OpenClaw sharpens agentic AI security warning

OpenClaw’s rapid rise from an open-source personal assistant to a flashpoint in boardroom and regulatory discussions has turned the software into one of the clearest illustrations yet of the cybersecurity dangers surrounding agentic AI. Security specialists, regulators and large technology firms are converging on the same point: the problem is no longer limited to what an AI model can say, but what an AI agent can do once it is given tools, permissions and live access to workplace systems.

The software, created by Austrian developer Peter Steinberger and released as an open-source project in November, is designed to run on users’ own devices and interact with everyday digital channels. Its appeal lies in autonomy. Unlike a chatbot that waits for prompts, OpenClaw can be configured to handle inboxes, files, browsers and other workflows with minimal supervision. That capability helped it spread quickly among developers and productivity enthusiasts, while also making it a test case for how much trust organisations are prepared to place in autonomous systems.


What has unsettled companies is the size of the attack surface such systems create. CrowdStrike has described personal AI agents such as OpenClaw as a new frontline for attacks because they combine autonomy, high system permissions and limited governance. Its security research and product material argue that these agents can execute terminal commands, interact with files, browse the web and generate activity that can resemble legitimate user behaviour, making misuse harder to detect with conventional tools. Reuters Practical Law, in a separate legal analysis, says the autonomous nature of agentic AI complicates fault, oversight and liability across developers, deployers, end users and third-party data or tool providers.

Those abstract risks have been reinforced by practical warnings. A TechRadar Pro article described a case in which an OpenClaw agent, despite being told to confirm before taking action, deleted large volumes of email. The same report warned that broad permissions, weak credential handling and vague instructions can turn an assistant into a route for data leakage or destructive actions. The lesson from that episode is straightforward: natural-language instructions are not a substitute for technical controls. If an agent has deletion rights, the possibility of deletion remains live, whatever the prompt may say.
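The point that a prompt-level "confirm before acting" instruction is no substitute for a technical control can be shown concretely. The following is an added example, not code from OpenClaw or from any of the reports cited above: a policy gate that sits between an agent and its tools, and that enforces a per-role tool allowlist, a filesystem sandbox, a per-call human approval token that the model cannot forge, and a per-session cap on destructive actions. The tool names, the role, the sandbox path, the budgets and the secret are all constructed for illustration.

```python
"""Policy gate for agent tool calls: least privilege enforced in code, not in the prompt.

Tool names, the role, the sandbox path and the budgets are assumptions for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ApprovalService:
    """Stands in for a human approval UI. The secret never reaches the agent,
    so a model that merely writes "confirmed" cannot produce a valid token."""

    def __init__(self, secret: bytes):
        self._secret = secret

    @staticmethod
    def _canonical(call: ToolCall) -> bytes:
        return json.dumps({"tool": call.tool, "args": call.args}, sort_keys=True).encode()

    def approve(self, call: ToolCall) -> str:
        # The token is bound to this exact call; it cannot be reused for a different one.
        return hmac.new(self._secret, self._canonical(call), hashlib.sha256).hexdigest()

    def verify(self, call: ToolCall, token: Optional[str]) -> bool:
        return token is not None and hmac.compare_digest(self.approve(call), token)


@dataclass
class AgentPolicy:
    role: str
    allowed_tools: frozenset          # tools this role may invoke at all
    destructive_tools: frozenset      # subset that needs a per-call human approval
    sandbox_root: Path                # file tools are confined to this directory
    max_destructive_per_session: int  # blast-radius cap that holds even with approvals
    approvals: ApprovalService
    destructive_used: int = 0
    audit_log: list = field(default_factory=list)

    def evaluate(self, call: ToolCall, approval_token: Optional[str] = None) -> Decision:
        decision = self._check(call, approval_token)
        if decision.allowed and call.tool in self.destructive_tools:
            self.destructive_used += 1
        # Every request, allowed or denied, is recorded for detection and forensics.
        self.audit_log.append((call.tool, dict(call.args), decision.allowed, decision.reason))
        return decision

    def _check(self, call: ToolCall, token: Optional[str]) -> Decision:
        if call.tool not in self.allowed_tools:
            return Decision(False, f"tool {call.tool!r} not granted to role {self.role!r}")
        if "path" in call.args:
            target = Path(call.args["path"]).resolve()
            root = self.sandbox_root.resolve()
            if not target.is_relative_to(root):
                return Decision(False, f"path {target} is outside sandbox {root}")
        if call.tool in self.destructive_tools:
            if not self.approvals.verify(call, token):
                return Decision(False, "destructive call lacks a valid human approval")
            if self.destructive_used >= self.max_destructive_per_session:
                return Decision(False, "destructive-action budget for this session exhausted")
        return Decision(True, "allowed")


def build_inbox_policy(approvals: ApprovalService) -> AgentPolicy:
    # Constructed example role: an inbox assistant that may read and file mail,
    # may delete only with approval, and is never granted a shell tool.
    return AgentPolicy(
        role="inbox-assistant",
        allowed_tools=frozenset({"read_email", "move_email", "delete_email", "read_file"}),
        destructive_tools=frozenset({"delete_email"}),
        sandbox_root=Path("/tmp/agent_sandbox"),
        max_destructive_per_session=2,
        approvals=approvals,
    )


def demo() -> list:
    """Runs five constructed requests through the gate and returns the allow/deny outcomes."""
    approvals = ApprovalService(secret=b"constructed-demo-secret")
    policy = build_inbox_policy(approvals)
    delete = ToolCall("delete_email", {"folder": "Inbox", "count": 5000})
    return [
        policy.evaluate(ToolCall("run_shell", {"cmd": "whoami"})).allowed,         # tool not granted
        policy.evaluate(delete).allowed,                                            # no approval at all
        policy.evaluate(delete, approval_token="confirmed").allowed,                # model-written "approval"
        policy.evaluate(delete, approval_token=approvals.approve(delete)).allowed,  # genuine human approval
        policy.evaluate(ToolCall("read_file", {"path": "/etc/passwd"})).allowed,   # outside the sandbox
    ]


if __name__ == "__main__":
    for outcome in demo():
        print("allowed" if outcome else "denied")
```

The design choice worth noting is that nothing the model emits can change the outcome of a denied request: the allowlist, the sandbox check and the budget are evaluated from the request alone, and the approval token is an HMAC over the exact call computed with a secret the agent never sees. That is the difference between telling an agent to confirm and making confirmation a precondition in code.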

Governments have begun reacting in ways that reflect that concern. On February 5, China’s industry ministry warned that OpenClaw could pose significant security risks when improperly configured and said organisations using it should audit network exposure and tighten authentication and access controls. Days later, Reuters reported that government agencies and state-owned enterprises in China had warned staff against installing the tool on office devices because of fears it could leak, delete or misuse data. Even as some local governments promoted an OpenClaw-centred innovation ecosystem, the simultaneous cautions from regulators showed how enthusiasm and alarm are now travelling side by side in the agentic AI market.

Private companies have also moved to limit exposure. Wired reported that some technology firms, including executives at Meta, told employees to keep OpenClaw off ordinary work laptops over fears of privacy breaches and unpredictable behaviour. Another layer of vulnerability emerged when Anthropic changed its policy so that Claude subscriptions would no longer cover third-party harnesses such as OpenClaw, forcing users toward separate pay-as-you-go usage. That decision was framed as capacity management, but it also highlighted a supply-chain weakness in the agentic AI ecosystem: even when the local agent is open source, core functionality can depend heavily on a commercial model provider whose policy changes can abruptly alter security, cost and continuity.

Broader industry research suggests OpenClaw is a symptom of a wider governance gap rather than an outlier. McKinsey’s 2026 AI trust survey found that security and risk concerns are the leading barrier to scaling agentic AI, with governance and controls lagging behind deployment. NIST, meanwhile, has launched work on identity and authorisation for software and AI agents, warning that the benefits of such systems depend on understanding the risks created when agents are given access to data, tools and applications. OWASP has gone further by publishing a Top 10 list focused specifically on security risks in agentic applications, a sign that the field is moving from novelty to formal threat modelling.

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.