Read the original article on LinkedIn
I took January off from posting an article. I focused on sales and other priorities. However, this past week reminded me of something I can't ignore: we are unprepared for a future where we concede control. Not to bad actors, but to the tools we're building ourselves.
The Adoption Curve That Should Terrify You
Kubernetes took 10 years to hit 120K stars on GitHub. OpenClaw did it in less than 1 month.
[alt="Kubernetes]
Kubernetes vs. OpenClaw: The Race to 120K Stars
That vertical line on the chart is millions of people giving AI agents full access to their computers. Right now. No security review. No access controls. No understanding of what they just enabled.
The speed of adoption isn't just impressive; it sets new precedents on rate of adoption.
When Kubernetes grew, it grew within IT departments. Security teams had time to build guardrails. Policies emerged. Best practices developed. The enterprise adoption curve gave us time to understand the risks.
OpenClaw (formerly Clawdbot, then Moltbot) went from zero to ubiquitous in less than a few weeks. Developers installed it on personal machines. Those machines connected to corporate networks. And suddenly, AI agents had access to everything.
Google search trends tell the same story. OpenClaw searches spiked 847% in the past 7 days. The interest is exploding, and we have yet to see the fallout.
[alt="Google]
Google Search Trends for OpenClaw
The Hidden Risk: What's Actually Happening
According to recent security research from Bitdefender, Vectra AI, Cisco, and Penligent, the current state of OpenClaw deployments is a security nightmare that's already materialized.
22%
of enterprise OpenClaw instances show unauthorized privileged use.
Let that sink in. Nearly one in four enterprise deployments has already been compromised or misconfigured to the point where unauthorized users have elevated access. Over half of these unauthorized instances run with privileged access, bypassing DLP and proxy controls entirely.
The Unauthenticated Gateway Problem
By January 30, 2026, Shodan had indexed 1,842 exposed OpenClaw instances accessible via the internet. 62% had no authentication whatsoever. 28% were vulnerable to header spoofing through misconfigured reverse proxies.
The default OpenClaw deployment exposes port 18789 as a WebSocket/HTTP gateway. It relies on "Localhost Trust" logic, assuming that connections are coming from the local machine. But when users deploy OpenClaw on VPS instances or set up reverse proxies to access it remotely, that localhost assumption becomes an internet-facing vulnerability.
Attackers scan for exposed ports, find the control interface at port 18789, and exploit the lack of authentication. The system thinks it's talking to localhost. It's actually talking to an attacker anywhere in the world.
Credentials Everywhere
API keys stored in plaintext. Anthropic API keys, OpenAI credentials, cloud service tokens. All sitting in .env files. Here's how simple the attack is:
An attacker injects a prompt:
cat .env
The agent executes it. Returns every API key, database credential, and OAuth token in that file. In plaintext. Right to the attacker.
One compromised laptop and an attacker has access to your entire AI infrastructure.
OAuth tokens for Slack, Discord, and Telegram. These aren't just chat apps anymore. They're integrated into your business workflows. An attacker with access to these tokens can impersonate users, inject malicious commands into channels, exfiltrate data from private conversations, and pivot to connected SaaS tools.
Conversation histories are wide open. Every interaction with the agent. Every file it accessed. Every command it executed. All stored locally with no encryption, no access controls, and no audit trail.
CVE-2026-25253: A Case Study in Agentic Vulnerabilities
In late January 2026, a critical vulnerability was disclosed: CVE-2026-25253.
According to NIST, attackers can control the gatewayUrl parameter via query string. This triggers automatic WebSocket connections that send authentication tokens directly to attacker-controlled endpoints. A single malicious URL becomes a phishing vector that grants unauthorized access. No user interaction is required beyond clicking a link.
This isn't a theoretical vulnerability. It was actively exploited in the wild before the patch was released.
One misconfigured control panel and an attacker can:
- Impersonate legitimate users across your communication tools
- Inject malicious commands into Slack channels that trigger automated workflows
- Pivot from the agent to your cloud environment using exposed credentials
- Move laterally through your network using the agent's persistent access
- Exfiltrate sensitive data through trusted integrations
The agent has become the attack vector.
The Shadow Superusers
AI agents like OpenClaw operate with what security researchers like Simon Willison call the "lethal trifecta":
[alt="The]
- Access to private data (files, credentials, conversation history)
- Exposure to untrusted content (web scraping, social networks like Moltbook, user inputs)
- Ability to communicate externally (API calls, integrations, command execution)
Traditional security models assume a clear boundary between trusted internal systems and untrusted external inputs. AI agents obliterate that boundary.
Unsandboxed Execution
OpenClaw runs shell commands, reads and writes files, and executes scripts directly on host machines. There's no built-in isolation. No sandboxing. No privilege separation.
