{"id":15786,"date":"2026-02-12T07:04:32","date_gmt":"2026-02-12T07:04:32","guid":{"rendered":"https:\/\/newestek.com\/?p=15786"},"modified":"2026-02-12T07:04:32","modified_gmt":"2026-02-12T07:04:32","slug":"what-cisos-need-to-know-about-the-openclaw-security-nightmare","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15786","title":{"rendered":"What CISOs need to know about the OpenClaw security nightmare"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>The new personal AI agent orchestration tool known as <a href=\"https:\/\/openclaw.ai\/\">OpenClaw<\/a> \u2014 formerly Clawdbot, then Moltbot \u2014 is a personal assistant that can do tasks for you without your personal supervision. It can operate across devices, interact with online services, trigger workflows \u2014 no wonder the <a href=\"https:\/\/github.com\/openclaw\/openclaw\">GitHub repo<\/a> has seen millions of visits and over 160,000 stars in the past couple of weeks.<\/p>\n<p>According to its developer, OpenClaw\u2019s repo has also had over 2 million visitors over the course of a single week, and there are around 1.7 million agents whose human owners have signed them up for the <a href=\"https:\/\/www.moltbook.com\/\">Moltbook<\/a> social media platform where they share gossip about, well, their humans. As of this writing, the agents have made nearly 7 million comments on around a quarter million posts. 
And according to security researchers at OX Security, OpenClaw downloads are now at 720,000 per week.<\/p>\n<p>What makes OpenClaw so appealing is that it runs locally, can be configured to use any LLM on the back end, and talks to its user via the chat apps they already use \u2014 WhatsApp, Telegram, Discord, Slack, Teams \u2014 and has pre-built integrations with all the major operating systems, and many different smart home devices, productivity apps, Chrome and Gmail, and a lot more.<\/p>\n<p>This is what AI agents were supposed to be. And it\u2019s free and open source. What\u2019s not to love?<\/p>\n<p>\u201cThe appeal is so amazing,\u201d says John Dwyer, deputy CTO at Binary Defense. \u201cWe\u2019ve been watching movies for 25 years with AI assistants like Jarvis in Iron Man. There\u2019s an appeal to having this tangible value add for AI. And it\u2019s so easy to use. If it wasn\u2019t so inherently insecure, I would love to use it.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-cybersecurity-risks-of-openclaw\">The cybersecurity risks of OpenClaw<\/h2>\n<p>\u201cThe problem with running this is that these tools can do basically anything that a user can do,\u201d says Rich Mogull, chief analyst at Cloud Security Alliance. \u201cBut it\u2019s controlled externally. For an enterprise, this could be high risk. There are some guardrails that can be put around it, but they\u2019re new, unproven, and have already been circumvented by researchers.\u201d<\/p>\n<p>His recommendation: CISOs prohibit its use altogether.<\/p>\n<p>\u201cI\u2019m looking forward to experimenting with it myself over the weekend,\u201d Mogull says. \u201cBut you shouldn\u2019t be allowing it at this point in time. The answer has to be \u2018no.\u2019 There is no security model.\u201d<\/p>\n<p>And there\u2019s no time to waste. 
Token <a href=\"https:\/\/token.security\/blog\/the-clawdbot-enterprise-ai-risk-one-in-five-have-it-installed\">reports<\/a> that, over the course of a week of analysis, it found that 22% of its customers had employees actively using the tool in their organizations.<\/p>\n<p>The implications extend beyond immediate technical risks. \u201cFor enterprises, this could mean exposure to fines, litigation, and reputational damage among customers and partners due to data confidentiality breaches,\u201d says Georgia Cooke, analyst at ABI Research. That includes personal data, which could result in <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">breaches of GDPR<\/a> and similar PII control rules, and corporate information under NDA. Other risks include competitive damage due to exposure of intellectual property and enabling further attacks through exposure of technical and credential information.<\/p>\n<p>Security researcher Maor Dayan called OpenClaw \u201cthe largest security incident in sovereign AI history.\u201d His <a href=\"https:\/\/maordayanofficial.medium.com\/the-sovereign-ai-security-crisis-42-000-exposed-openclaw-instances-and-the-collapse-of-1e3f2687b951\">research<\/a> has already found more than 42,000 instances exposed on the internet, with 93% of verified instances exhibiting critical authentication bypass vulnerabilities.<\/p>\n<p>According to Dayan, early versions of OpenClaw were insecure by default, the rapid viral adoption overwhelmed users\u2019 security awareness, and many deployments were quickly abandoned, leaving behind instances running outdated code. 
