Building 646 Suricata Rules to Detect AI Agent Threats: OpenClaw Security with CGTI Lite

Building 646 Suricata Rules to Detect AI Agent Threats: OpenClaw Security with CGTI Lite Between January and March 2026, the OpenClaw AI agent ecosystem faced a wave of targeted attacks that existing security tools weren't equipped to handle. The ClawHavoc campaign distributed 1,184+ malicious skills through ClawHub. GhostClaw RAT spread via typosquatted npm packages. AMOS Stealer harvested macOS credentials. 135,000+ OpenClaw instances were found exposed on the public internet with zero authentication. 25 CVEs were disclosed, with CVSS scores reaching 9.9. I looked for Suricata rules covering these threats. MCP protocol exploitation, WebSocket gateway attacks, AI skill supply-chain poisoning — none of it was covered by ET Open, ET Pro, or any community ruleset I could find. So I built CGTI Lite for OpenClaw — 646 hand-crafted Suricata detection rules across 13 specialized categories, plus a cross-platform management tool. This post explains the detection engineering behind it. GitHub: