The OpenClaw security risks every CISO needs to know
The business case for OpenClaw is clear, but so are the security risks. Learn why a cybersecurity expert says deployments are putting enterprises in real danger.
Viral AI agent platform OpenClaw is spreading through enterprises like wildfire -- and bringing with it major cyber-risk.
OpenClaw, an open source, self-hosted AI personal assistant, burst onto the scene in late 2025. Created by Austrian developer Peter Steinberger, OpenClaw connects frontier large language models (LLMs) to messaging platforms such as WhatsApp, Telegram, Discord and iMessage, enabling users to interact with a powerful AI agent through the communication tools they already use every day.
OpenClaw's depth of access to local systems sets it apart from a typical chatbot. Because the agent runs on hardware you control, it can interact with your file system, execute shell commands, manage email, access calendars and browse the web. It can also integrate with thousands of third-party applications through the Model Context Protocol (MCP) and OpenClaw's community skills marketplace, ClawHub. In essence, OpenClaw transforms an LLM from a conversational tool into an autonomous agent capable of taking real-world actions on your behalf.
The platform's rise in popularity has been staggering. On January 27, 2026, Bitsight researchers observed 679 distinct, publicly exposed OpenClaw instances on the internet. By February 8, 2026, that number had climbed to 31,674. Adoption continues to accelerate today, and for enterprises, this rapid growth signals both an opportunity and a warning sign.
The business case for OpenClaw
OpenClaw represents a meaningful leap forward in AI-driven productivity. Employees can delegate time-consuming tasks -- e.g., triaging email, scheduling meetings, summarizing documents, running reports and interfacing with internal tools -- to an agent that operates autonomously and learns from context.
Because OpenClaw is self-hosted, organizations theoretically retain full control over their data, avoiding the compliance concerns that arise when sensitive information is routed through third-party cloud services.
The MCP integration layer means OpenClaw can plug into existing enterprise workflows through tools such as Zapier and Make, as well as direct API connections, providing governed access to thousands of business applications. For organizations looking to scale operational efficiency without scaling headcount, the appeal is obvious.
Security implications of OpenClaw
If a seasoned AI safety expert can lose control of an OpenClaw agent in minutes, the implications for less technically inclined enterprise users should give every CISO pause.
The same capabilities that make OpenClaw powerful also make it dangerous when deployed without proper safeguards.
A cautionary example comes from an unlikely source: Summer Yue, the director of alignment at Meta Superintelligence Lab, the company's AI research and development division. In early 2026, Yue reported on X that an OpenClaw agent deleted hundreds of emails from her primary inbox despite explicit instructions to wait for confirmation before acting.
"I couldn't stop it from my phone," Yue wrote. "I had to run to my Mac mini like I was defusing a bomb."
If a seasoned AI safety expert can lose control of an OpenClaw agent in minutes, the implications for less technically inclined enterprise users should give every CISO pause.
The incident underscores a fundamental challenge with autonomous AI agents: once given permission, they act according to their interpretation of instructions, not necessarily yours. The gap between intent and execution can be catastrophic, and the speed at which agents operate means damage can compound before anyone notices or can stop it.
Top OpenClaw security risks CISOs should know
The considerable security risks that OpenClaw use introduces to enterprises include the following.
Credential and data exposure
To function, OpenClaw's architecture inherently requires access to sensitive credentials -- e.g., API keys, email tokens and calendar permissions. Security researchers have found that many deployments store these credentials in plaintext configuration files, creating immediate opportunities for exploitation.
In January 2026, CVE-2026-25253 -- which has a CVSS rating of 8.8 -- demonstrated how attackers can craft malicious URLs that silently exfiltrate authentication tokens without prompting the user, leading to full gateway compromise. OpenClaw later released a patch.
Indirect prompt injection
Security researcher Simon Willison has described what he calls "the lethal trifecta," which occurs when an AI agent has the following:
Access to private data.
Exposure to untrusted content.
The ability to communicate externally.
According to Willison, an attacker can easily trick an AI agent that has all three of these features -- which OpenClaw does by design -- into accessing and sharing private data.
Indirect prompt injection, for example, hijacks the agent's behavior by embedding malicious instructions in content the agent processes, such as emails, webpages or documents. In other words, an attacker does not need to breach your network; they only need to place a carefully crafted prompt where an OpenClaw agent will encounter it.
Supply chain compromise
In February 2026, researchers at cybersecurity vendor Koi Security exposed a systemic weakness in OpenClaw's third-party skills marketplace, ClawHub, and uncovered a massive supply chain threat campaign they dubbed ClawHavoc.
Researchers initially identified 341 malicious skills on ClawHub, roughly 12% of the registry at the time, masquerading as legitimate productivity and cryptocurrency tools. These skills deployed infostealers, reverse shells and the Atomic macOS Stealer malware, exfiltrating browser credentials, keychains, SSH keys and crypto wallets. As researchers continued scanning ClawHub, the number of malicious skills they found more than doubled within 15 days.
At the time of ClawHavoc's discovery, according to David Kasabji, head of threat intelligence at digital infrastructure provider Conscia, publishing a skill to ClawHub required nothing more than a one-week-old GitHub account. There was no code review, no signing requirement and no automated analysis.
OpenClaw has since implemented security scanning of third-party skills, in partnership with VirusTotal.
Excessive API permissions and execution privileges
OpenClaw agents often accumulate permissions far beyond what any individual task requires. Because the agent operates with the user's full set of granted privileges, a compromised or misbehaving agent can read, modify and delete data across every connected service.
The governance-containment gap is real: While roughly 58% of organizations report monitoring their AI agents, according to the Cloud Security Alliance, only 37% report having the ability to actually stop an agent when something goes wrong. Least-privilege principles, which are foundational to enterprise security, are frequently ignored in agentic AI deployments simply because restricting permissions reduces the agent's utility.
What should CISOs do?
OpenClaw deployments pose enormous risks for enterprises, but unfortunately, shadow AI also makes them all but inevitable. The reality is that employees are already experimenting with such tools, whether or not your security team has sanctioned them.
Rather than banning these tools outright, forward-thinking CISOs should establish governance frameworks that do the following:
