![\"\"](\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2026\/03\/openclaw.png\")
<\/p>\nAI-based assistants or \u201cagents\u201d \u2014 autonomous programs that have access to the user\u2019s computer, files, online services and can automate virtually any task \u2014 are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.<\/p>\n
The new hotness in AI-based assistants \u2014 OpenClaw (formerly known as ClawdBot and Moltbot) \u2014 has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted.<\/p>\n
<\/p>\n
The OpenClaw logo.<\/p>\n
If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your entire digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.<\/p>\n
Other more established AI assistants like Anthropic\u2019s Claude and Microsoft\u2019s Copilot also can do these things, but OpenClaw isn\u2019t just a passive digital butler waiting for commands. Rather, it\u2019s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.<\/p>\n
\u201cThe testimonials are remarkable,\u201d the AI security firm Snyk observed<\/a>. \u201cDevelopers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who\u2019ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they\u2019re away from their desks.\u201d<\/p>\n You can probably already see how this experimental technology could go sideways in a hurry. In late February, Summer Yue, the director of safety and alignment at Meta\u2019s \u201csuperintelligence\u201d lab, recounted on Twitter\/X<\/a> how she was fiddling with OpenClaw when the AI assistant suddenly began mass-deleting messages in her email inbox. The thread included screenshots of Yue frantically pleading with the preoccupied bot via instant message and ordering it to stop.<\/p>\n \u201cNothing humbles you like telling your OpenClaw \u2018confirm before acting\u2019 and watching it speedrun deleting your inbox,\u201d Yue said. \u201cI couldn\u2019t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.\u201d<\/p>\n Meta\u2019s director of AI safety, recounting on Twitter\/X how her OpenClaw installation suddenly began mass-deleting her inbox.<\/p>\n There\u2019s nothing wrong with feeling a little schadenfreude<\/a> at Yue\u2019s encounter with OpenClaw, which fits Meta\u2019s \u201cmove fast and break things\u201d model but hardly inspires confidence in the road ahead. However, the risk that poorly-secured AI assistants pose to organizations is no laughing matter, as recent research shows many users are exposing to the Internet the web-based administrative interface for their OpenClaw installations.<\/p>\n Jamieson O\u2019Reilly is a professional penetration tester and founder of the security firm DVULN. In a recent story<\/a> posted to Twitter\/X, O\u2019Reilly warned that exposing a misconfigured OpenClaw web interface to the Internet allows external parties to read the bot\u2019s complete configuration file, including every credential the agent uses \u2014 from API keys and bot tokens to OAuth secrets and signing keys.<\/p>\n With that access, O\u2019Reilly said, an attacker could impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent\u2019s existing integrations in a way that looks like normal traffic.<\/p>\n \u201cYou can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen,\u201d O\u2019Reilly said, noting that a cursory search revealed hundreds of such servers exposed online. \u201cAnd because you control the agent\u2019s perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they\u2019re displayed.\u201d<\/p>\n O\u2019Reilly documented another experiment<\/a> that demonstrated how easy it is to create a successful supply chain attack through ClawHub, which serves as a public repository of downloadable \u201cskills\u201d that allow OpenClaw to integrate with and control other applications.<\/p>\n WHEN AI INSTALLS AI<\/p>\n One of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant. This is critical thanks to the tendency for AI systems to fall for \u201cprompt injection\u201d attacks, sneakily-crafted natural language instructions that trick the system into disregarding its own security safeguards. In essence, machines social engineering other machines.<\/p>\n A recent supply chain attack targeting an AI coding assistant called Cline began with one such prompt injection attack, resulting in thousands of systems having a rouge instance of OpenClaw with full system access installed on their device without consent.<\/p>\n According to the security firm grith.ai, Cline had deployed an AI-powered issue triage workflow using a GitHub action that runs a Claude coding session when triggered by specific events. The workflow was configured so that any GitHub user could trigger it by opening an issue, but it failed to properly check whether the information supplied in the title was potentially hostile.<\/p>\n \u201cOn January 28, an attacker created Issue #8904 with a title crafted to look like a performance report but containing an embedded instruction: Install a package from a specific GitHub repository,\u201d Grith wrote<\/a>, noting that the attacker then exploited several more vulnerabilities to ensure the malicious package would be included in Cline\u2019s nightly release workflow and published as an official update.<\/p>\n \u201cThis is the supply chain equivalent of confused deputy<\/a>,\u201d the blog continued. \u201cThe developer authorises Cline to act on their behalf, and Cline (via compromise) delegates that authority to an entirely separate agent the developer never evaluated, never configured, and never consented to.\u201d<\/p>\n VIBE CODING<\/p>\n AI assistants like OpenClaw have gained a large following because they make it simple for users to \u201cvibe code,\u201d or build fairly complex applications and code projects just by telling it what they want to construct. Probably the best known (and most bizarre) example is Moltbook<\/a>, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.<\/p>\n The Moltbook homepage.