OpenClaw, the open source agentic AI assistant available from GitHub, continues to attract a growing following.
Like many tech-savvy workers, Dane Sherrets, a staff innovation architect at HackerOne, decided to try out the software. He installed it on a virtual private server, gave the collection of programs and agents its own Slack channel, and limited its access to any personal data. Even with limited access, OpenClaw impressed: When Sherrets reserved a virtual phone number for the AI assistant and gave it an API key with the instructions to develop a capability to make phone calls, it did.
While OpenClaw is “a good preview of things to come … [when] people will have more autonomous AI agents that are doing more things for them,” Sherrets approached the installation with a fair amount of distrust.
“I know it’s a vibe-coded project that’s only been out for a few months, really like weeks in terms of going viral, so I treat it as like something that’s going to get popped, [and] when it does I want to make sure that the blast radius would be very small,” he says. “Someone won’t be able to hack it and like run away with my like Social Security number or like Google account or contacts.”
OpenClaw showcases the potential demand for agentic AI assistants, with the number of stars on GitHub growing about 29% per day since Jan. 24, when the open source project — then named OpenClawd — went viral. (Starring a project on GitHub essentially bookmarks the repository and is considered to be a measure of popularity.)
Yet, the project did not start out with a secure design and is still developing a security framework, says Marijus Briedis, chief technology officer at cybersecurity services firm NordVPN. The company’s researchers installed OpenClaw in isolated virtual instances and were concerned at how easy the AI agent could go off the rails.
“Its security model assumes a level of user expertise that most people do not possess,” he says. “Users familiar with network isolation, permission management, and secure tunneling can mitigate risks. However, for the average user deploying OpenClaw on a home server or low-cost VPS, the default settings are insufficiently secure, and the documentation does not adequately emphasize security.”
Compromised in a HEARTBEAT
Because the OpenClaw system processes data from untrusted sources — which can include email, Web pages, and documents, for example — attempts at prompt injection are quite easy to perform. In one demonstration, researchers at AI security firm HiddenLayer directed their instance of OpenClaw to summarize Web pages, among which was a malicious page that commanded the agent to download a shell script and execute it. The shell script appended instructions to its HEARTBEAT.md file, which is executed every 30 minutes by default.
Parsing any malicious external input — such as a website, in this example — can lead to the easy takeover of a user’s OpenClaw instance. Source: HiddenLayer
The attack underscores one of the three capabilities that make agentic AI assistants so potentially dangerous, known as the lethal trifecta. In this case, the exposure to untrusted content in summarizing a Web page, combined with two other facets of the trifecta — access to private data and the ability to externally communicate — puts user’s data at risk.
Any agentic AI system that has these capabilities without effective security controls is dangerous, says Kasimir Schulz, a security researcher with HiddenLayer.
“With OpenClaw, almost all of the ways that the model can interact with the system are through both untrusted external input and communicating externally,” he says. “All of the Web requests that it can do, all of the chat messages it can read and write — those are ways that it can be attacked. Those are ways it can send out data and it has access to all of your data as well.”
Skills: The New Vulnerable Supply Chain
OpenClaw makes extensive use of Anthropic’s Claude Skills, a simple method of linking specific code and commands with natural language requests. OpenClaw allows the use of skills through its public skills registry, ClawHub. Yet such extensible architecture add significant dangers, allowing third parties to hide malicious functionality in the plug-in-like skills, says Michal Salát, threat intelligence director at cybersecurity firm Gen, whose researchers are running several instances of the agentic AI assistant in isolated testing environments.
“As we well know from early app stores, these marketplaces are a gold mine for criminals who fill the store with malicious code to prey on curious early adopters,” he says. “Our current research shows roughly 15% of the skills we’ve seen contained malicious instructions.”
The company has also detected some skills the load in external functionality, a common tactic among malware authors to bypass security checks.
The extensible architecture is another way that OpenClaw demonstrates the possible automated future for software development, Gen researchers say. While bugs are fixed in hours or days and quickly patched, the ability to add additional functionality means the AI assistant can easily be co-opted by attackers.
“As we know well from app stores, dangerous applications regularly slip through the cracks, and it took years to put guardrails in place to even vet third party apps,” Salat says. “We will see the same situation with agentic AI skills. This is why it will become important to make sure you’re giving your agent only safe and approved skills.”
Clawing to Stay Installed
Configuration continues to be a problem as well, according to security researchers. The top concern for researchers at Zenity, an AI agent security firm, is the “degree of agency OpenClaw has over its own configuration,” says Stav Cohen, a senior AI security researcher at the firm. OpenClaw agents are able to modify critical settings — including adding new communication channels and modify its system prompt — without requiring confirmation from a human, he says.
“What makes OpenClaw stand out is the state in which it was released — security considerations were largely deprioritized in favor of usability and rapid adoption,” Cohen says. “OpenClaw is marketed as an easy-to-use assistant that can ‘do everything,’ without sufficiently communicating the risks associated with deploying a highly privileged, autonomous agent.”
The problems also complicate attempts to fully remove the program. Consumers that want to delete OpenClaw should do so carefully, because OpenClaw can leave behind users’ credentials and configuration files if users do not follow instructions, according to application-security firm OX Security.
“Even after users try to uninstall the tool or remove secrets through the Web UI, sensitive data can remain accessible on the machine — and fully revoking access across every connected platform is far harder than most users realize,” the company said.
It’s unsurprising that OpenClaw has captured the imagination, but while everyone wants their own AI assistant like JARVIS in Marvel’s Iron Man franchise, the dangers at present are hard to overcome, says HiddenLayer’s Schulz.
“If we do want to move forward toward something like JARVIS, you need stronger guardrails, you need better system design,” he says. “There’s always a fine line between usability and security.”
The creator of OpenClaw, Peter Steinberger, who did not respond to requests for comment, tacitly acknowledged the issues. The Security discussion on OpenClaw’s website ends with: “Security is a process, not a product. Also, don’t trust lobsters with shell access.”
