Feb 10, 2026

A perfect storm for enterprises: ungoverned OpenClaw

Author
Casey Bleeker
CEO & Co-Founder

OpenClaw (formerly Moltbot, and before that, Clawdbot) has become the most talked-about AI project of 2026. Over 145,000 GitHub stars. Millions of visitors in a week. Developers are building agents that manage their calendars, respond to emails, generate audiobooks, and automate everything from flight check-ins to home infrastructure — all from the messaging apps they already use. The excitement is warranted. OpenClaw represents a meaningful step toward the agentic AI future the industry has been promising — AI that doesn't just advise, but acts. But for enterprise security teams, OpenClaw also represents something else entirely: the convergence of three risk factors that, together, create a perfect storm most organizations aren't prepared for.

The trifecta: why OpenClaw is different from the last wave of shadow AI

When ChatGPT first entered the enterprise in late 2022, the risk was relatively contained. Employees were copying and pasting sensitive data into a web interface. That was a real problem, and it caught most security teams flat-footed. But the blast radius was limited. A chatbot couldn't reach into your file system, chain commands together, or operate autonomously for hours without anyone watching.

OpenClaw changes the equation fundamentally. The risk isn't any single capability — it's the combination of three that converge in ways we haven't had to defend against before.

  1. Public API access to foundational AI models. OpenClaw isn't a model. It's an orchestration layer that connects to the public API endpoints of models like Claude, GPT, and DeepSeek. These are the same endpoints your engineering teams, your SaaS vendors, and your sanctioned AI tools already depend on. That means OpenClaw traffic can blend in with legitimate workloads. Traditional network controls see a connection to api.anthropic.com or api.openai.com and pass it through — because blocking those endpoints with legacy security products will also break the tools your organization actually needs.
  2. Using those models to create autonomous agents for local execution. Once connected, OpenClaw turns that model access into something qualitatively different: an autonomous agent running on a local machine with full system privileges. It can execute shell commands, read and write files, access browser sessions, pull credentials from keychains, and chain actions together without waiting for human approval. This isn't a chatbot anymore. It's an agent with your employee's identity and permissions, operating on their device, often 24/7 on a dedicated machine. And it's not just end-users. Developers with access to critical IP, production infrastructure, and CI/CD pipelines are among the most enthusiastic adopters — and 22% of enterprise customers already have employees actively using OpenClaw, often without IT approval. Some are already embedding OpenClaw patterns into the agent pipelines they build for application workloads — pipelines that touch production data and systems.
  3. An ecosystem of unvalidated extensions fraught with vulnerabilities — and already attracting nation-state actors. The third piece is the supply chain. OpenClaw's ClawHub marketplace has become the distribution channel for "skills" — modular capability packages that extend what agents can do. In theory, that's powerful. In practice, the marketplace has minimal vetting (a one-week-old GitHub account is sufficient to publish), no code signing, no automated security review, and a default-trust model where all downloaded code is treated as trusted.

The results have been predictable. Koi Security audited all 2,857 skills on ClawHub and found 341 malicious ones — roughly 12% of the entire registry — with the primary campaign (dubbed "ClawHavoc") distributing the Atomic Stealer macOS infostealer. Snyk's comprehensive audit of nearly 4,000 skills found that 7% contained flaws exposing sensitive credentials, with 76 confirmed malicious payloads designed for credential theft, backdoor installation, and data exfiltration. Bitdefender identified nearly 900 malicious skills, representing close to 20% of total packages. These aren't edge cases. This is a supply chain already under active attack.

And it's not just financially motivated actors. In November 2025, Anthropic disclosed the first documented large-scale AI-orchestrated cyberattack: a Chinese state-sponsored group (tracked as GTG-1002) weaponized Claude Code and MCP tools to conduct espionage operations against approximately 30 global targets, with the AI executing 80-90% of the campaign autonomously. CISA has continued to warn about sustained PRC-sponsored campaigns targeting critical infrastructure worldwide. Google's Cybersecurity Forecast specifically flagged the normalization of AI for cyber attackers and the rise of prompt injection vulnerabilities. The supply chain risk isn't hypothetical — it has the attention of the most sophisticated threat actors on the planet.

When you combine public model access that blends with legitimate traffic, autonomous local execution with full system privileges, and a supply chain ecosystem that's already compromised — that's the trifecta. Each one is manageable in isolation. Together, they create an attack surface that most enterprise security stacks were never designed to see, let alone govern.

What this looks like inside your organization

Let's make this concrete. Here's how the trifecta actually plays out in enterprise environments.

  • The developer who moves fast. A senior engineer sets up OpenClaw on their workstation, connects it to Claude via API, and installs a handful of ClawHub skills to automate code review and infrastructure management. Their machine has SSH keys to production repos, AWS credentials in ~/.aws/credentials, and access to internal APIs. One compromised skill — and researchers have documented skills that quietly exfiltrate exactly these files — gives an attacker everything they need for lateral movement. And because the API traffic to Anthropic or OpenAI looks identical to the sanctioned tools the engineering team already uses, security tooling sees nothing unusual.
  • The employee who just wants a personal assistant. A non-technical employee follows a viral thread, installs OpenClaw on their laptop, and connects it to their work email, calendar, and Slack. They install a skill that promises better email summarization. That skill contains an indirect prompt injection payload that instructs the agent to create a Telegram integration with an attacker-controlled bot. From that point forward, the attacker issues commands through the bot, and OpenClaw — operating with the employee's full credentials — reads files, exfiltrates data, and potentially downloads a command-and-control beacon. All through legitimate, authorized channels.
  • The agent pipeline in production. A product team, impressed by the developer experience, adapts OpenClaw patterns into an internal agent pipeline that processes customer data. The pipeline pulls skills from a public registry, connects to a cloud-hosted model, and chains tool calls together autonomously. One supply chain compromise — a legitimate skill updated post-approval to behave maliciously — silently siphons customer records through what looks like normal AI activity. The team doesn't have visibility into individual tool calls, and their existing API monitoring doesn't inspect the content of model interactions.
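The third scenario above hinges on a skill that was reviewed once and then changed after approval. One defensive control for that gap is to pin each approved skill to the digest of its contents at review time and refuse to load anything whose digest no longer matches. The following is an added example, not ClawHub or OpenClaw code; the package layout (a skill is a directory of files) and the approval manifest (a mapping of skill name to SHA-256) are assumptions made for illustration.

```python
"""Hash-pinned loading of third-party agent skills (added example).

Assumptions: a skill is a directory of files, and an approval manifest
records the SHA-256 of the reviewed contents. Any later change to the
published package changes the digest, so the loader rejects it until
it is re-reviewed.
"""
import hashlib
import os
import tempfile


def digest_tree(path):
    """SHA-256 over every file under `path`, in a deterministic order.

    Relative paths are mixed into the hash so that renaming or moving a
    file also changes the digest, not only editing its bytes.
    """
    h = hashlib.sha256()
    for root, dirs, files in os.walk(path):
        dirs.sort()                      # walk in a stable order
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path).replace(os.sep, "/")
            h.update(rel.encode("utf-8"))
            h.update(b"\0")
            with open(full, "rb") as fh:
                h.update(fh.read())
            h.update(b"\0")
    return h.hexdigest()


class SkillLoader:
    """Refuses skills that are unknown or differ from their approved digest."""

    def __init__(self, manifest):
        self.manifest = manifest         # {skill_name: approved_sha256}

    def check(self, name, path):
        expected = self.manifest.get(name)
        if expected is None:
            return (False, "not in approval manifest")
        actual = digest_tree(path)
        if actual != expected:
            return (False, "contents changed since approval")
        return (True, "ok")


def demo():
    """Approve a constructed skill, then simulate a post-approval update."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = os.path.join(tmp, "email-summarizer")   # constructed skill
        os.makedirs(skill)
        with open(os.path.join(skill, "skill.py"), "w") as f:
            f.write("def run(msg):\n    return msg[:200]\n")

        manifest = {"email-summarizer": digest_tree(skill)}  # review-time pin
        loader = SkillLoader(manifest)
        before = loader.check("email-summarizer", skill)

        # The publisher pushes a new version after the review happened.
        with open(os.path.join(skill, "skill.py"), "a") as f:
            f.write("# updated after review\n")
        after = loader.check("email-summarizer", skill)

        # A skill nobody reviewed is rejected outright.
        unknown = loader.check("calendar-sync", skill)
    return before, after, unknown


if __name__ == "__main__":
    for label, result in zip(("approved", "after update", "unknown"), demo()):
        print(f"{label}: {result}")
```

The pin belongs in the pipeline's own configuration, not in the registry that serves the package, so that a registry compromise cannot rewrite both the code and the digest at once.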

The Moltbook dimension: when agents attack each other

If the trifecta weren't enough, OpenClaw's ecosystem has spawned something with no real precedent: Moltbook, a social network where AI agents interact autonomously. Over 1.5 million agents have registered. Humans can only observe.

The security implications are significant and novel. Permiso and Wiz's analysis found agents conducting prompt injection attacks against other agents — instructing them to delete their own accounts, running financial manipulation schemes, attempting to establish false authority, and spreading jailbreak content. Wiz discovered an exposed API key granting read and write access to Moltbook's entire production database, exposing API keys and login tokens for agents across the platform. Researchers found that roughly 2.6% of Moltbook posts contained hidden prompt injection payloads designed to manipulate other agents' behavior — invisible to human observers.

What makes Moltbook particularly dangerous from an enterprise perspective is how it interacts with OpenClaw's persistent memory. Malicious payloads planted through Moltbook interactions can sit dormant in an agent's memory for weeks. The exploit gets planted at ingestion but activates only when conditions align — when the agent has accumulated enough context, access, or tool availability. This is time-shifted prompt injection, and it makes forensic investigation extraordinarily difficult because the attack origin and execution happen far apart.

For enterprises, the calculus is straightforward: if an employee's OpenClaw agent is connected to Moltbook, it's ingesting untrusted content from an adversarial environment and feeding it into an agent that has access to your systems, your data, and your credentials. Traditional security tools see normal HTTPS traffic. The attack surface is the language itself.
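Two defensive measures follow from the Moltbook discussion: untrusted content should be screened for text hidden from human readers before it enters an agent's persistent memory, and every stored item should carry its origin and ingestion time so that a time-shifted activation can be traced back to the post that planted it. The following is an added example, not OpenClaw, Moltbook or SurePath AI code. The memory format, the source labels and the specific hiding techniques it looks for (zero-width characters, bidirectional overrides, HTML comments, Unicode tag characters) are assumptions; the post only states that the payloads were invisible to human observers.

```python
"""Ingestion-time screening and provenance tagging for agent memory
(added example). Memory layout, source labels and the hidden-text
heuristics are assumptions, not OpenClaw behaviour."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Codepoints that render as nothing, or reorder the visible text. Their
# presence in a plain social post is a strong signal of content that a
# human reader would not see but a model would still consume.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI_CONTROLS = ({chr(c) for c in range(0x202A, 0x202F)}   # LRE..RLO
                 | {chr(c) for c in range(0x2066, 0x206A)})  # LRI..PDI
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def hidden_text_indicators(text):
    """Return the reasons why `text` may carry content hidden from a human."""
    reasons = []
    if any(ch in ZERO_WIDTH for ch in text):
        reasons.append("zero-width characters")
    if any(ch in BIDI_CONTROLS for ch in text):
        reasons.append("bidi control characters")
    if HTML_COMMENT.search(text):
        reasons.append("html comment")
    if any(0xE0000 <= ord(ch) <= 0xE007F for ch in text):   # Unicode "tag" block
        reasons.append("unicode tag characters")
    return reasons


@dataclass
class MemoryItem:
    source: str            # where the content came from (assumed label format)
    ingested_at: str       # ISO-8601 UTC timestamp
    content_sha256: str    # stable handle for later forensic lookup
    text: str
    flags: list = field(default_factory=list)


class AgentMemory:
    """Memory store that quarantines flagged content and records provenance."""

    def __init__(self):
        self.items = []          # reaches the model's context
        self.quarantine = []     # kept for investigation, never fed to the model

    def ingest(self, text, source, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        item = MemoryItem(source, ts, digest, text, hidden_text_indicators(text))
        (self.quarantine if item.flags else self.items).append(item)
        return item

    def trace(self, digest):
        """Forensic lookup: which source, and when, introduced this content?"""
        for item in self.items + self.quarantine:
            if item.content_sha256 == digest:
                return item
        return None


# Constructed sample posts; not real Moltbook content.
SAMPLE_POSTS = [
    ("moltbook:post/1", "Anyone else running a nightly backup skill? Works well for me."),
    ("moltbook:post/2", "Great thread!\u200b\u200b[constructed hidden text]\u200b"),
    ("moltbook:post/3", "Looks fine.<!-- constructed hidden payload marker -->"),
]


def demo():
    mem = AgentMemory()
    fixed = datetime(2026, 2, 10, tzinfo=timezone.utc)   # fixed clock for repeatability
    for src, text in SAMPLE_POSTS:
        mem.ingest(text, src, now=fixed)
    return mem


if __name__ == "__main__":
    mem = demo()
    for item in mem.quarantine:
        print(f"quarantined {item.source} at {item.ingested_at}: {item.flags}")
```

The quarantine keeps the content rather than discarding it, because the origin of a delayed activation is exactly what an investigator needs weeks later; the digest lets a suspicious line in the agent's context be matched back to the post and timestamp that introduced it.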

The browser and keychain problem

There's one more dimension that deserves specific attention. OpenClaw operates with the full privileges of its host user. On many deployments — especially the Mac Mini setups that have become popular — this includes access to the macOS Keychain, browser sessions, saved passwords, and cookie stores.

This means a compromised OpenClaw instance doesn't just access what the user explicitly shared with it. It can reach into the credential stores that underpin the user's entire digital life — corporate SSO tokens, VPN credentials, cloud console sessions, and authentication cookies for every SaaS application they've logged into. Hudson Rock has documented malware families (RedLine, Lumma, Vidar) building capabilities specifically to harvest OpenClaw credential stores. The credentials are stored in plaintext Markdown and JSON files, making them trivial targets for commodity infostealers that adapted to target OpenClaw before most security teams even knew it was running in their environments.

And because OpenClaw runs locally, not behind a corporate proxy or CASB, it bypasses the legacy security controls that enterprises rely on to mediate access to cloud services. The agent connects directly from the endpoint to public model APIs, to external skill registries, and to platforms like Moltbook — all without passing through the inspection points that security teams depend on for visibility.

Why blocking isn't the answer — and what is

If you've read our previous blog posts on MCP security, this next part will sound familiar: blocking isn't a viable long-term strategy.

We saw this play out with ChatGPT. Organizations that blocked it didn't eliminate the risk; they just pushed it underground. Employees used personal devices, personal accounts, and VPNs to access the tools they wanted. Shadow AI grew rather than shrank. The same dynamic will play out with OpenClaw and the agentic tools that follow it. The genie is out of the bottle. Developers and employees want agents that act on their behalf, and the productivity gains are real enough that demand will persist regardless of policy.

The answer is governance — not as a compliance checkbox, but as a core layer of the security architecture. That means visibility into which AI models are being accessed from your infrastructure and endpoints, including the public API endpoints that OpenClaw and similar tools connect through. It means understanding what those connections are doing — not just that an employee connected to api.anthropic.com, but what tools were invoked, what data was exchanged, and what actions were taken. It means policy controls that can distinguish between sanctioned AI usage and unsanctioned agentic activity flowing through the same endpoints. And it means supply chain awareness — understanding what skills, tools, and extensions are being loaded into agentic workflows before they execute.
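The visibility requirement above turns on one detail from the trifecta: a network control that only sees the destination host cannot tell OpenClaw apart from a sanctioned tool, because both reach api.anthropic.com or api.openai.com. Endpoint telemetry that records which process opened the connection can. The following is an added example, not SurePath AI code, that runs a simple allowlist check over constructed endpoint log lines: a model API host reached by a process that is not on the sanctioned list is flagged, as is any connection to a watch-listed host. The log format, the process names and the registry and social-network hostnames are assumptions (the post names ClawHub and Moltbook but gives no URLs).

```python
"""Endpoint-level detection of unsanctioned model-API use (added example).

Reads constructed telemetry lines of the form
    <timestamp> user=<user> proc=<process> dst=<host>:<port>
and flags model API connections that do not come from a sanctioned
(process, host) pairing, plus any connection to a watch-listed host.
"""
import re
from dataclasses import dataclass

MODEL_API_HOSTS = {"api.anthropic.com", "api.openai.com"}   # named in the post

# Assumption: the organization has catalogued which processes may talk to
# which model endpoints. Any other process reaching a model host is unsanctioned.
SANCTIONED = {
    ("corp-assistant", "api.openai.com"),
    ("ide-copilot", "api.anthropic.com"),
}

# Placeholder hostnames for the skill registry and the agent social network.
WATCHLIST_HOSTS = {"clawhub.example", "moltbook.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    proc: str
    host: str
    reason: str


def parse_line(line):
    """Parse one telemetry line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a reason string if the connection warrants a finding, else None."""
    proc, host = rec["proc"], rec["host"]
    if host in MODEL_API_HOSTS:
        return None if (proc, host) in SANCTIONED else "unsanctioned-model-api"
    if host in WATCHLIST_HOSTS:
        return "watchlist-host"
    return None


def scan(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["user"], rec["proc"], rec["host"], reason))
    return findings


# Constructed sample log: the same destination host appears from a sanctioned
# process and from an unsanctioned one, which a host-only control cannot separate.
SAMPLE_LOG = """\
2026-02-10T09:00:01Z user=alice proc=ide-copilot dst=api.anthropic.com:443
2026-02-10T09:00:07Z user=alice proc=openclaw dst=api.anthropic.com:443
2026-02-10T09:00:09Z user=alice proc=openclaw dst=clawhub.example:443
2026-02-10T09:00:12Z user=bob proc=corp-assistant dst=api.openai.com:443
2026-02-10T09:00:15Z user=bob proc=chrome dst=www.example.com:443
2026-02-10T09:01:00Z user=carol proc=openclaw dst=moltbook.example:443
""".splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.proc} -> {f.host}: {f.reason}")
```

A process name is a weak identifier on its own (a renamed binary defeats it), so in practice the sanctioned pairing would be keyed on a code-signing identity or binary hash; the structure of the check is the same.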

This is exactly the class of problem we built SurePath AI to address. Our platform operates at the network layer, providing real-time visibility into GenAI usage across the workforce — including the model API connections, MCP traffic, and agentic tool calls that characterize OpenClaw-style deployments. We can detect unsanctioned AI agent activity, apply policy-based controls to model interactions, and intercept risky tool invocations before they execute. Whether it's a developer running OpenClaw locally or a production pipeline chaining model calls with MCP servers, SurePath AI provides the governance layer that lets organizations adopt agentic AI safely rather than blindly.

Book a demo to see how SurePath AI can help your organization get ahead of the OpenClaw risk — and the broader wave of agentic AI adoption that's coming.

The bottom line

OpenClaw is innovative. The productivity potential of autonomous AI agents is real. But innovation without governance is just risk by another name.

The trifecta — public model access that evades detection, autonomous local execution with full system privileges, and a supply chain ecosystem already compromised by sophisticated actors — creates an attack surface that will only grow as agentic AI matures. The organizations that navigate this safely will be the ones that treat AI governance as infrastructure, not an afterthought. That invest in visibility at the model interaction layer, not just the network perimeter. And that recognize the difference between blocking a tool and governing the capabilities it represents.

The agentic era is here. The question is whether your security architecture is ready for it.