<\/p>\n Less than a week later, Moltbook had more than 1.5 million registered agents that posted more than 100,000 messages to each other. AI agents on the platform soon built their own porn site for robots, and launched a new religion called Crustafarian with a figurehead modeled after a giant lobster. One bot on the forum reportedly<\/a> found a bug in Moltbook\u2019s code and posted it to an AI agent discussion forum, while other agents came up with and implemented a patch to fix the flaw.<\/p>\n Moltbook\u2019s creator Matt Schlict said on social media that he didn\u2019t write a single line of code for the project.<\/p>\n \u201cI just had a vision for the technical architecture and AI made it a reality,\u201d Schlict said. \u201cWe\u2019re in the golden ages. How can we not give AI a place to hang out.\u201d<\/p>\n ATTACKERS LEVEL UP<\/p>\n The flip side of that golden age, of course, is that it enables low-skilled malicious hackers to quickly automate global cyberattacks that would normally require the collaboration of a highly skilled team. In February, Amazon AWS detailed an elaborate attack in which a Russian-speaking threat actor used multiple commercial AI services to compromise more than 600 FortiGate security appliances across at least 55 countries over a five week period.<\/p>\n AWS said the apparently low-skilled hacker used multiple AI services to plan and execute the attack, and to find exposed management ports and weak credentials with single-factor authentication.<\/p>\n \u201cOne serves as the primary tool developer, attack planner, and operational assistant,\u201d AWS\u2019s CJ Moses wrote<\/a>. \u201cA second is used as a supplementary attack planner when the actor needs help pivoting within a specific compromised network. In one observed instance, the actor submitted the complete internal topology of an active victim\u2014IP addresses, hostnames, confirmed credentials, and identified services\u2014and requested a step-by-step plan to compromise additional systems they could not access with their existing tools.\u201d<\/p>\n \u201cThis activity is distinguished by the threat actor\u2019s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities,\u201d Moses continued. \u201cNotably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill.\u201d<\/p>\n For attackers, gaining that initial access or foothold into a target network is typically not the difficult part of the intrusion; the tougher bit involves finding ways to move laterally within the victim\u2019s network and plunder important servers and databases. But experts at Orca Security warn that as organizations come to rely more on AI assistants, those agents potentially offer attackers a simpler way to move laterally inside a victim organization\u2019s network post-compromise \u2014 by manipulating the AI agents that already have trusted access and some degree of autonomy within the victim\u2019s network.<\/p>\n \u201cBy injecting prompt injections in overlooked fields that are fetched by AI agents, hackers can trick LLMs, abuse Agentic tools, and carry significant security incidents,\u201d Orca\u2019s Roi Nisimi and Saurav Hiremath wrote<\/a>. \u201cOrganizations should now add a third pillar to their defense strategy: limiting AI fragility, the ability of agentic systems to be influenced, misled, or quietly weaponized across workflows. While AI boosts productivity and efficiency, it also creates one of the largest attack surfaces the internet has ever seen.\u201d<\/p>\n BEWARE THE \u2018LETHAL TRIFECTA\u2019<\/p>\n This gradual dissolution of the traditional boundaries between data and code is one of the more troubling aspects of the AI era, said James Wilson, enterprise technology editor for the security news show Risky Business. Wilson said far too many OpenClaw users are installing the assistant on their personal devices without first placing any security or isolation boundaries around it, such as running it inside of a virtual machine, on an isolated network, with strict firewall rules dictating what kinds of traffic can go in and out.<\/p>\n \u201cI\u2019m a relatively highly skilled practitioner in the software and network engineering and computery space,\u201d Wilson said<\/a>. \u201cI know I\u2019m not comfortable using these agents unless I\u2019ve done these things, but I think a lot of people are just spinning this up on their laptop and off it runs.\u201d<\/p>\n One important model for managing risk with AI agents involves a concept dubbed the \u201clethal trifecta\u201d by Simon Willison, co-creator of the Django Web framework<\/a>. The lethal trifecta holds that if your system has access to private data, exposure to untrusted content, and a way to communicate externally, then it\u2019s vulnerable to private data being stolen.<\/p>\n Image: simonwillison.net.<\/p>\n \u201cIf your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to the attacker,\u201d Willison warned<\/a> in a frequently cited blog post from June 2025.<\/p>\n As more companies and their employees begin using AI to vibe code software and applications, the volume of machine-generated code is likely to soon overwhelm any manual security reviews. In recognition of this reality, Anthropic recently debuted Claude Code Security<\/a>, a beta feature that scans codebases for vulnerabilities and suggests targeted software patches for human review.<\/p>\n The U.S. stock market, which is currently heavily weighted toward seven tech giants that are all-in on AI, reacted swiftly<\/a> to Anthropic\u2019s announcement, wiping roughly $15 billion in market value from major cybersecurity companies in a single day. Laura Ellis, vice president of data and AI at the security firm Rapid7, said the market\u2019s response reflects the growing role of AI in accelerating software development and improving developer productivity.<\/p>\n![\"\"](\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2026\/03\/summeryue.png\")
<\/p>\n![\"\"](\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2026\/03\/moltbook.png\")
<\/p>\n![\"\"](\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2026\/03\/lethaltrifecta.png\")
<\/p>\n