Features 09.06.2026
Agentic Threats: How to Manage a Problem Like OpenClaw
OpenClaw promises productivity gains, but its autonomy, access and growing shadow AI footprint could make it a security team’s next major challenge
For all the talk of agentic AI, few tools have caught the public imagination quite like OpenClaw. At the time of writing, the personal assistant had amassed nearly 244,000 stars on GitHub – putting it comfortably in the top 20 most popular projects of all time. Over 47,000 forks currently exist, as developers customise it for new use cases.
Yet the tool itself – designed to “feel local, fast, and always-on” – is also a potentially serious security risk when deployed in enterprise environments. Its autonomy, broad access to sensitive data and systems, and exposure to vulnerabilities, misconfigurations and malicious add-ons should be concerning for any CISO.
The challenge will be managing these risks at a time when shadow AI is increasingly difficult to tackle.
Developed by Austrian programmer Peter Steinberger and released in November 2025, OpenClaw is marketed as “a personal, single-user assistant”. Originally named Clawdbot, then Moltbot, it runs locally on a user’s machine (or server) and autonomously performs a wide range of tasks by connecting to large language models (LLMs) and third-party systems. It can read and draft emails, schedule and summarise meetings, manage smart devices, interact with customers via social media, and much more.
Crucially, it requires elevated permissions to do all of this. And it stores all interactions with these external systems locally, along with related configuration data, which ensures that behaviour persists across sessions. This poses a potentially significant security risk, enabling threat actors to turn the tool into a powerful, controllable backdoor into the enterprise.
Cequence Security CISO, Randolph Barr, tells Assured Intelligence that OpenClaw blends three elements that security practitioners typically work hard to separate.
“It ingests untrusted external inputs such as web content, messages, and calendar invites; it has access to sensitive systems and data including local files, browser sessions, API keys, and connected SaaS platforms; and it can take autonomous action at machine speed,” he explains. “That combination collapses long-standing assumptions about user intent, browser isolation, and even localhost as a trusted boundary.”
The attack surface for OpenClaw covers several elements. Multiple vulnerabilities have already been discovered by researchers, covering server-side request forgery (SSRF), missing authentication and path traversal issues. A new ClawJacked bug could enable malicious websites to silently brute force a target’s local gateway password in seconds for complete remote control.
Because the agent is programmed to read emails and other content, it is also vulnerable to indirect prompt injection attacks, where malicious instructions are hidden in web content or messages. Or threat actors could target instances directly. One report reveals over 135,000 OpenClaw deployments globally that have been misconfigured to expose their control panels and grant full system access. Over a third (35%) are assessed to be vulnerable.
Then there are the hundreds of malicious “skills” (plugins) that researchers have discovered on the ClawHub repository. Due to poor internal vetting on the site, users could unwittingly download infostealer malware. In fact, security experts have already uncovered the first live infostealer attack on an OpenClaw instance, and predict many more in the future.
If an agent gets manipulated or compromised, “things can spiral quickly”, says Barr – enabling threat actors to search local files and internal wikis, steal sensitive documents and source code, or access connected SaaS apps. Because the agent is trusted, this could all happen without raising any immediate red flags.
“Across these scenarios, the core issue is the same. Attackers are not just gaining access to a single system; they are inheriting delegated authority across SaaS applications, cloud consoles, messaging platforms, and browser sessions,” Barr continues. “That level of access enables intellectual property theft, credential harvesting, lateral movement, financial fraud, and business email compromise to occur quickly and with minimal friction.”
All of the experts Assured Intelligence spoke to expressed concerns that developer teams may be adopting tools like OpenClaw faster than controls can keep pace.
“Architecturally, OpenClaw is a locally running control plane for an AI agent that can authenticate, orchestrate actions, and execute commands to connected nodes (devices/tools) from the developer’s machine,” Noma Security CISO, Diana Kelley, tells Assured Intelligence.
“This is why governance is so important: AI agents running on developer machines must be treated like the highly privileged systems that they are. Mitigation has to combine fast technical containment with a workable governance path.”
What does this mean in practice? Patching promptly any newly discovered vulnerabilities in the product, and “making shadow AI visible”, she says. “Use endpoint management telemetry to identify OpenClaw (processes, listening ports, installed packages) and put it into one of three buckets: approved, tolerated with guardrails, or denied,” Kelley continues. “If you have to deny, do it surgically, and pair it with an approved alternative workflow so teams can still ship.”
Next, lock down access with restricted permissions, argues Cequence Security’s Barr.
“Agents should never inherit broad, long-lived user credentials. Use scoped tokens, short-lived credentials, delegated access models, and task-based authorisation so that an agent can only perform narrowly defined actions aligned to its purpose,” he says.
Barr advises CISOs to monitor where OpenClaw is running and what permissions it’s granted. “Letting an autonomous agent operate directly on someone’s everyday laptop or in an open environment is asking for trouble,” he says. “It’s far safer to run them in isolated spaces, like containers or virtual machines, where you deliberately limit what they can access across the system and network. If something does break or get abused, you’ve contained the blast radius instead of putting the whole environment at risk.”
For Noma Security’s Kelley, it’s about operationalising “safe agent use” as standard. “CISA’s Secure by Design principles are a helpful lens: ownership of outcomes, transparency, and leadership-level prioritisation apply just as much to agentic tooling as they do to software products,” she says. “Require any agent tool that can execute commands or access enterprise systems to have: explicit consent for new device trust, auditable action logs, and reasonable rate limits.”
Hanah-Marie Darley, chief AI officer at Geordie AI and former field CISO at Darktrace, argues that OpenClaw is emblematic of a new era of enterprise IT.
“It’s not a paradigm shift in AI capability. It represents something more structural: autonomy moving down the stack toward individuals rather than remaining inside centrally governed enterprise systems,” she tells Assured Intelligence. “Significantly, it’s not only OpenClaw that demonstrates this, but many other forms of citizen development of AI agents across the enterprise.”
To manage the associated risks, Darley suggests starting with visibility, and then “aggressively” restricting and rotating credentials. Then it’s time for monitoring.
“Autonomous tools tend to create unusual interaction patterns: repeated API calls, automated messaging, or multi-system workflows that look like insider activity,” she says. “Having behavioural observability and activity logs is crucial to understand how agents are behaving and implement policies and mitigations to change those behaviours, beyond basic access controls.”
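Behavioural detection of the kind Darley describes, as an added example that is not from the article or from the OpenClaw project: it parses constructed access-log lines and flags an identity whose actions fan out across several connected systems at machine speed, the insider-like pattern of an agent acting under a user’s delegated credentials. The log format, identities, system names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not from the article): timestamp, identity, system, action.
SAMPLE_LOG = """\
2026-06-09T09:00:00.000Z alice@corp.example mail  read_message
2026-06-09T09:00:00.180Z alice@corp.example wiki  search
2026-06-09T09:00:00.310Z alice@corp.example git   clone_repo
2026-06-09T09:00:00.450Z alice@corp.example chat  send_message
2026-06-09T09:00:00.600Z alice@corp.example drive download_file
2026-06-09T09:00:00.720Z alice@corp.example cloud list_secrets
2026-06-09T09:03:12.000Z bob@corp.example   mail  read_message
2026-06-09T09:07:45.000Z bob@corp.example   wiki  search
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return (timestamp, principal, system, action) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, principal, system, action = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), principal, system, action))
    return events

def find_agent_like_activity(events, window_s=60, min_calls=5, min_systems=3, max_median_gap_s=1.0):
    """Flag identities whose actions within one window fan out across several systems
    with sub-second spacing: machine-speed multi-system workflows, not human clicking."""
    by_principal = defaultdict(list)
    for ts, principal, system, action in events:
        by_principal[principal].append((ts, system, action))
    findings = {}
    for principal, evs in by_principal.items():
        evs.sort()
        for i in range(len(evs)):
            j = i  # grow the window forward from event i while it stays inside window_s
            while j + 1 < len(evs) and (evs[j + 1][0] - evs[i][0]).total_seconds() <= window_s:
                j += 1
            window = evs[i:j + 1]
            if len(window) < min_calls:
                continue
            gaps = sorted((window[k + 1][0] - window[k][0]).total_seconds() for k in range(len(window) - 1))
            systems = {s for _, s, _ in window}
            if len(systems) >= min_systems and gaps[len(gaps) // 2] <= max_median_gap_s:
                findings[principal] = {"calls": len(window), "systems": sorted(systems),
                                       "median_gap_s": gaps[len(gaps) // 2]}
                break  # one finding per identity is enough for triage
    return findings
```

On the sample, alice’s six actions across six systems in under a second are flagged while bob’s two slow, isolated actions are not; the thresholds are the policy knobs a SOC would tune against its own baseline.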
Next, CISOs should establish clear guidance for personal agents.
“Many employees are experimenting with automation for productivity. Provide guardrails around which systems can be connected and which cannot,” says Darley. “Be as specific as possible about which tools, credentials, and systems can be connected, whether personal accounts are acceptable and if so in what circumstances. Also be sure to identify when official use-case approval or procurement cycles should be triggered.”
Experts argue that simpler options just aren’t workable. Blocking the tool outright might sound attractive, but is “not a scalable strategy”, says Cequence Security’s Barr. Given the potential productivity gains from tools like OpenClaw, developers and other users will simply find ways to circumvent rigid controls. CISOs should be focused on guiding innovation rather than blocking it, he adds.
“Create a secure path for teams to experiment and move fast, but back it with strong identity controls, isolated execution environments, API-level oversight, and continuous monitoring,” Barr concludes. “That balance is what keeps progress from turning into risk. When something goes wrong, and in fast-moving AI environments it eventually will, the goal is to limit blast radius, revoke access quickly, and maintain visibility across the agent’s activity surface.”
OpenClaw’s creator has since stepped back from the project to work at OpenAI. But OpenClaw will live on. In fact, it threatens to cast a lengthy shadow over enterprise security teams for some time to come.