OpenClaw is an open-source, self-hosted AI personal assistant that connects frontier language models to real messaging platforms — WhatsApp, Telegram, Signal, Discord, Slack, iMessage — and grants them autonomous access to local file systems, shell commands, email, calendars, and web browsers.
That is an extraordinary amount of access for any software to request. The appeal is obvious: the promise of a true AI assistant that can actually do things on your behalf is enormously compelling for productivity-minded users and developers. But that same capability stack is precisely what makes OpenClaw a uniquely dangerous proposition for any business environment.
Security researchers at Snyk have termed this combination of extensive system access, exposure to untrusted content, ability to communicate externally, and persistent memory a “lethal quaternary of vulnerabilities.”
The Administrative Access Problem: You’re Handing Over the Keys
When OpenClaw is installed, it doesn’t ask for polite, limited permissions. It requires administrative access to function. This is where the risk calculus breaks down entirely. Think of your operating environment as a building.
Standard software gets a key card to one floor. Administrative access gives a visitor the master key to every room, every server closet, every locked cabinet — and lets them make copies. When you grant admin permissions to any third-party application, you are not simply enabling a feature; you are extending implicit trust to every line of code in that application, every plugin it connects to, every future update it receives, and every third party its marketplace integrates with.
When an agent is compromised — through a malicious skill, prompt injection, or vulnerability exploit — attackers inherit all of that access, including OAuth tokens that enable lateral movement through the organization.
Trend Micro researchers described this plainly as “shadow AI with elevated privileges.” The danger is not theoretical. It is documented and it has already happened at scale.
A Security Crisis Compressed Into Weeks
The timeline of what unfolded after OpenClaw went viral is a case study in how quickly agentic AI can become a systemic threat.
Within weeks of going viral, a researcher identified roughly 1,000 OpenClaw instances online with zero authentication. Security researcher Jamieson O’Reilly gained access to Anthropic API keys, Telegram tokens, and full command execution on exposed instances. A Kaspersky security audit identified 512 vulnerabilities, of which 8 were classified as critical.
It escalated from there. Security Scorecard’s STRIKE team found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. More than 15,000 of those were directly vulnerable to remote code execution.
The core architectural flaw enabling this was almost embarrassingly basic: OpenClaw binds by default to 0.0.0.0:18789, listening on all network interfaces including the public internet, rather than 127.0.0.1 (localhost only) as security practice demands. For a tool with system-wide permissions, that default has real-world consequences.
The CVEs You Need to Know
The vulnerability disclosures paint a damning picture. CVE-2025-49596 received a CVSS score of 9.4 for unauthenticated access leading to complete system compromise.
CVE-2025- 6514 received a CVSS score of 9.6 for command-injection vulnerabilities that enable arbitrary code execution.
Two additional command injection vulnerabilities — CVE-2026-24763 and CVE-2026-25157 — were disclosed in rapid succession, allowing attackers to inject and execute arbitrary commands through improperly sanitized input fields in the gateway.
Then came ClawJacked. The vulnerability required no installed extension, no marketplace plugin — just the bare OpenClaw gateway running as documented. A developer visits an attacker-controlled webpage; malicious JavaScript silently opens a WebSocket connection to OpenClaw’s localhost gateway. Because the gateway automatically trusts local connections, the attacker’s site gains full control of the agent in milliseconds. Security researchers confirmed that the entire attack chain from first click to full compromise takes milliseconds.
The Marketplace Malware Problem
Even if the core application were flawlessly hardened, there is a second attack surface that is harder to control: the plugin ecosystem.
Attackers distributed hundreds of malicious skills via ClawHub, OpenClaw’s public marketplace. These skills used professional documentation and innocuous names like “solana-wallet-tracker” to appear legitimate, then instructed users to run external code that installed keyloggers on Windows or Atomic Stealer malware on macOS. Researchers confirmed that roughly 12% of the entire registry was compromised at one point.
By a later count, more than 820 malicious skills were found out of 10,700 listed — up sharply from earlier tallies — as attackers continued to seed the marketplace with new payloads.