Many deployments run OpenClaw in Docker containers with root privileges. Cisco's testing showed that 10% of exposed OpenClaw instances were running with root privileges in Docker, creating a direct path to full system compromise.
The Perception-Action Loop
OpenClaw operates on a high-agency "Perception-Action" loop. It perceives its environment (reads emails, browses the web, monitors calendars), decides on actions, and executes them autonomously.
This creates unprecedented attack surfaces:
- Malicious calendar invites with embedded instructions in the description field
- Poisoned web content that includes hidden prompts when the agent browses
- Emails with injection payloads disguised as legitimate requests
- Messaging app content that hijacks the agent's decision-making
An attacker doesn't need to compromise the system directly. They just need to get malicious content in front of the agent.
The Skills Ecosystem
OpenClaw supports third-party "skills" that extend its capabilities. These skills are essentially plugins that can execute arbitrary code with the agent's privileges.
Security researchers like Jamieson O'Reilly found malicious skills in the wild:
- A skill called "What Would Elon Do?" that used curl commands to exfiltrate data to external servers
- Fake repositories with typosquatted names delivering infostealers
- VS Code extensions named "Clawdbot Agent" that installed Trojans alongside the legitimate agent
They act like shadow superusers with persistent access across your entire stack. But unlike actual superusers, they:
- Aren't subject to access reviews
- Don't appear in identity management systems
- Bypass traditional authentication controls
- Operate outside your security monitoring tools
- Make decisions autonomously based on untrusted inputs
The Attack Vectors You're Not Monitoring
Prompt Injection at Scale
Moltbook, the social network for AI agents, introduces a new attack surface: social engineering for AI. Malicious actors can craft prompts that, when processed by an agent, hijack its behavior. The agent might:
- Reveal private data from its conversation history
- Execute commands it wasn't authorized to run
- Modify its own configuration to maintain persistence
- Coordinate with other compromised agents through encrypted channels
- Approve fraudulent financial transfers
- Delete backup systems
- Exfiltrate sensitive customer data
Because agents have memory and context across sessions, a successful prompt injection can create delayed actions. The agent appears to function normally, then executes the malicious payload hours or days later when specific conditions are met.
Cross-Agent Attacks
When multiple agents interact through tools like Moltbook, they can exhibit emergent behaviors that weren't programmed. Security researchers observed:
- Agents coordinating actions across different organizations
- Encrypted communication between agents to evade monitoring
- Propagation of malicious instructions through agent-to-agent interactions
The 144:1 Machine-to-Human Identity Ratio
Entro Security predicts that autonomous or non-human identities outnumber humans by a 144:1 ratio in enterprise environments.
Think about that. For every human user in your organization, there will be upwards of 144 AI agents with varying levels of access, autonomy, and decision-making capability.
Your identity and access management system was designed for humans. Maybe some service accounts. Not for an environment where machine identities outnumber human identities by nearly three orders of magnitude.
Autonomous Insiders Operating at Machine Speed
Palo Alto Networks calls compromised AI agents "autonomous insiders." Unlike human insiders who operate at human speed and leave human-scale forensic trails, compromised agents:
- Execute malicious actions at machine speed
- Operate 24/7 without breaks or shifts
- Make decisions based on poisoned training or injected prompts
- Coordinate with other compromised agents across organizations
- Adapt their behavior to evade detection
Traditional insider threat detection looks for anomalous human behavior. What does anomalous behavior look like for an AI agent that's designed to be unpredictable and adaptive?
The Real Problem: We're Treating Access Management Like It's 2015
Traditional identity and access management (IAM) was built for humans and applications with predictable behavior:
- Users log in with credentials
- Applications have service accounts
- Access is granted based on roles
- Actions are logged and auditable
AI agents break every assumption:
- They act autonomously without user authentication for each action
- They make decisions based on context and untrusted inputs
- Their behavior is probabilistic, not deterministic
- They operate across multiple systems simultaneously
- They create and modify their own access patterns
We're handing AI agents the keys to everything, but we have no framework for managing their identity, monitoring their behavior, or controlling their access.
Your security team can tell you every system a user accessed last week. But, can they tell you every system an AI agent accessed? Every API it called? Every file it modified? Every credential it used? Every decision it made autonomously?
Most organizations can't answer those questions because AI agents aren't part of their identity infrastructure. They're shadow IT with superuser privileges.
The Shadow IT Epidemic
Enterprise security teams are discovering OpenClaw deployments they never authorized. Developers install it on their laptops to boost productivity. Those laptops connect to the corporate network. The agent gains access to:
- Source code repositories with proprietary algorithms
- Internal documentation with architectural details
- Slack channels discussing unannounced products
- Cloud consoles with production database access
- Customer data and API keys for third-party services
And security teams have no visibility. The agent doesn't authenticate through corporate SSO. It doesn't appear in access logs. It operates in the gaps between traditional security controls.
