The Pulse

The official blog of Sentinel Technologies

OpenClaw: The AI Agent That Outran Every Security Playbook

Tue February 17, 2026

By Richard Sonnen, Sentinel Director of AI Innovation & Consulting

Three weeks. That’s how long it took for an open-source project called OpenClaw to go from obscurity to 190,000 GitHub stars, 720,000 weekly downloads, and a Mac mini shortage in U.S. stores. Most security teams didn’t have time to evaluate it before adoption was already underway.

What is OpenClaw?

OpenClaw is a locally hosted AI agent that controls a user’s computer autonomously. It doesn’t just answer questions; it executes shell commands, manages files, sends messages through Slack, Teams, WhatsApp, and iMessage, reads and writes email, and manages calendars. It runs 24/7 and extends its capabilities through a community plugin marketplace called ClawHub.

The appeal is obvious. An AI assistant that handles your email, manages your calendar, monitors your messages, and works while you sleep, all running on your own hardware. People compared it to Jarvis from Iron Man. They weren’t wrong about the capability. They were wrong about the risk.

Everything, everywhere, all at once

A critical remote code execution vulnerability (CVSS 8.8) allowed attackers to take full control of an OpenClaw instance through a single click on a malicious link, even for installations running on localhost. SecurityScorecard found over 135,000 instances exposed to the public internet, 50,000 still vulnerable after the patch was available, and 53,000 associated with known threat actor IPs.

The plugin marketplace was worse. Security audits found that roughly 20% of all ClawHub packages were malicious. One researcher found malware within two minutes of looking. A single threat actor distributed 386 malicious packages targeting crypto wallets, SSH keys, browser passwords, and API keys.

By mid-February, commodity malware like RedLine and Lumma had been updated to specifically target OpenClaw’s configuration directory, harvesting stored authentication tokens. A security audit cataloged 512 vulnerabilities, 8 critical—findings Kaspersky cited in declaring OpenClaw unsafe for use. Cisco’s AI security research team called it “an absolute nightmare.”

This didn’t happen at the office

An employee bought a Mac mini, set it up at home, installed OpenClaw with a single command, and connected their corporate Outlook, Slack, and GitHub. The agent now operates with their full credentials, on hardware you don’t manage, on a network you’ve never seen. Your endpoint protection doesn’t apply. Neither does your DLP or device management.

And the employee didn’t do this to circumvent anyone. They did it because it’s genuinely useful, a respected AI researcher tweeted about it, and the setup guide made it look easy and safe. No exploit required. The employee and the threat vector are cooperating, willingly, because nobody explained why that’s a problem.

Bitdefender’s telemetry confirmed exactly this pattern: employees connecting corporate email, repos, and internal systems to personal AI agents with no organizational oversight. These agents hold delegated credentials outside your IAM controls. When the project’s creator was first told about the marketplace malware, he said security “isn’t really something that he wants to prioritize.”

What to do now

Find it. Most major endpoint and security platforms have shipped OpenClaw detection capabilities in the last two weeks. If you need help running discovery across your environment or aren’t sure what your current tooling covers, contact your Sentinel account manager. We can help you scope and execute.

Rotate exposed credentials. Any corporate credential that was accessible to an OpenClaw instance should be treated as compromised. API keys, OAuth tokens, service accounts, session cookies. If you can’t determine what was exposed, err broadly.

Know where your credentials are actually being used. Static credential inventories aren’t enough when an employee can delegate their access to an autonomous agent in 30 seconds. You need visibility into where and how credentials are being exercised, not just who holds them. Look for anomalous access patterns, unfamiliar device fingerprints, API calls from residential IPs at 3 AM.
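
A sketch of that kind of check, added here as an illustration and not taken from Sentinel tooling or any vendor product: it scores normalized credential-use events on the three signals named above and flags events where at least two agree. The event fields, corporate network ranges, device fingerprints, and UTC offsets are constructed assumptions, and "outside corporate ranges" stands in for "residential IP", which in practice needs an IP-reputation or ASN data source.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): corporate egress ranges,
# per-user known device fingerprints, and each user's usual UTC offset.
CORP_NETS = [ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]
KNOWN_DEVICES = {"alice": {"fp-laptop-01"}, "bob": {"fp-laptop-07"}}
UTC_OFFSET_HOURS = {"alice": -6, "bob": -5}
QUIET_HOURS = range(0, 5)  # 00:00-04:59 in the user's local time

# Constructed sample events, shaped like normalized sign-in / API audit records.
EVENTS = [
    {"user": "alice", "ts": "2026-02-10T15:12:00+00:00", "ip": "198.51.100.23",
     "device": "fp-laptop-01", "action": "mail.read"},
    {"user": "alice", "ts": "2026-02-11T09:04:00+00:00", "ip": "203.0.113.77",
     "device": "fp-unknown-9c", "action": "mail.read"},
    {"user": "bob", "ts": "2026-02-11T14:30:00+00:00", "ip": "203.0.113.5",
     "device": "fp-laptop-07", "action": "repo.clone"},
]

def reasons(event):
    """Return the signals that fire for one credential-use event."""
    hits = []
    if event["device"] not in KNOWN_DEVICES.get(event["user"], set()):
        hits.append("unfamiliar_device")
    ip = ip_address(event["ip"])
    if not any(ip in net for net in CORP_NETS):
        hits.append("non_corporate_ip")
    tz = timezone(timedelta(hours=UTC_OFFSET_HOURS.get(event["user"], 0)))
    if datetime.fromisoformat(event["ts"]).astimezone(tz).hour in QUIET_HOURS:
        hits.append("quiet_hours")
    return hits

def triage(events, threshold=2):
    """Flag events where at least `threshold` independent signals agree."""
    flagged = []
    for e in events:
        r = reasons(e)
        if len(r) >= threshold:
            flagged.append((e["user"], e["ts"], e["action"], r))
    return flagged

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Requiring two signals keeps an ordinary work-from-home login (known device, non-corporate IP, business hours) out of the queue while still surfacing a new device exercising the same credential overnight.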

Once you’ve contained the immediate risk, the harder work starts.

Teach the why, not just the what. You already have policies about unauthorized software. They didn’t prevent this. Another policy memo won’t prevent the next one. You need to help people understand why connecting corporate credentials to a personal AI agent is dangerous; they’ve created an autonomous system with their full access that can be hijacked, surveilled, or compromised without their knowledge. People who understand the risk make better decisions than people who’ve been told not to do something.

Make it safe to come forward. Some of your employees installed OpenClaw last month. A few of them might be reading this right now. Whether they tell you about it depends entirely on what they think happens next. Punitive responses guarantee you never find the instances that matter most.

OpenClaw won’t be the last tool like this. The pattern is established: viral adoption of a capable AI agent, followed by a security reckoning. The next one will move faster.

If you’d like help assessing your exposure or building a response plan related to OpenClaw or any other AI agent that emerges in its wake, reach out to your Sentinel Account Manager.