists
| Repository | Focus | Stars |
|---|---|---|
| VoltAgent/awesome-openclaw-skills | 5,211 curated OpenClaw skills |  |
| hesamsheikh/awesome-openclaw-usecases | 42 verified use cases |  |
| ZeroLu/awesome-openclaw | Getting-started guide with skill packs |  |
| alvinreal/awesome-openclaw | Ecosystem tools, dashboards, integrations |  |
| mergisi/awesome-openclaw-agents | 162 OpenClaw agent templates |  |
:handshake: Contributing
Contributions welcome! Please read the contributing guidelines first.
We especially welcome:
- :page_facing_up: New papers not yet listed
- :computer: Code repositories associated with listed papers
- :shield: Industry reports and technical analyses
- :bar_chart: Datasets and benchmarks
:pencil: Citation
@article{awesome-openclaw-research-2026,
title={Awesome OpenClaw Research: A Curated Collection of the OpenClaw AI Agent Ecosystem},
author={Wang, Ziqing},
year={2026},
url={https://github.com/REAL-Lab-NU/Awesome-OpenClaw-Papers}
}
:star2: Star History
License
This work is licensed under Creative Commons Attribution 4.0 International License.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found