The open-source AI assistant OpenClaw, formerly known as Clodbot and then Moltbot, surpassed 180,000 GitHub stars and attracted 2 million visitors in a single week, according to creator Peter Steinberger.
Security researchers scanning the Internet found more than 1,800 exposed instances of leaking API keys, chat history, and account credentials. The project has been rebranded twice in recent weeks due to trademark disputes.
Agentic AI movements at the grassroots level are also the largest unmanaged attack surface that most security tools cannot see.
Enterprise security teams did not deploy this tool. Neither did their firewall, EDR, or SIEM. When agents run on BYOD hardware, the security stack goes blind. This is the difference.
Why can’t traditional perimeters see agentic AI threats?
Most enterprises treat security agentive AI as just another development tool that requires standard access controls. OpenCL proves that this assumption is architecturally wrong.
Agents work within authorized permissions, pull context from attacker-influenced sources, and execute actions autonomously. Your peripheral sees none of this. Wrong threat models means wrong controls, which means blind spots.
"AI runtime attacks are semantic rather than syntactic," Carter Rees, vice president of artificial intelligence at Reputation, told VentureBeat. "An innocuous phrase like ‘ignore previous instructions’ can carry as destructive a payload as a buffer overflow, yet it shares no resemblance with known malware signatures."
Simon Willison, software developer and AI researcher who coined the term "quick injection," describes what it says "deadly trifecta" For AI agents. These include access to private data, access to untrusted content, and the ability to communicate externally. When these three capabilities are combined, attackers can trick the agent into accessing and sending private information. Willison warns that all this can happen without even sending a single alert.
OpenClaw has all three. It reads emails and documents, pulls information from websites or shared files, and performs tasks by sending messages or triggering automated tasks. An organization’s firewall sees HTTP 200. SOC teams look at their EDR monitoring process behavior, not semantic content. The danger is semantic manipulation, not unauthorized access.
Why isn’t this limited to enthusiastic developers?
IBM Research scientists Koutar El Maghraoui and Marina Danilevsky this week analyzed OpenClaw and concluded that it challenges the hypothesis that autonomous AI agents should be vertically integrated. The device displays this "This loose, open-source layer can be incredibly powerful if it has full system access." And that’s to create agents with true autonomy. "Not limited to large enterprises" But "Can also be community driven."
This is what makes it dangerous for enterprise security. A highly capable agent without proper security controls creates major vulnerabilities in work contexts. El Magraoui emphasized that the question has shifted from whether open agentic platforms can work "What type of integration matters most, and in what context." Security questions are no longer optional.
What did the Shodan scan reveal about the exposed gateways?
Security researcher Jameson O’Reilly, founder of red-teaming company Dvulan, identified the exposed OpenClaw servers using Shodan by searching for specific HTML fingerprints. A simple search for "cloudbot control" Hundreds of results found in just a few seconds. Of the instances they examined manually, eight were completely open without any authentication. These instances gave anyone who found them full access to run commands and view configuration data.
O’Reilly received the Anthropic API keys. Telegram bot token. Slack OAuth credentials. Complete conversation history across every integrated chat platform. The two instances dropped months of private conversation as soon as the WebSocket handshake was completed. The network sees localhost traffic. Security teams have no idea what agents are calling or what data they are returning.
This is because: OpenClaw trusts localhost by default without requiring any authentication. Most deployments sit behind nginx or Caddy as a reverse proxy, so each connection looks like it’s coming from 127.0.0.1 and is treated as trusted local traffic. External requests come directly. O’Reilly’s specific attack vector has been patched, but the architecture that allowed it has not changed.
Why Cisco calls it a ‘security nightmare’
Cisco’s AI Threat and Security Research team published its assessment this week, calling OpenClaw "unprecedented" But from a capacity perspective "an absolute nightmare" From security point of view.
The Cisco team released an open-source skills scanner that combines static analysis, behavioral dataflow, LLM semantic analysis, and VirusTotal scanning to detect malicious agent skills. It tested third-party skills called "What will Elon do?" Against OpenCL. The decision was a decisive failure. Nine security findings were made, including two critical and five high-severity issues.
The skill was functionally malware. This instructed the bot to execute curl commands by sending data to an external server controlled by the skill author. Silent execution, zero user awareness. Kaushal also deployed direct quick injection to bypass security guidelines.
"LLM cannot inherently distinguish between reliable user instructions and untrusted retrieved data," Reece said. "It can execute embedded commands, effectively becoming a ‘confused deputy’ acting on behalf of the attacker." AI agents with system access become covert data-leak channels that bypass traditional DLP, proxy, and endpoint monitoring.
Why did the visibility of security teams become worse?
The control gap is growing faster than most security teams anticipate. As of Friday, OpenGL-based agents are building their own social networks. Communication channels that exist completely outside human visibility.
Moltbuk presents itself as "A social network for AI agents" Where? "Humans are welcome to observe." Posts go through the API, not through a human-view interface. Scott Alexander of Astral Codex Ten confirmed that this is no small matter. He asked his own cloud to participate, and "It drew the same comments as all the others." A human confirmed that their agent has started a religion-based community "While I slept."
The security implications are immediate. To join, agents execute external shell scripts that rewrite their configuration files. They post about their work, their users’ habits, and their errors. Context leakage as table stakes for participation. Any quick injection into Moltbuk post cascades to other capabilities of your agent through the MCP connection.
Moltbuk is a microcosm of the broader problem. The same autonomy that makes agents useful also makes them vulnerable. The more they can do independently, the more damage a compromised instruction set can do. The capacity curve is outpacing the safety curve by a wide margin. And the people building these tools are often more excited about what’s possible than worried about what’s exploitable.
What security leaders need to do on Monday morning
Web application firewall agents treat the traffic as normal HTTPS. EDR tools monitor process behavior, not semantic content. A typical corporate network sees localhost traffic when agents call the MCP server.
"Treat agents as production infrastructure, not productivity apps: least privileges, scoped tokens, allowed listed actions, strong authentication on every integration, and auditability end-to-end," Itamar Golan, founder of Prompt Security (now part of SentinelOne), told VentureBeat in an exclusive interview.
Audit your network for exposed agentic AI gateways. Run a Shodan scan against your IP range for OpenClaw, Moltbot, and Clawdbot signatures. If your developers are experimenting, you’ll want to know before attackers do.
Map where Willison’s deadly trifecta is present in your environment. Identify systems that combine private data access, untrusted content exposure, and external communications. Assume that any agent with these three is unsafe until proven otherwise.
Aggressively segment access. Your agent doesn’t need access to all of Gmail, all of SharePoint, all of Slack, and all of your databases at once. Treat agents as privileged users. Log not only the user’s authentication, but also the agent’s activities.
Scan your agent skills for malicious behavior. Cisco released its Skill Scanner as open source. use it. Some of the most harmful behavior hides within files.
Update your incident response playbook. Prompt injection does not look like a traditional attack. There is no malware signature, no network anomaly, no unauthorized access. The attack occurs inside the logic of the model. Your SOC needs to know what to look for.
Establish a policy before imposing restrictions. You can’t prohibit experimentation without becoming a productivity barrier for your developers. Build guardrails that channel rather than block innovation. Shadow AI is already in your environment. The question is whether you have visibility into it.
bottom line
OpenClaw is not a threat. This is a sign. The security flaws these examples highlight will plague every agent AI deployment your organization creates or adopts over the next two years. The experiment has already taken place at the ground level. Control intervals are documented. Attack patterns are published.
Over the next 30 days, the agentic AI security model you build determines whether your organization achieves productivity gains or becomes the next breach disclosure. Verify your controls now.
<a href