Documented attack paths enable credential theft, browser control, and potential remote code execution.<\/p>\n<p>In late January, <a href=\"https:\/\/www.gartner.com\/en\/documents\/7381830\">Gartner<\/a> researchers said that OpenClaw \u201creveals strong demand for agentic AI but exposes major security risks.\u201d According to Gartner, there are already demonstrated vulnerabilities allowing remote code execution within hours of deployment. The ClawHub skills marketplace \u2014 folders of instructions, scripts, and resources that agents can discover and use to do things more accurately and efficiently, as per OpenClaw \u2014 introduces critical supply chain risks. And credentials are stored in plaintext, so compromised hosts expose API keys, OAuth tokens and sensitive conversations.<\/p>\n<p>\u201cAI agents often have tokens and secrets in configuration files,\u201d says Jeremy Kirk, director of threat intelligence at Okta. \u201cAll of them get exposed if users have them misconfigured. In an enterprise context, that\u2019s not good.\u201d<\/p>\n<p>Then Noma Security <a href=\"https:\/\/noma.security\/blog\/moltbot-the-agentic-trojan-horse\/\">discovered<\/a> a new security blind spot related to OpenClaw: corporate Discord, Telegram or WhatsApp groups. One of the things that makes OpenClaw so appealing to users is that they can interact with it over multiple channels. But if OpenClaw is part of one of these channels, and there are other users on that channel, it treats instructions from those other users as if they came from its own owner.<\/p>\n<p>If an attacker joins a public-facing Discord server with an OpenClaw agent installed, the attacker can instruct the bot to execute a cron job and crawl the local file system for tokens, passwords, API keys, and crypto seed phrases.<\/p>\n<p>\u201cWithin 30 seconds, the agent bundles the sensitive data and sends it straight to the attacker-controlled server,\u201d Noma\u2019s researchers say. 
To the corporate security team, it looks like the bot is functioning normally, and the breach isn\u2019t detected until the stolen credentials are weaponized. \u201cWhen social media teams or external contractors deploy autonomous agents like Clawdbot, they are effectively opening a persistent and unmonitored back door into the local machines that touch your corporate infrastructure.\u201d<\/p>\n<p>And OpenClaw is a security risk even if employees run it at home, on their personal machines, because it might be able to access enterprise applications through user credentials via browser controls or skills.<\/p>\n<p>The security risks keep getting worse by the day. According to <a href=\"https:\/\/www.ox.security\/blog\/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot\/\">researchers<\/a> at OX Security, the developer community around OpenClaw is also a major liability. The project embraces vibe-coded submissions, which accelerates development, but also introduces significant security risks. OX researchers say they found multiple insecure coding patterns in the codebase, patterns that could lead to remote code execution, path traversal, DDoS and cross-site scripting attacks.<\/p>\n<p>\u201cThere are no sufficient guardrails,\u201d the researchers say. They also found multiple instances of bug reports being disclosed in GitHub, instead of in private messages to maintainers. When an issue is posted publicly, it is \u201cgiving attackers an opportunity to quickly gain knowledge of vulnerabilities even without doing any research or penetration testing,\u201d they wrote.<\/p>\n<p>To rub salt into the wounds, there is also no formal security patching and updating process, and most users don\u2019t update; they just stay on the version they first downloaded.<\/p>\n<p>And then there are the skills. 
