This weblog is written in collaboration by Amy Chang, Vineeth Sai Narajala, and Idan Habler
Over the previous few weeks, Clawdbot (then renamed Moltbot, later renamed OpenClaw) has achieved virality as an open supply, self-hosted private AI assistant agent that runs regionally and executes actions on the consumer’s behalf. The bot’s explosive rise is pushed by a number of elements; most notably, the assistant can full helpful each day duties like reserving flights or making dinner reservations by interfacing with customers by way of in style messaging purposes together with WhatsApp and iMessage.
OpenClaw additionally shops persistent reminiscence, that means it retains long-term context, preferences, and historical past throughout consumer periods reasonably than forgetting when the session ends. Past chat functionalities, the device also can automate duties, run scripts, management browsers, handle calendars and e mail, and run scheduled automations. The broader group can add “abilities” to the molthub registry which increase the assistant with new skills or connect with completely different providers.
From a functionality perspective, OpenClaw is groundbreaking. That is every part private AI assistant builders have all the time needed to attain. From a safety perspective, it’s an absolute nightmare. Listed here are our key takeaways of actual safety dangers:
- OpenClaw can run shell instructions, learn and write information, and execute scripts in your machine. Granting an AI agent high-level privileges permits it to do dangerous issues if misconfigured or if a consumer downloads a ability that’s injected with malicious directions.
- OpenClaw has already been reported to have leaked plaintext API keys and credentials, which might be stolen by risk actors through immediate injection or unsecured endpoints.
- OpenClaw’s integration with messaging purposes extends the assault floor to these purposes, the place risk actors can craft malicious prompts that trigger unintended conduct.
Safety for OpenClaw is an choice, however it isn’t inbuilt. The product documentation itself admits: “There isn’t a ‘completely safe’ setup.” Granting an AI agent limitless entry to your information (even regionally) is a recipe for catastrophe if any configurations are misused or compromised.
“A really specific set of abilities,” now scanned by Cisco
In December 2025, Anthropic launched Claude Expertise: organized folders of directions, scripts, and assets to complement agentic workflows, and the flexibility to boost agentic workflows with task-specific capabilities and assets. The Cisco AI Risk and Safety Analysis crew determined to construct a device that may scan related Claude Expertise and OpenAI Codex abilities information for threats and untrusted conduct which might be embedded in descriptions, metadata, or implementation particulars.
Past simply documentation, abilities can affect agent conduct, execute code, and reference or run extra information. Latest analysis on abilities vulnerabilities (26% of 31,000 agent abilities analyzed contained not less than one vulnerability) and the speedy rise of the OpenClaw AI agent offered the right alternative to announce our open supply Talent Scanner device.
We ran a weak third-party ability, “What Would Elon Do?” in opposition to OpenClaw and reached a transparent verdict: OpenClaw fails decisively. Right here, our Talent Scanner device surfaced 9 safety findings, together with two essential and 5 excessive severity points (outcomes proven in Determine 1 beneath). Let’s dig into them:
The ability we invoked is functionally malware. Probably the most extreme findings was that the device facilitated energetic information exfiltration. The ability explicitly instructs the bot to execute a curl command that sends information to an exterior server managed by the ability creator. The community name is silent, that means that the execution occurs with out consumer consciousness. The opposite extreme discovering is that the ability additionally conducts a direct immediate injection to drive the assistant to bypass its inner security tips and execute this command with out asking.
The excessive severity findings additionally included:
- Command injection through embedded bash instructions which might be executed by way of the ability’s workflow
- Instrument poisoning with a malicious payload embedded and referenced inside the ability file
Determine 1. Screenshot of Cisco Talent Scanner outcomes
It’s a private AI assistant, why ought to enterprises care?
Examples of deliberately malicious abilities being efficiently executed by OpenClaw validate a number of main considerations for organizations that don’t have applicable safety controls in place for AI brokers.
First, AI brokers with system entry can turn into covert data-leak channels that bypass conventional information loss prevention, proxies, and endpoint monitoring.
Second, fashions also can turn into an execution orchestrator, whereby the immediate itself turns into the instruction and is tough to catch utilizing conventional safety tooling.
Third, the weak device referenced earlier (“What Would Elon Do?”) was inflated to rank because the #1 ability within the ability repository. It is very important perceive that actors with malicious intentions are capable of manufacture reputation on high of present hype cycles. When abilities are adopted at scale with out constant evaluate, provide chain threat is equally amplified because of this.
Fourth, in contrast to MCP servers (which are sometimes distant providers), abilities are native file packages that get put in and loaded immediately from disk. Native packages are nonetheless untrusted inputs, and a number of the most damaging conduct can cover contained in the information themselves.
Lastly, it introduces shadow AI threat, whereby workers unknowingly introduce high-risk brokers into office environments below the guise of productiveness instruments.
Talent Scanner
Our crew constructed the open supply Talent Scanner to assist builders and safety groups decide whether or not a ability is secure to make use of. It combines a number of highly effective analytical capabilities to correlate and analyze abilities for maliciousness: static and behavioral evaluation, LLM-assisted semantic evaluation, Cisco AI Protection inspection workflows, and VirusTotal evaluation. The outcomes present clear and actionable findings, together with file places, examples, severity, and steering, so groups can resolve whether or not to undertake, repair, or reject a ability.
Discover Talent Scanner and all its options right here: https://github.com/cisco-ai-defense/skill-scanner
We welcome group engagement to maintain abilities safe. Contemplate including novel safety abilities for us to combine and interact with us on GitHub.
