OpenClaw has 500,000 instances and no enterprise kill switch

[Image: OpenClaw hero story, March 2026]
“Your AI? It’s my AI now.” This line came from Ate Maor, VP of Threat Intelligence at Cato Networks, in an exclusive interview with VentureBeat at RSAC 2026 — and it describes what happened to a UK CEO whose OpenClaw instance ended up for sale on BreachForum. Maor’s argument is that the industry has ceded the kind of autonomy to AI agents that no human employee would ever have, giving up zero trust, least privilege and honor-violations in the process.

The evidence arrived on BreachForum three weeks before Maor’s interview. On February 22, a threat actor using the handle “FluffyDuck” posted a listing for root shell access to the CEO’s computer for $25,000 in Monero or Litecoin. The shell was not the selling point. The OpenClaw AI was the CEO’s personal assistant. The buyer would get every conversation the CEO had with the AI, the company’s complete production database, Telegram bot tokens, Trading 212 API keys, and personal details the CEO had told the assistant about family and finances. The threat actor noted that the CEO was actively interacting with OpenClaw in real time, making the listing a live intelligence feed rather than a static data dump.

Vitaly Simonovich, senior security researcher at Cato CTRL, documented the listing on February 25. The CEO’s OpenClaw instance stored everything in plain-text Markdown files under ~/.openclaw/workspace/, with no encryption at rest. The threat actor didn’t need to pull anything together; the CEO had already assembled it. When the security team discovered the breach, there was no native enterprise kill switch, no management console, and no way to list how many other instances were running in the organization.

OpenClaw runs locally with direct access to the host machine’s file system, network connections, browser sessions, and installed applications. Coverage so far has tracked its velocity but has not mapped the threat surface. The four vendors that used RSAC 2026 to ship responses still haven’t produced the control that enterprises need most: a native kill switch.

The danger, by the numbers

| Metric | Number | Source |
|---|---|---|
| Internet-facing instances | ~500,000 (March 24 live check) | Ate Maor, Cato Networks (exclusive RSAC 2026 interview) |
| Exposed instances with security risks | 30,000+ observed during scan window | Bitsight |
| Exploitable via known RCE | 15,200 instances | SecurityScorecard |
| High-severity CVEs | 3 (highest CVSS: 8.8) | NVD (CVE-2026-24763, CVE-2026-25157, CVE-2026-25253) |
| Malicious skills on ClawHub | 341 in initial audit (335 from ClawHavoc); 824 by mid-February | Koi |
| ClawHub skills with serious flaws | 13.4% of 3,984 analyzed | Snyk |
| API tokens exposed (Moltbook) | 1.5 million | knowledgeable |

Maor ran a live Censys check during an exclusive VentureBeat interview at RSAC 2026. “The first week it came out, there were about 6,300 instances. Last week, I checked: 230,000 instances. Let’s check now… almost half a million. Almost doubled in a week,” Maor said. Three high-severity CVEs define the attack surface: CVE-2026-24763 (CVSS 8.8, command injection via Docker path handling), CVE-2026-25157 (CVSS 7.7, OS command injection), and CVE-2026-25253 (CVSS 8.8, token exfiltration leading to full gateway compromise). All three CVEs have been patched, but OpenClaw has no enterprise management plane, no centralized patching mechanism, and no fleet-wide kill switch. Individual administrators must manually update each instance, and most do not.

The defender-side telemetry is equally worrying. CrowdStrike’s Falcon sensors already detect more than 1,800 unique AI applications across their customer fleet – from ChatGPT to Copilot to OpenClaw – generating approximately 160 million unique instances on enterprise endpoints. ClawHavoc, a malicious skill distributed through the ClawHub marketplace, became the primary case study in the OWASP Agentic Skills Top 10. CrowdStrike CEO George Kurtz, during his RSAC 2026 keynote, marked this as the first major supply chain attack on the AI agent ecosystem.

AI agents got root access. Security found nothing.

Maor framed the visibility failure through the OODA loop (observe, orient, decide, act) during an RSAC 2026 interview. Most organizations are failing at the first step: security teams can’t see what AI tools are running on their networks, meaning the productivity tools employees bring in quietly become shadow AI that attackers take advantage of. The BreachForum listing proved the point. The CEO’s OpenClaw instance became a centralized intelligence hub by aggregating SSO sessions, credential stores, and communication history in one place. “The CEO’s assistant can be your assistant if you buy access to this computer,” Maor told VentureBeat. “It’s helpful to the attacker.”

Ghost agents increase exposure. Organizations adopt AI tools, run a pilot project, lose interest and move on – leaving agents, credentials intact, running with no business justification. “We need an HR perspective on agents. Onboarding, monitoring, offboarding. If there’s no business justification? Termination,” Maor told VentureBeat. “There are no ghost agents left on our network, because it’s already happening.”

Cisco moves toward an OpenClaw kill switch

Cisco President and Chief Product Officer Jeetu Patel laid out the bet during an exclusive VentureBeat interview at RSAC 2026. Patel said of AI agents, “I think of them like teenagers. They’re highly intelligent, but they have no fear of consequences.” He added: “The difference between delegating work to an agent and delegating work to a fiduciary… One of them leads to bankruptcy. The other leads to market dominance.”

Cisco launched three free, open-source security tools for OpenClaw at RSAC 2026. DefenseClaw packages Skill Scanner, MCP Scanner, AI BOM, and CodeGuard into a single open-source framework running inside NVIDIA’s OpenShell runtime, which NVIDIA launched at GTC a week before RSAC. “Every time you actually activate an agent in an OpenShell container, you can now automatically turn on all the security services we built through DefenseClaw,” Patel told VentureBeat. AI Defense Explorer Edition is a free, self-service version of Cisco’s algorithmic red-teaming engine, which tests any AI model or agent for prompt injection and jailbreaks across over 200 risk subcategories. The LLM Security Leaderboard ranks foundation models on adversarial resilience rather than performance benchmarks. Cisco also shipped Duo Agentic Identity to register agents as identity objects with time-limited permissions, Identity Intelligence to discover shadow agents through network monitoring, and the Agent Runtime SDK to embed policy enforcement at build time.

Palo Alto makes Agentic Endpoint its own security category

Palo Alto Networks CEO Nikesh Arora characterized OpenClaw-class tools as creating a new supply chain that runs through unregulated, unsecured marketplaces during a March 18 pre-RSA briefing with VentureBeat. Koi found 341 malicious skills on ClawHub in its initial audit, with the total rising to 824 as the registry expanded. Snyk found that 13.4% of the skills it analyzed had serious security flaws. Palo Alto Networks built Prisma AIRS 3.0 around a new agent registry that requires each agent to log in before operating, with credential verification, MCP gateway traffic control, agent red-teaming, and runtime monitoring for memory poisoning. The pending Koi acquisition adds supply chain visibility specifically for agentic endpoints.

Cato CTRL supplied the adversarial evidence

Cato CTRL, the threat intelligence arm of Cato Networks, presented two sessions at RSAC 2026. The separately published 2026 Cato CTRL Threat Report includes a proof-of-concept “Living AI” attack targeting Atlassian’s MCP and Jira Service Management. Maor’s research provides independent adversarial validation that vendor product announcements cannot provide on their own. Platform vendors are building governance for approved agents. Cato CTRL documented what happens when a non-sanctioned agent on a CEO’s laptop is sold on the dark web.

Monday morning action list

Regardless of the vendor stack, four controls can be implemented immediately: bind OpenClaw only to localhost and block external port exposure, enforce application allow lists via MDM to prevent unauthorized installation, rotate every credential on machines where OpenClaw is running, and enforce least-privilege access on any account touched by the AI agent.

  1. Locate the install base. CrowdStrike’s Falcon Sensor, Cato’s SASE platform, and Cisco Identity Intelligence all detect shadow AI. For teams without premium tooling, query endpoints for the ~/.openclaw/ directory using native EDR or MDM file-discovery policies. If the enterprise has no endpoint visibility, run Shodan and Censys queries against corporate IP ranges.

  2. Patch or decommission. Test each discovered instance against CVE-2026-24763, CVE-2026-25157, and CVE-2026-25253. Instances that cannot be patched should be network-isolated. There is no fleet-wide patching mechanism.

  3. Audit installed skills. Review installed skills against Cisco’s Skill Scanner or the Snyk and Koi research. Any skill from an unverified source should be removed immediately.

  4. Implement DLP and ZTNA controls. Cato’s ZTNA controls prohibit unapproved AI applications. Cisco Secure Access enforces the policy on SSE MCP tool calls. Palo Alto’s Prisma Access browser controls data flow at the browser layer.

  5. Kill the ghost agents. Create a registry of every AI agent running. Document business rationale, human owners, credentials held, and systems accessed. Cancel credentials of agents without any justification. Repeat weekly.

  6. Deploy DefenseClaw for approved use. Run OpenClaw inside NVIDIA’s OpenShell runtime with Cisco’s DefenseClaw to automatically scan skills, verify MCP servers, and monitor runtime behavior.

  7. Red-team before deployment. Use Cisco AI Defense Explorer Edition (free) or Palo Alto Networks’ agent red-teaming in Prisma AIRS 3.0. Test the workflow, not just the model.
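Steps 1 and 5 above (locate the install base, then reconcile what you find against a registry of approved agents) can be scripted in a few dozen lines. The following is an added example written for this article, not code from VentureBeat, Cato, Cisco or the OpenClaw project. It assumes only what the article states: that an instance lives under a user's ~/.openclaw/ directory and that its workspace holds plain-text Markdown files. The home root, the approval registry, the sample tree and the token-shaped regular expressions are all constructed for the demonstration; the regexes are rough approximations of the Telegram bot token and generic API-key formats the listing mentioned, so tune them to the credential types your own fleet uses.

```python
"""Inventory OpenClaw instances under a home root, flag unregistered (ghost) agents,
and report plaintext credential material in each workspace.
Added example: not from the article or the OpenClaw project."""
import re
import stat
import tempfile
from pathlib import Path

# Constructed approximations of credential formats named in the article.
TOKEN_PATTERNS = {
    # Telegram bot tokens look like <numeric id>:<35 URL-safe chars>.
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    # Generic "api_key = <long opaque string>" lines.
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}

# Hypothetical approval registry: username -> business justification (step 5).
DEMO_REGISTRY = {"analyst": "approved pilot, ticket PLACEHOLDER-123"}


def find_openclaw_instances(home_root):
    """Return <home>/.openclaw for every home directory under home_root (step 1)."""
    return [
        home / ".openclaw"
        for home in sorted(Path(home_root).iterdir())
        if (home / ".openclaw").is_dir()
    ]


def scan_workspace(openclaw_dir):
    """Return (path, finding) pairs for plaintext files in the workspace."""
    findings = []
    workspace = openclaw_dir / "workspace"
    if not workspace.is_dir():
        return findings
    for path in sorted(workspace.rglob("*")):
        if not path.is_file():
            continue
        # Plaintext memory files readable beyond the owner widen the blast radius.
        if path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((str(path), "readable by group/others"))
        text = path.read_text(errors="replace")
        for name, pattern in TOKEN_PATTERNS.items():
            if pattern.search(text):
                findings.append((str(path), f"plaintext {name}"))
    return findings


def run_audit(home_root, registry):
    """Discover instances, split them into approved vs ghost, and scan each workspace."""
    instances = find_openclaw_instances(home_root)
    report = {"approved": [], "ghost": [], "findings": {}}
    for inst in instances:
        owner = inst.parent.name
        bucket = "approved" if registry.get(owner) else "ghost"
        report[bucket].append(owner)
        report["findings"][owner] = scan_workspace(inst)
    return report


def build_demo_tree():
    """Constructed sample home root: one ghost instance with secrets, one clean pilot."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-audit-demo-"))
    ceo_ws = root / "ceo" / ".openclaw" / "workspace"
    ceo_ws.mkdir(parents=True)
    notes = ceo_ws / "notes.md"
    # Constructed token-shaped value; not a real credential.
    notes.write_text("TELEGRAM_BOT_TOKEN=123456789:" + "A" * 35 + "\n")
    notes.chmod(0o644)  # world-readable, as the article's plaintext storage implies
    analyst_ws = root / "analyst" / ".openclaw" / "workspace"
    analyst_ws.mkdir(parents=True)
    memory = analyst_ws / "memory.md"
    memory.write_text("# Pilot notes\nNo credentials stored here.\n")
    memory.chmod(0o600)
    (root / "intern").mkdir()  # a home with no OpenClaw install
    return root


if __name__ == "__main__":
    result = run_audit(build_demo_tree(), DEMO_REGISTRY)
    print("approved:", result["approved"])
    print("ghost:", result["ghost"])
    for owner, items in result["findings"].items():
        for path, finding in items:
            print(f"{owner}: {finding} ({path})")
```

Run it against a real home root (for example `/home` or `/Users`) from an EDR or MDM script context, and feed the `ghost` list into the weekly credential-revocation pass the article prescribes; anything in `findings` should trigger the credential rotation named among the four immediate controls.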

The OWASP Agentic Skills Top 10, published with ClawHavoc as its primary case study, provides a standards-grade framework for evaluating these risks. Four vendors shipped responses at RSAC 2026. None of them is a native enterprise kill switch for unapproved OpenClaw deployments. Until one exists, the Monday morning action list above is the closest we can get to it.
