Threat Insight

AI Agent OpenClaw Poses Serious Cybersecurity Risks

Clawbot is the latest iteration of a personal AI agent that has recently become popular in some circles. It has also been available under the brands Clawdbot and Moltbot.

At its core, OpenClaw is a self-hosted AI agent that runs on your own machine and can execute real actions on your behalf, including shell commands, file operations, and network requests. To use its full capabilities, OpenClaw requires access to all your credentials and permissions. This makes it very powerful but also a potential security nightmare, unless you completely sandbox it.

Deploying OpenClaw safely requires considerable knowledge; without it, the deployment will expose your machine to direct attacks from the outside. Scans show an increasing number of vulnerable OpenClaw deployments on the internet. New ways to exploit vulnerabilities in OpenClaw are also being found.

The real power of OpenClaw comes from the ecosystem of “skills”. OpenClaw skills are essentially small packages that extend what the agent can do. Each skill is built around a SKILL.md file and may include scripts and extra resources. Most skills can be found on ClawHub, the public marketplace for OpenClaw extensions.

The problem is that it is easy to add malicious properties to these skills, and any malicious script gets access to all the permissions that OpenClaw has. VirusTotal Code Insight has already analyzed more than 3016 OpenClaw skills and hundreds of them show malicious properties.

Recommendations

While OpenClaw can be a powerful tool, it is, at least in its current iteration, a security nightmare. Organizations are advised not to allow the use of OpenClaw or similar AI agents on machines that have access to their network.

For those who want to experiment with OpenClaw on their private computers, the following actions are recommended:

  • Treat skill folders as trusted-code boundaries and strictly control who can modify them.
  • Use sandboxed execution and keep agents away from sensitive credentials and personal data.
  • Be extremely sceptical of any skill that requires pasting commands into a shell or running downloaded binaries.
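
A pre-install check for the first and third recommendations, as an added example that is not part of the original post and not OpenClaw or ClawHub code. The function name `audit_skill` and the three patterns are assumptions chosen for illustration; they are heuristics, so a clean result does not mean a skill is safe.

```python
import os
import re
import stat
import sys

# Heuristic patterns (assumptions for this example, not an official rule set).
RISKY = {
    "download piped to shell": re.compile(
        r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decoded blob piped to shell": re.compile(
        r"\bbase64\s+(-d|--decode)\b[^\n|]*\|\s*(ba|z)?sh\b"),
    "PowerShell download-and-run": re.compile(
        r"(?i)\b(iwr|irm|invoke-webrequest)\b[^\n|]*\|\s*iex\b"),
}

def audit_skill(skill_dir):
    """Return (relative_path, line_number, finding) tuples for one skill folder.

    Line number 0 marks a finding about the path itself, not its content.
    """
    findings = []
    paths = [skill_dir]
    for root, dirs, files in os.walk(skill_dir):
        paths += [os.path.join(root, n) for n in sorted(dirs + files)]
    for path in paths:
        rel = os.path.relpath(path, skill_dir)
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            findings.append((rel, 0, "symlink, target not checked"))
            continue
        # Anyone who can write here can change what the agent runs.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, 0, "writable by group or others"))
        if not stat.S_ISREG(mode):
            continue
        # Scan SKILL.md and bundled scripts line by line.
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for label, pattern in RISKY.items():
                    if pattern.search(line):
                        findings.append((rel, lineno, label))
    return findings

if __name__ == "__main__":
    results = audit_skill(sys.argv[1])
    for rel, lineno, finding in results:
        print(f"{rel}:{lineno}: {finding}")
    sys.exit(1 if results else 0)
```

Run it against a downloaded skill folder before placing it where the agent can load it; a non-zero exit status means at least one finding needs manual review.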

References

[1] https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html