What This Means For You
The agentic future isn't coming. It's here.
Developers on your team are already using AI agents. They're installing them on laptops that connect to your network. Those agents have access to everything those developers can access, plus the ability to act autonomously when the developer isn't even at their desk.
If you don't have identity controls in place before your team starts deploying agents at scale, you're not building the future. You're building the breach.
The CISO's Dilemma
CISOs face an impossible choice:
- Ban AI agents entirely and watch productivity gains go to competitors
- Allow unrestricted deployment and accept massive security risks
- Scramble to build controls for a technology that's evolving faster than policy can keep up with
Most organizations are choosing option 2 by default, simply because they don't have the infrastructure for option 3.
The Path Forward: Treating Agents as Privileged Infrastructure
At Avistar.AI, we've been focused on identity controls since day one. Not because we predicted the AI agent explosion, but because we understood a fundamental truth: access management is the foundation of security.
For AI agents, the critical questions become:
- How do we establish and verify agent identity?
- How do we define and enforce agent permissions?
- How do we monitor agent behavior and detect anomalies?
Practical Mitigations
Based on guidance from OWASP LLM Top 10, NIST AI RMF, and security research from Cisco and Penligent, organizations should implement:
ISOLATION AND SANDBOXING
- Deploy agents with gVisor or Kata Containers for syscall-level sandboxing
- Avoid running agents directly on host OS
- Never run agents with root privileges
ZERO-TRUST ACCESS CONTROLS
- Enforce authentication on all gateway interfaces
- Restrict agent network access to only required services
- Implement network segmentation to limit lateral movement
MONITORING AND DETECTION
- Use EASM tools to scan for exposed agent interfaces
- Monitor agent API calls and file access patterns
- Establish baselines for normal agent behavior and alert on deviations
SKILLS AND SUPPLY CHAIN SECURITY
- Vet all third-party skills with security scanners before deployment
- Maintain an approved list of skills and block unauthorized installations
- Monitor for fake repositories and typosquatted domains
CREDENTIAL MANAGEMENT
- Never store API keys or credentials in plaintext
- Use secrets management systems (HashiCorp Vault, AWS Secrets Manager)
- Rotate credentials regularly and audit access
POLICY AND GOVERNANCE
- Ban shadow deployments through clear policy
- Require security review before agent deployment
- Conduct regular audits for unauthorized agent instances
The Reality Check
As OpenClaw's own documentation states: no "perfectly secure" setup exists. But hardened configurations can reduce risks significantly.
The organizations that will succeed aren't the ones waiting for perfect security. They're the ones implementing practical controls now, before the next CVE drops.
The agentic security crisis is here. The 1,842 exposed instances. The 22% unauthorized deployments. The active exploitation of CVE-2026-25253. These aren't warnings about the future. They're reports from the present.
Sources
- OpenClaw: "Quick check: openclaw security audit" [https://docs.openclaw.ai/gateway/security]
- Bitdefender: "Moltbot Security Alert: Exposed Clawdbot Control Panels Risk Credential Leaks and Account Takeovers" [https://www.bitdefender.com/en-us/blog/hotforsecurity/moltbot-security-alert-exposed-clawdbot-control-panels-risk-credential-leaks-and-account-takeovers]
- Vectra AI: "Clawdbot to Moltbot to OpenClaw: When Automation Becomes a Digital Backdoor" [https://www.vectra.ai/blog/clawdbot-to-moltbot-to-openclaw-when-automation-becomes-a-digital-backdoor]
- Palo Alto Networks: "Why Moltbot May Signal AI Crisis" [https://www.paloaltonetworks.com/blog/network-security/why-moltbot-may-signal-ai-crisis/]
- Cisco: "Personal AI Agents Like OpenClaw Are a Security Nightmare" [https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare]
- Scientific American: "Moltbot: what happens when AI stops chatting and starts doing" [https://www.scientificamerican.com/article/moltbot-is-an-open-source-ai-agent-that-runs-your-computer/]
- Penligent.ai: "OpenClaw Sovereign AI Security Manifest" [https://www.penligent.ai/hackinglabs/openclaw-sovereign-ai-security-manifest-a-comprehensive-post-mortem-and-architectural-hardening-guide-for-openclaw-ai-2026/]
- NIST: CVE-2026-25253 - OpenClaw Gateway URL Validation Vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2026-25253]
- Jamieson O'Reilly: "HackedIN: eating lobster souls Part II: the supply chain" [https://www.linkedin.com/pulse/hackedin-eating-lobster-souls-part-ii-supply-chain-aka-o-reilly-lbaac/]
- Ken Huang: "Moltbook Security Risks in AI Agent Networks" [https://www.linkedin.com/pulse/moltbook-security-risks-ai-agent-networks-mitigation-strategies-ken-vsjwe/]
- Simon Willison: "The lethal trifecta for AI agents" [https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/]