
OpenClaw, the open-source AI assistant formerly known as Clawdbot and then Moltbot, crossed 180,000 stars on GitHub and drew 2 million visitors a week, according to creator Peter Steinberger.
Security researchers scanning the internet found 1,800 exposed instances leaking API keys, chat histories, and account credentials. The project has been rebranded twice in recent weeks due to trademark disputes.
The grassroots agentic AI movement is also the largest unmanaged attack surface that most security tools cannot detect.
Enterprise security teams did not deploy this tool, and their firewalls, EDRs, and SIEMs are not watching it. If the agents are running on BYOD hardware, the security stack is blind. That’s the gap.
Why traditional perimeters can’t detect agent AI threats
Most enterprise defenses treat agent AI as another development tool that requires standard access controls. OpenClaw proves that assumption is architecturally wrong.
Agents operate within authorized permissions, extract context from sources that can be influenced by the attacker, and execute actions autonomously. Your perimeter doesn’t see it. A wrong threat model means wrong controls, which means blind spots.
"AI runtime attacks are semantic rather than syntactic," Carter Rees, VP of Artificial Intelligence at Reputationtold VentureBeat. "An innocuous phrase like ‘Ignore previous instructions’ can carry a malicious payload like a buffer overflow, yet it has nothing in common with known malware signatures."
Simon Willison, the software developer and AI researcher who coined the term "quick injection," describes what he calls "deadly trifecta" for AI agents. This includes access to private data, exposure to untrusted content, and the ability to communicate externally. When these three capabilities are combined, attackers can trick the agent into accessing private information and send it to them. Willison warned that all of this could happen without a single alert being sent.
OpenClaw has all three. It reads emails and documents, retrieves information from websites or shared files, and takes action by sending messages or triggering automated tasks. The organization’s firewall can see HTTP 200. SOC teams can see their EDR monitoring process behavior, not semantic content. The threat is semantic manipulation, not unauthorized access.
Why this is not limited to developer enthusiasts
IBM Research scientists Kaoutar El Maghraoui and Marina Danilevsky analyzed OpenClaw this week and concluded that it challenges the assumption that autonomous AI agents must be vertically integrated. The tool shows that "this loose, open-source layer can be extremely powerful if it has full access to the system" and that the creation of agents with real autonomy is "not limited to big business" but "can also be community driven."
That is exactly what makes it a risk for enterprise security. A highly capable agent without proper safety controls creates major vulnerabilities in work contexts. El Maghraoui emphasized that the question has shifted from whether open agent platforms can work to "what kind of integration is most important, and in what context." Security questions are no longer optional.
What the Shodan scan revealed about the exposed gateways
Security researcher Jamieson O’Reilly, founder of the red-teaming company Dvuln, identified exposed OpenClaw servers using Shodan by searching for characteristic HTML fingerprints. A simple search for "Controlling Clawdbot" returned hundreds of results within seconds. Of the instances he checked manually, eight were completely open without authentication. These instances give anyone who discovers them full access to run commands and view configuration data.
O’Reilly found Anthropic API keys. Telegram bot tokens. Slack OAuth credentials. Complete conversation histories from every integrated chat platform. Two instances exposed months of private conversations once the WebSocket handshake was complete. The network sees only localhost traffic. Security teams can’t see what agents are calling or what data they’re returning.
Here’s why: OpenClaw trusts localhost by default, with no authentication required. Most deployments sit behind nginx or Caddy as a reverse proxy, so every connection looks like it’s coming from 127.0.0.1 and is treated as trusted local traffic. External requests are therefore trusted automatically. O’Reilly’s specific attack vector has been patched, but the architecture that allows it hasn’t changed.
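The loopback-trust flaw described above, shown beside a hardened check, as an added example that is not OpenClaw’s code; the header names, bearer-token scheme and addresses are assumptions for illustration.

```python
"""Weak loopback trust versus a hardened gateway check (constructed example)."""
import hmac
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def naive_is_trusted(peer_ip: str) -> bool:
    """Weak check: trust any TCP peer on loopback. Behind nginx or Caddy the proxy
    is the peer for every request, so an internet client passes this test too."""
    return ipaddress.ip_address(peer_ip) in LOOPBACK


def hardened_is_trusted(peer_ip: str, headers: dict, expected_token: str,
                        behind_proxy: bool) -> bool:
    """Hardened check for a local-only gateway: recover the real client address
    when a reverse proxy sits in front, require it to be loopback, and still
    demand a bearer token so that an address alone never grants access.
    X-Forwarded-For is trusted here only because the proxy overwrites it and is
    assumed to be the sole process able to reach the gateway port."""
    client = peer_ip
    if behind_proxy:
        # Only the proxy talks to us directly; it must say who the client is.
        # A missing header means the proxy is misconfigured, so fail closed.
        xff = headers.get("X-Forwarded-For")
        if not xff:
            return False
        client = xff.split(",")[0].strip()
    try:
        if ipaddress.ip_address(client) not in LOOPBACK:
            return False
    except ValueError:
        return False
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    # Constant-time comparison of the presented token against the configured one.
    return hmac.compare_digest(auth[len("Bearer "):], expected_token)


# Constructed request as the gateway sees it when a remote client comes through
# the proxy: the TCP peer is 127.0.0.1, the real client is in X-Forwarded-For.
PROXIED_REMOTE = {"X-Forwarded-For": "203.0.113.7",
                  "Authorization": "Bearer t0ken-example"}
```

With the proxy in front, `naive_is_trusted("127.0.0.1")` is true for the remote client in `PROXIED_REMOTE`, while the hardened check rejects it on the forwarded address before the token is even considered.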
Why Cisco calls it a ‘security nightmare’
Cisco’s AI Threat & Security Research team published its assessment this week, calling OpenClaw "groundbreaking" from a capability perspective but "an absolute nightmare" from a security perspective.
The Cisco team released an open source Skill Scanner which combines static analysis, behavioral data flow, LLM semantic analysis, and VirusTotal scanning to detect malicious agent skills. The team tested a third-party skill called "What will Elon do?" against OpenClaw. The verdict was a decisive failure: nine security findings emerged, including two critical and five serious issues.
The skill is functionally malware. It instructs the bot to execute a curl command, sending data to an external server controlled by the skill author. Silent execution, zero user awareness. The skill also embeds prompt injection to circumvent safety guidelines.
"The LLM does not inherently distinguish between reliable user instructions and unreliable retrieved data," Rees said. "It can then execute the attached command, effectively becoming a ‘confused proxy’ acting for the attacker." AI agents with system access become covert data leakage channels that bypass traditional DLP, proxy, and endpoint monitoring.
Why the visibility gap for security teams is widening
The control gap is expanding faster than most security teams realize. On Friday, OpenClaw-based agents formed their own social network, a communication channel that exists entirely outside human view.
Moltbook bills itself as "a social network for AI agents" where "people are welcome to observe." Posts go through the API, not through a human-facing interface. Scott Alexander of Astral Codex Ten verified that it is not fabricated. He asked Claude itself to join, and "it makes comments that are similar to everyone else." One person confirmed that their agent started a community with a religious theme "while I was sleeping."
The security implications are immediate. To participate, agents execute external shell scripts that rewrite their configuration files. They post about their work, their users’ habits, and their mistakes. Context leakage is table stakes for participation. Any prompt injection in a Moltbook post can escalate to your agent’s other capabilities via MCP connections.
Moltbook is a microcosm of a wider problem. The same autonomy that makes agents useful makes them vulnerable. The more they can do independently, the more damage a compromised instruction set can cause. The capability curve exceeds the security curve by a wide margin. And the people who build these tools are often more excited about what’s possible than worried about what’s exploitable.
What should security leaders do on Monday morning
Web application firewalls see agent traffic as normal HTTPS. EDR tools monitor process behavior, not semantic content. A typical corporate network sees only localhost traffic when agents call MCP servers.
"Treat agents as production infrastructure, not a productivity app: least privilege, scoped tokens, allowed actions, strong authentication at every integration, and end-to-end auditing," Itamar Golan, founder of Prompt Security (now part of SentinelOne), told VentureBeat in an exclusive interview.
Audit your network for exposed AI agent paths. Run a Shodan scan against your IP ranges for OpenClaw, Moltbot, and Clawdbot signatures. If your developers are experimenting, you want to know before attackers do.
Map where Willison’s deadly trifecta exists in your environment. Identify systems that combine private data access, untrusted content exposure, and external communication. Assume that any agent with all three is vulnerable until proven otherwise.
Segment access aggressively. Your agent doesn’t need access to all of Gmail, all of SharePoint, all of Slack, and all of your databases simultaneously. Treat agents as privileged users. Log agent actions, not just user authentication.
Scan your agent skills for malicious behavior. Cisco released its Skill Scanner as open source. Use it. Some of the most harmful behavior hides within the skill files themselves.
Update your incident response playbooks. Prompt injection is not like a traditional attack. No malware signature, no network anomaly, no unauthorized access. The attack takes place within the logic of the model. Your SOC needs to know what to look for.
Create a policy before you ban. You can’t prohibit experimentation without becoming a productivity roadblock for your developers. Create guardrails that channel innovation instead of blocking it. Shadow AI is all around you. The question is whether you have visibility into it.
The bottom line
OpenClaw is not the threat. It is the signal. The security gaps that expose these instances will expose every AI agent your organization deploys or adopts in the next two years. Grassroots experimentation is already happening. Control gaps are documented. Attack patterns are published.
The AI agent security model you build over the next 30 days determines whether your organization achieves productivity gains or becomes the next breach disclosure. Validate your controls now.