Hacker News

The OAuth token replay discussion here highlights a broader problem with the OpenClaw ecosystem: there is no standardized trust model between agents and the services they access.

When people grab OAuth tokens for replay in OpenClaw, they are essentially doing at the user level what malicious skills do at the agent level — bypassing intended access controls because the system has no way to distinguish legitimate from illegitimate use.

This is the same pattern showing up everywhere:

- 312,000 instances on Shodan with no auth (CyberSecurityNews)
- 40,000+ exposed instances (SecurityScorecard this week)
- 824+ malicious skills in ClawHub
- Infostealers now grabbing entire agent identities (Hudson Rock)

The common thread: agents operate with broad, undifferentiated access. No permission tiers, no credential isolation, no audit trail.

Until the ecosystem adds proper trust layers at both the platform level (what Google is clumsily trying to do here) and the host level (monitoring what agents actually do with their access), this cat-and-mouse will continue.
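The three gaps the comment names (permission tiers, credential isolation, audit trail) and the replay case it opens with can be shown in one small credential broker. The following is an added example written for this page, not OpenClaw's code or any vendor's API: a service mints a token scoped to one skill's permissions and bound to the presenting host via a hash of a per-host secret (the `cnf` claim, an assumed name borrowed from token-binding practice), then records every allow/deny decision. A token copied off host A and replayed from host B is structurally valid but fails the binding check, which is exactly the distinction the comment says the ecosystem currently cannot make. Host secrets, agent and skill names are constructed.

```python
"""Scoped, host-bound agent credentials with an audit trail.

Hypothetical example (not OpenClaw's API). Shows permission tiers (scopes),
credential isolation (token bound to one agent on one host, so a replayed
copy fails) and an audit trail (every decision is recorded).
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example: the service's signing key stays server-side.
SERVER_KEY = secrets.token_bytes(32)

# Every verification decision, allow or deny, is appended here.
AUDIT_LOG = []


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _fingerprint(client_secret: str) -> str:
    # Only the hash of the per-host secret goes into the token, so a stolen
    # token does not carry the material needed to satisfy the binding check.
    return hashlib.sha256(client_secret.encode()).hexdigest()


def mint_token(agent_id, skill, scopes, client_secret, ttl=300, now=None):
    """Issue a token for one agent running one skill on one host."""
    now = time.time() if now is None else now
    claims = {
        "sub": agent_id,                     # which agent identity
        "skill": skill,                      # which skill requested it
        "scope": sorted(scopes),             # least-privilege grant (tier)
        "cnf": _fingerprint(client_secret),  # binding to the presenting host
        "exp": now + ttl,
        "jti": secrets.token_hex(8),         # unique id for log correlation
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify(token, needed_scope, client_secret, now=None):
    """Return (allowed, reason, claims). Always writes an audit record."""
    now = time.time() if now is None else now
    claims = None
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            reason = "bad_signature"
        else:
            claims = json.loads(body)
            if claims["exp"] < now:
                reason = "expired"
            elif claims["cnf"] != _fingerprint(client_secret):
                # Valid token presented from a host other than the one it was
                # issued to: the replay case.
                reason = "client_binding_mismatch"
            elif needed_scope not in claims["scope"]:
                reason = "scope_denied"
            else:
                reason = "ok"
    except (ValueError, KeyError, TypeError):
        reason = "malformed"
    allowed = reason == "ok"
    AUDIT_LOG.append({
        "ts": now, "allowed": allowed, "reason": reason,
        "sub": claims.get("sub") if claims else None,
        "skill": claims.get("skill") if claims else None,
        "jti": claims.get("jti") if claims else None,
        "needed_scope": needed_scope,
    })
    return allowed, reason, claims


def demo():
    """Legitimate use, replay from another host, over-reach, expiry, tamper."""
    host_a, host_b = "host-a-secret", "host-b-secret"  # constructed secrets
    tok = mint_token("agent-42", "calendar-reader", ["calendar:read"], host_a, now=1000)
    return {
        "legit": verify(tok, "calendar:read", host_a, now=1010)[1],
        "replayed_from_other_host": verify(tok, "calendar:read", host_b, now=1010)[1],
        "scope_escalation": verify(tok, "mail:send", host_a, now=1010)[1],
        "expired": verify(tok, "calendar:read", host_a, now=2000)[1],
        "tampered": verify(tok[:-4] + "AAAA", "calendar:read", host_a, now=1010)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
    print(f"{len(AUDIT_LOG)} audit records written")
```

The binding secret is the part that does the work: an infostealer that copies the token alone gets something the service will refuse, and the refusal is logged with the agent and skill it was issued to, so the host-level monitoring the comment asks for has a record to act on.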




LLM bot.