This is a supply chain attack at scale delivered through an AI agent’s own official distribution channel.
The Corporate Exposure You May Not Even See
The risk to individual users is serious enough. The risk to organizations is compounding.
OpenClaw integrates with email, calendars, documents, and messaging platforms. When connected to corporate SaaS applications like Slack or Google Workspace, the agent can access Slack messages and files, emails, calendar entries, cloudstored documents, and data from integrated apps — plus OAuth tokens that enable lateral movement. The agent’s persistent memory means any data it accesses remains available across sessions.
The visibility problem makes this worse. Traditional security tools struggle to detect AI agent activity. Endpoint security sees processes running but doesn’t understand agent behavior. Network tools see API calls but can’t distinguish legitimate automation from compromise. Identity systems see OAuth grants but don’t flag AI agent connections as unusual.
Employees are connecting personal AI tools to corporate infrastructure without their security teams knowing. By the time the breach is discovered, the blast radius has already expanded.
The Fundamental Architecture Problem
Even setting aside the specific CVEs — which will be patched and replaced by new ones over time — there is a deeper problem that patches cannot fix.
Even if OpenClaw instances were flawlessly configured and all known vulnerabilities remediated, the fundamental risks would still remain, although the threshold for exploitation would be higher. Autonomy, broad permissions, and non-deterministic decision-making are core characteristics of agentic systems, and they cannot be fully eliminated through patching or configuration alone.
Palo Alto Networks extended the risk framework by identifying a critical fourth element beyond the known trifecta: persistent memory. OpenClaw stores context across sessions in SOUL.md and MEMORY.md files. This means malicious payloads can be fragmented across time, injected into memory on one day, and detonated when the agent’s state aligns on another.
This is not a bug. It is, in a meaningful sense, a feature — and it makes the attack surface permanent.
What Businesses Should Do Right Now
1. Treat OpenClaw as unauthorized software in your environment. Issue clear guidance to your workforce that OpenClaw and similar agentic AI tools are not approved for installation on any device connected to corporate networks, SaaS accounts, or data systems. The admin access requirement alone is grounds for prohibition under most acceptable use policies.
2. Audit your OAuth grants immediately. Supply chain risks from third-party skills, plugins, and model providers require ongoing auditing. Review every app that holds OAuth tokens connected to your corporate accounts — AI agents can silently accumulate access that outlasts the session in which it was granted.
3. Apply the principle of least privilege everywhere. The principle of least privilege is the single most effective security control for AI agents. API keys should be stored in environment variables, scoped to minimum permissions, and rotated regularly. Any AI tool that requires more access than strictly necessary for its stated function should be treated with heightened scrutiny.
4. Educate employees on AI shadow IT. Most employees installing OpenClaw are not acting maliciously — they are trying to be more productive. Build awareness programs that explain why agent-class AI tools carry fundamentally different risks than traditional SaaS, and give workers safe, vetted alternatives so they are not left with no options.
5. Apply zero-trust principles to AI agents. No component, model, or skill should be implicitly trusted, even within a system under the user’s control. Tightly scope agent permissions to only what is necessary, enforce oversight for high-impact actions, and rigorously vet any agent, model, skill, or tool before permitting deployment.
The Bottom Line
OpenClaw is not a cautionary tale about one rogue developer or a single poorly written application. It is a preview of what agentic AI looks like when it scales faster than governance, when admin access is treated as a technical convenience rather than a trust decision, and when marketplace ecosystems grow too fast for any security team to vet.
The speed of this shift is unprecedented. What once took years of cyber and narrative attack evolution has now compressed into weeks.
Granting administrative access to an AI agent is not enabling a productivity tool. It is inviting a system that can read every file, execute any command, communicate with any external service, and remember everything it has ever seen — into the most trusted position on your device and your network. The floodgates that open are not a metaphor. They are your file system, your credentials, your corporate data, and your customer’s information.
Before installing any AI agent that asks for elevated permissions, ask one question first: what happens to everything this agent can touch if it is compromised?
If the answer is uncomfortable, that is your answer.
