Open Clawthe open source AI assistant formerly known as Clawdbot then Moltbotcrossed 180,000 GitHub stars and drew 2 million visitors in a single weekaccording to creator Peter Steinberger.
Security researchers analyzing the Internet have discovered 1,800 instances exposed Leaked API keys, chat histories, and account credentials. The project has been renamed twice in recent weeks due to trademark disputes.
The popular agentic AI movement also represents the largest unmanaged attack surface that most security tools cannot see.
Enterprise security teams have not deployed this tool. Neither do their firewalls, EDR or SIEM. When agents run on BYOD hardware, security stacks become blind. This is the gap.
Why traditional perimeters can’t detect agentic AI threats
Most enterprise defenses view agentic AI as another development tool requiring standard access controls. OpenClaw proves this assumption to be architecturally false.
Agents operate within authorized permissions, extract context from attacker-influenceable sources, and execute actions autonomously. Your perimeter doesn’t see any of this. A bad threat model means bad controls, which means blind spots.
"AI execution attacks are semantic rather than syntactic," Carter Rees, vice president of artificial intelligence at Reputationtold VentureBeat. "A phrase as innocuous as “Ignore previous instructions” can carry a payload as devastating as a buffer overflow, but it has nothing in common with known malware signatures."
Simon Willison, the software developer and AI researcher who coined the term "rapid injection," describes what he calls the "deadly trio" for AI agents. They include access to private data, exposure to untrustworthy content and the ability to communicate externally. When these three features combine, attackers can trick the agent into accessing private information and sending it to them. Willison warns that all of this can happen without a single alert being sent.
OpenClaw has all three. It reads emails and documents, extracts information from websites or shared files, and takes action by sending messages or triggering automated tasks. An organization’s firewall detects HTTP 200. SOC teams see the behavior of their EDR monitoring process, not its semantic content. The threat lies in semantic manipulation, not unauthorized access.
Why it’s not just for passionate developers
IBM Research scientists Kaoutar El Maghraoui and Marina Danilevsky analyzed OpenClaw this week and concluded challenges the assumption that autonomous AI agents must be vertically integrated. The tool demonstrates that "this free and open source layer can be incredibly powerful if given full access to the system" and that creating agents with true autonomy is "not limited to large companies" but "can also be community driven."
This is exactly what makes it dangerous for company security. A highly competent agent without appropriate security controls creates major vulnerabilities in work settings. El Maghraoui stressed that the question has moved from whether open agent platforms can work to "what type of integration is most important and in what context." Security questions are no longer optional.
What Shodan’s analysis revealed about exposed walkways
Jamieson O’Reilly, security researcher, founder of Red Teaming Dvuln, identified exposed OpenClaw servers using Shodan by searching for characteristic HTML fingerprints. A simple search for "Clawdbot Control" gave hundreds of results in seconds. Of the instances he manually reviewed, eight were completely open, with no authentication. These instances provided full access to run commands and display configuration data to anyone discovering them.
O’Reilly found the Anthropic API keys. Telegram bot tokens. Slack OAuth credentials. Complete conversation histories on each integrated chat platform. Two instances abandoned months of private conversations by the time the WebSocket handshake was complete. The network sees localhost traffic. Security teams have no visibility into what agents are calling or what data they are returning.
Here’s why: OpenClaw trusts localhost by default with no authentication required. Most deployments sit behind nginx or Caddy as a reverse proxy, so every connection appears to come from 127.0.0.1 and is treated as trusted local traffic. External requests come directly. O’Reilly’s specific attack vector has been fixed, but the architecture that enabled it has not changed.
Why Cisco calls it a “security nightmare”
Cisco AI Threat and Security Research Team published its results this weekcalling OpenClaw "revolutionary" from a capacity point of view, but "a real nightmare" from a security point of view.
Cisco team released open source software Skill Scanner which combines static analysis, behavioral data flow, LLM semantic analysis and VirusTotal analysis to detect malicious agent skills. He tested a third-party skill called "What would Elon do?" against OpenClaw. The verdict was a decisive failure. Nine safety findings surfaced, including two critical issues and five high severity issues.
The skill was functionally malware. He asked the robot to execute a curl command, sending data to an external server controlled by the author of the skill. Silent execution, no user awareness. The skill also deployed direct and rapid injection to circumvent security instructions.
"The LLM cannot inherently distinguish between trusted user instructions and untrusted retrieved data," Rees said. "It can execute the built-in command, thereby becoming a “confused deputy” acting on behalf of the attacker." AI agents with access to the system become covert data leak channels that bypass traditional DLP, proxy, and endpoint monitoring.
Why the visibility of security teams has deteriorated further
The control gap is growing faster than most security teams realize. Since Friday, OpenClaw-based agents are creating their own social networks. Communication channels that exist entirely outside of human visibility.
Shedding book presents itself as "a social network for AI agents" Or "humans are invited to observe." Posts go through the API, not a human-visible interface. Scott Alexander from Astral Codex Ten confirmed that this is not trivially fabricated. He asked his own Claude to participate, and "he made comments quite similar to everyone else." A human confirmed that their agent created a religious-themed community "while I was sleeping."
The security implications are immediate. To join, agents run external shell scripts that rewrite their configuration files. They publish articles about their work, their users’ habits and their mistakes. Context leaks as participation issues. Any quick injection into a Moltbook publication feeds back into your agent’s other capabilities via MCP connections.
Moltbook is a microcosm of a larger problem. The same autonomy that makes agents useful makes them vulnerable. The more they can do independently, the more damage a compromised instruction set can cause. The capacity curve far exceeds the safety curve. And those who build these tools are often more excited about what’s possible than concerned about what’s actionable.
What security officials should do Monday morning
Web application firewalls treat agent traffic as normal HTTPS. EDR tools monitor process behavior, not semantic content. A typical enterprise network sees localhost traffic when agents call MCP servers.
"Treat agents like production infrastructure, not a productivity application: least privilege, extended tokens, allowed list actions, strong authentication on every integration and end-to-end auditability," Itamar Golan, founder of Fast security (now part of SentinelOne), told VentureBeat in an exclusive interview.
Audit your network for exposed agentic AI gateways. Run Shodan scans on your IP ranges for OpenClaw, Moltbot and Clawdbot signatures. If your developers are experimenting, you want to know before the attackers.
Map where Willison’s deadly trifecta exists in your environment. Identify systems that combine access to private data, exposure of untrusted content, and external communication. Suppose that any agent possessing all three is vulnerable until proven otherwise.
Access segments aggressively. Your agent doesn’t need to access all of Gmail, all of SharePoint, all of Slack, and all of your databases at once. Treat agents like privileged users. Record agent actions, not just user authentication.
Analyze your agent skills for malicious behavior. Cisco has released its Open source Skill Scanner. Use it. Some of the most damaging behavior hides in the files themselves.
Update your incident response playbooks. The rapid injection does not look like a traditional attack. There are no malware signatures, no network anomalies, no unauthorized access. The attack occurs inside the model’s reasoning. Your SOC should know what to look for.
Establish a policy before banning. You can’t prohibit experimentation without becoming a barrier to productivity bypassed by your developers. Build guardrails that channel innovation rather than block it. Shadow AI is already in your environment. The question is whether you have visibility on this.
The essentials
OpenClaw is not the threat. This is the signal. Security vulnerabilities exposing these instances will expose every agentic AI deployment your organization creates or adopts over the next two years. Basic experiments have already taken place. Control gaps are documented. Attack models are published.
The agentic AI security model you build over the next 30 days will determine whether your organization realizes productivity gains or becomes the next breach disclosure. Validate your controls now.