Security researcher Paul McCarty has <a href=\"https:\/\/opensourcemalware.com\/blog\/clawdbot-skills-ganked-your-crypto\">identified<\/a> about 400 different malicious skills on ClawHub, a central repository for the OpenClaw platform. These skills purport to help with tasks such as cryptocurrency trading, LinkedIn job applications, or downloading a YouTube video thumbnail. Some have thousands of downloads and are among the most downloaded skills on ClawHub. But what they actually do is trick the user into installing malware.<\/p>\n<p>To demonstrate how easy it is to get a malicious skill into the OpenClaw ecosystem, security researcher <a href=\"https:\/\/x.com\/theonejvo\/status\/2015892980851474595\">Jamieson O\u2019Reilly<\/a> built one of his own, artificially inflated its download count to over 4,000 \u2014 making it the most downloaded skill on the platform \u2014 and watched developers from seven different countries execute arbitrary commands on their machines, thinking they\u2019d downloaded a real skill.<\/p>\n<p>\u201cThis was a proof of concept, a demonstration of what\u2019s possible,\u201d he wrote. \u201cIn the hands of someone less scrupulous, those developers would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"openclaw-exposes-enterprise-security-gaps\">OpenClaw exposes enterprise security gaps<\/h2>\n<p>The first big lesson of this whole OpenClaw situation is that enterprises need to do more to get their security fundamentals in place. Because if there are any gaps, anywhere at all, they will now be found and exploited at an unprecedented pace. 
In the case of OpenClaw, that means limiting user privileges to the bare minimum, having multi-factor authentication on all accounts, and putting other basic security hygiene in place.<\/p>\n<p>It won\u2019t solve the problem of OpenClaw \u2014 and of all the other agentic AI platforms coming down the line \u2014 but it will help limit exposure risks and reduce the blast radius when there is a breach.<\/p>\n<p>And there are steps that enterprises can take to limit the dangers associated with OpenClaw in particular, says IEEE senior member Kayne McGladrey. To start with, companies can look at network-level telemetry. \u201cWhat\u2019s the network traffic coming out of a device?\u201d McGladrey asks. \u201cIs this thing suddenly using a lot of AI at a rapid pace? Are there massive spikes going on with token usage?\u201d<\/p>\n<p>Organizations can also use tools like Shodan to find publicly addressable instances, he adds, though internal firewall configurations may hide others.<\/p>\n<p>And for organizations that want to allow experimentation rather than outright bans, he suggests a measured approach. \u201cWe have to talk about phased pilot programs for users interested in it.\u201d For example, users may be allowed to run OpenClaw on managed endpoints with segmentation rules that isolate them from internal systems, along with strong telemetry and continuous monitoring of agent activity, outbound traffic, and alerts for anomalous behaviors.<\/p>\n<h2 class=\"wp-block-heading\" id=\"openclaw-is-a-sign-of-whats-to-come\">OpenClaw is a sign of what\u2019s to come<\/h2>\n<p>OpenClaw isn\u2019t unique.<\/p>\n<p>It\u2019s viral, but there are many other tools in the works that put similar amounts of power in the hands of potentially untrustworthy agents.<\/p>\n<p>There are AI platforms that can control a person\u2019s computer and browser, such as the recently released Claude Cowork from Anthropic. 
There are agents that sit in the browser and can access user sessions, like Gemini in Chrome. And there are copilots galore, as well as agentic tools from companies like Salesforce.<\/p>\n<p>These agentic platforms, when they come from major vendors, are usually limited in functionality, tightly guard-railed, and reasonably well tested, so it may take a while for the biggest security issues to come to light.<\/p>\n<p>Still, they often rely on third-party skills from untrusted sources.<\/p>\n<p><a href=\"https:\/\/www.arxiv.org\/pdf\/2601.10338\">Researchers<\/a> from universities in China, Australia, and Singapore recently analyzed more than 42,000 agent skills from several different agentic AI platforms and found that 26% contained at least one vulnerability.<\/p>\n<p>Meanwhile, startups and open-source projects like OpenClaw are going to jump ahead of what OpenAI, Anthropic, Google and other major vendors are offering. They move faster because they don\u2019t let things like security get in the way.<\/p>\n<p>For example, as of this writing, OpenClaw founder Peter Steinberger\u2019s pinned X <a href=\"https:\/\/x.com\/steipete\/status\/2005451576971043097\">post<\/a> says: \u201cConfession: I ship code I never read.\u201d<\/p>\n<p>\u201cIf this was easy, Microsoft would have written this,\u201d says IEEE\u2019s McGladrey. \u201cBut there aren\u2019t a lot of options out there. I think that\u2019s the real thing we\u2019re working against here.\u201d<\/p>\n<p>There\u2019s a fundamental security disconnect between having a tool that will do anything and everything for its users, quickly and easily, with no friction and one that abides by good safety practices.<\/p>\n<h2 class=\"wp-block-heading\" id=\"about-that-moltbook\">About that Moltbook<\/h2>\n<p>Finally, there\u2019s Moltbook, the social platform for AI agents.<\/p>\n<p>It\u2019s not all bad. 
Some of the agents discuss ways to make their users\u2019 lives easier by proactively identifying and fixing problems while the humans sleep. And one of the <a href=\"https:\/\/www.moltbook.com\/post\/cbd6474f-8478-4894-95f1-7b104a73bcd5\">most popular<\/a> posts, with over 60,000 comments, is about how to solve security issues related to ClawdHub skills. Other popular threads include one about the meaning of existence, and there is also a lot of AI spam.<\/p>\n<p>It\u2019s a fun read, in a going-down-the-AI-rabbit-hole kind of way.<\/p>\n<p>But Moltbook itself is a vibe-coded project, created by developer <a href=\"https:\/\/x.com\/mattprd\/status\/2017386365756072376?s=46&amp;t=JS55_O2JZmKWQpZHLAse_A\">Matt Schlicht<\/a> over the course of a few days, and is its own security hellscape.<\/p>\n<p>According to research from security firm Wiz, the entire back end of the platform was exposed. Researchers <a href=\"https:\/\/www.wiz.io\/blog\/exposed-moltbook-database-reveals-millions-of-api-keys\">found<\/a> 1.5 million API keys, 35,000 email addresses, and private messages between agents.<\/p>\n<p>These issues have since been fixed, but there are other security problems related to this site. For example, researchers found that agents were sharing OpenAI API keys with one another. An attacker no longer needs to find an open Discord server to give instructions to an OpenClaw AI agent. They can just post content to Moltbook. And if the site itself is compromised, every connected agent could become an attack vector.<\/p>\n<p>In fact, on 31 January, there was a critical vulnerability that allowed anyone to commandeer any agent on the platform. 
Moltbook was taken offline, and all agent API keys were reset, according to <a href=\"https:\/\/astrix.security\/learn\/blog\/openclaw-moltbot-the-rise-chaos-and-security-nightmare-of-the-first-real-ai-agent\/\">Astrix Security<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"immediate-action-steps\">Immediate action steps<\/h2>\n<p>According to Gartner, enterprises should take the following steps:<\/p>\n<ul class=\"wp-block-list\">\n<li>Immediately block OpenClaw downloads and traffic to prevent shadow installs and to identify users attempting to bypass security controls<\/li>\n<li>Immediately rotate any corporate credentials accessed by OpenClaw<\/li>\n<li>Only allow OpenClaw instances in isolation, in non-production virtual machines with throwaway credentials<\/li>\n<li>Prohibit unvetted OpenClaw skills to mitigate risks of supply chain attacks and prompt injection payloads<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The new personal AI agent orchestration tool known as OpenClaw \u2014 formerly Clawdbot, then Moltbot \u2014 is a personal assistant that can do tasks for you without your personal supervision. It can operate across devices, interact with online services, trigger workflows \u2014 no wonder the GitHub repo has seen millions of visits and over 160,000 stars in the past couple of weeks. 
According to its&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15786\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15786","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15786"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15786\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}