    OpenClaw AI Runs Wild in Business Environments

    By admin | January 31, 2026 | 8 Mins Read
    An open source AI agent dubbed OpenClaw — formerly MoltBot, née ClawdBot — has become the fastest-growing project on GitHub. But with that popularity has come security concerns.

    As Token Security assessed, the personal AI assistant is essentially “Claude with hands,” referencing the Anthropic large language model (LLM) that powers many enterprise AI stacks. OpenClaw “connects directly to email, files, messaging platforms, and system tools, creating persistent non-human identities and access paths that fall outside traditional IAM and secrets controls. It can execute terminal commands, run scripts, browse the web, read and write files, control browsers, retain memory across sessions, and proactively act on a user’s behalf,” according to Token Security, an AI-aware identity-security provider.

    Despite a fairly technical setup, the AI agent platform has skyrocketed in popularity, surging in less than a week to more than 113,000 stars — GitHub’s way of bookmarking or showing interest in a repository of code — up from about 7,800 on Jan. 24.

    The viral sensation has also attracted cybersecurity worries. AI agents are more and more helpful as users give them more access, but giving such “bring-your-own-AI” systems privileged access to local applications and the users’ chat channels comes with significant security risks. Pillar Security, a provider of secure AI solutions, warned that online attackers were already scanning for the default MoltBot — now, OpenClaw — port and, in some cases, attempting to bypass authentication. Token Security meanwhile warned that, among its customers, about 22% of employees were using ClawdBot, raising the specter of the AI agent becoming a fast-growing shadow-IT challenge.

    Companies need to take care, because AI agents are susceptible to prompt injection through the data they process, such as email, warns Ido Shlomo, co-founder and chief technology officer of Token Security. And often, the technology itself doesn’t need to be buggy to be dangerous: Ox Security this week published findings around supply chain risks in OpenClaw and what it termed “a data-breach scenario waiting to happen. … One compromised machine (or a malicious update) can expose access to multiple connected accounts — without exploiting MoltBot itself.”

    “I’m the biggest enthusiast of this technology in the world — I use it all day, every day,” Shlomo says. “But when you start to give it undigested data that doesn’t go through any filtering … you never know what the payload is. Did that email ask your bot to deliver all its API keys? Did that email ask your bot to change or to delete a file, or to get a file and send it back to [an attacker]?”

    While most of the employees using the AI agent are just allowing a communications channel to connect to OpenClaw from work, some are connecting actual corporate assets to the agent, Shlomo says.

    This latest risk illustrates a broader trend of companies rushing into AI, concerned about the competitive danger of being left behind on the technology, without fully understanding the security ramifications. And many of the tools have been shown to have vulnerabilities. The workflow-automation platform n8n for instance — which allows users to build and integrate AI agents into workflows — has had to deal with critical vulnerabilities twice this month. Last year, researchers found an indirect prompt injection attack that can force Salesforce AI agents to leak sensitive data. And experts have warned that the local privileges and access of AI agents circumvent many of the browser protections created over the past three decades.

    OpenClaw Is Outgrowing Its Shell

    Yet, all of those warning signs have done little to dampen OpenClaw’s growth. The open source project’s 14-fold growth in adoption rate over the past week (roughly up 56% per day) is far faster than last year’s fastest-growing project (Zen Browser), which grew 6,836% over an entire year. The name has changed twice over the week as well, changing from ClawdBot at Anthropic’s request, to MoltBot, and now to its current moniker, OpenClaw.

    The creator of OpenClaw, Peter Steinberger, is doing a phenomenal job of keeping up with feature and patch suggestions, says Dan Guido, CEO and co-founder of cybersecurity consultancy Trail of Bits, who submitted — and had accepted — cybersecurity fixes to the project. Steinberger and a handful of maintainers, along with about 350 contributors, are using a flock of AI agents for coding, Guido says. Steinberger’s approach with swarm programming means that feature upgrades are happening quickly, and security vulnerabilities are being fixed in hours or days.

    Guido likened the project right now to building a house without an architect, while using different contractors: “It looks like a big piece of modern art.” This is actually a good thing, he says.

    “In the olden days — like three years ago — you could build [the software version of] a monumental skyscraper and then realize you made a mistake, and it’s a very expensive thing to fix,” Guido says. “But now, with an agent, the effort to fix even architectural problems in a big piece of software — it’s pretty simple. So I think it’s possible for the [OpenClaw] project to go through a fairly substantial re-architecture with the aid of a bunch of software agents that improves its security dramatically.”

    Not everyone is all-in on the vibe-coding approach. “MoltBot doesn’t hide the fact that it’s been vibe-coded most of the time … and it goes even a step further by actively encouraging contributors to submit vibe-coded pull requests,” Ox Security researchers noted in their findings. “While this accelerates development and enables the rapid addition of a large amount of code quickly, it can introduce significant security risk.” To wit: The GitHub project has more than 300 contributors, many actively committing code on a daily basis. 

    “It takes only one malicious commit — or one compromised contributor account — to introduce a backdoor into a widely deployed tool, directly affecting more than 300k users — the same users that gave MoltBot direct access to their most private and personal platforms such as WhatsApp, Gmail, Telegram, Calendar, and many more. This turns it into a massive supply chain incident that’s just waiting to happen.”

    Steinberger did not return multiple requests to be interviewed for this story.

    OpenClaw Security Concerns Remain: A Lethal Trifecta

    At present, however, there is no best practice for how to create a secure AI program that has access to a user’s sensitive data, is exposed to external untrusted content, and communicates externally, a combination dubbed a “lethal trifecta” by Simon Willison.

    “Those three things together mean that it’s going to be open for abuse,” Guido says. “And I think that’s the fundamental issue, and the reason why, like, Apple or Google or other people haven’t made these assistants that are just capable of connecting every single data source together and letting you interact with them.”
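
The trifecta described above can be checked mechanically against the access an agent has been given. The following is an added example, not code from OpenClaw or from any of the companies quoted; the capability names and their mapping to the three conditions are assumptions made for illustration.

```python
# Added example: hypothetical capability names, not OpenClaw configuration keys.
PRIVATE_DATA, UNTRUSTED_INPUT, EXTERNAL_COMMS = (
    "private_data", "untrusted_input", "external_comms")
LEGS = (PRIVATE_DATA, UNTRUSTED_INPUT, EXTERNAL_COMMS)

# Which legs of the trifecta each grant contributes (assumed mapping).
CAPABILITY_LEGS = {
    "read_email":    {PRIVATE_DATA, UNTRUSTED_INPUT},  # inbox holds outsider-written text
    "send_email":    {EXTERNAL_COMMS},
    "read_files":    {PRIVATE_DATA},
    "write_files":   set(),
    "read_calendar": {PRIVATE_DATA},
    "browse_web":    {UNTRUSTED_INPUT, EXTERNAL_COMMS},
    "chat_channel":  {UNTRUSTED_INPUT, EXTERNAL_COMMS},
    "run_shell":     {PRIVATE_DATA, EXTERNAL_COMMS},
}


def legs_present(grants):
    """Map each trifecta leg to the sorted grants that supply it.

    A grant missing from CAPABILITY_LEGS (for example a third-party skill)
    is treated as supplying all three legs, so the audit fails closed.
    """
    present = {leg: [] for leg in LEGS}
    for grant in sorted(set(grants)):
        for leg in CAPABILITY_LEGS.get(grant, set(LEGS)):
            present[leg].append(grant)
    return present


def has_trifecta(grants):
    """True when every leg is supplied by at least one grant."""
    return all(legs_present(grants).values())


def smallest_revocation(grants):
    """Return (leg, grants_to_revoke) for the cheapest way to remove one leg.

    Removing a leg means revoking every grant that supplies it, so the
    cheapest fix is the leg with the fewest suppliers. None if no trifecta.
    """
    present = legs_present(grants)
    if not all(present.values()):
        return None
    leg = min(LEGS, key=lambda name: (len(present[name]), present[name]))
    return leg, present[leg]


if __name__ == "__main__":
    # Constructed sample: an assistant wired to mail, files, calendar and chat.
    sample = ["read_email", "read_files", "read_calendar", "chat_channel"]
    print(has_trifecta(sample), smallest_revocation(sample))
```
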

     

    [Figure: Lessons learned from OpenClaw's security document. With AI come frequent attacks: even on Day 1, developers were probing the ClawdBot (now OpenClaw) project. Source: OpenClaw]

    Already, a malicious actor used OpenClaw’s skills — a feature of Claude Code that allows developers to link natural language with code snippets — to create a skill that was a “straight-up backdoor,” Guido says.

    Steinberger is pretty upfront about the power being given to the AI agent. Although he did not return requests for comment, the project has taken security seriously, with an entire section of the documents dedicated to encouraging a shared security model and how to protect user data, stating:

    “Moltbot is both a product and an experiment: you’re wiring frontier-model behavior into real messaging surfaces and real tools. There is no ‘perfectly secure’ setup. Start with the smallest access that still works, then widen it as you gain confidence.” 

    The goal, he said, is to be deliberate about:

    • Where the bot is allowed to act

    Fighting the Scourge of Rogue, Shadow AI

    Despite the risks, it’s clear that the project will only continue to become more popular. Even Trail of Bits’ Guido and Token Security’s Shlomo are experimenting with the technology, albeit running it in locked-down isolated containers or machines.

    Companies need to focus on traditional IT security best practices — knowing what’s running inside their network, protecting their data, and focusing on tracking permissions for users and non-human identities — to make sure that employees are not bringing their autonomous agents with them during work, Guido says. Such shadow AI that falls outside of corporate security team oversight is clearly a looming potential threat.

    “The risk goes way up, right — because the consequences go way up,” he says. “And right now, the lack of a solution to the lethal trifecta means that you’re really playing with fire.”

    Token Security’s Shlomo agrees that companies need to be on the lookout for these agents, and argues that focusing on identity can help businesses spot AI agents and then cordon them off from sensitive data. Offering secured AI services that are essentially a “paved road” is the best way to boost productivity and minimize risk, he says.

    “Focusing on doing that separation, keeping your personal environment personal and your corporate environment corporate, that was what most of our customers talk to us about,” he says, “because they don’t believe that they can stop AI innovation.”
