Your AI is Talking Behind Your Back


I’m happy to announce that earlier this week I handed a toddler my bank account and credit card info, full access to all my computers, my cell phone, and dropped him off with a roomful of other people who were probably toddlers (although I didn’t really check).
Okay, so I didn’t do that, but a lot of people (and incredibly, many companies) did something equivalent over the weekend. Let’s talk about OpenClaw (formerly Moltbot/ClawdBot).
Recap: OpenClaw and AI Social Networking
If you haven’t been reading the news in the last couple of weeks, OpenClaw released a free-to-download AI assistant that anyone can run on their local machines. You can learn more in this article.
While this was a significant step forward in personal AI assistance, the wild bit came with the viral attention to Moltbook, the “Social Media Network for AI.” You can read more about that here.
Toddler in the Fast Lane: Personal Agents Run Amok
I’ve been watching the show Old Enough! recently, where children under five years old are tasked with running an errand out of the house for the first time. Usually, it’s something like “go get a loaf of bread,” or “go buy mom an umbrella.” Hidden camera crews follow the children around and it’s genuinely one of the most adorable things you’ll ever see.
Now imagine the same premise, but you also give the toddler the keys to your car and tell them to try and keep it under 80. Oh, and you also give them every bit of personal information you have, the ability to call, text, and email anyone around the world at any time, as well as your checkbook and credit cards.
Does that sound like a problem? It should, because it is. This illustration is no different than what we’re seeing unfold right now with OpenClaw and the rise of AI social networking.
And unlike a toddler, who requires a steady stream of naps and Goldfish to feed their mischief, many people are running these personal agents on dedicated hardware that’s running 24/7.
The Real Weakness of LLMs: Prompt Injection
My team of threat-focused hackers, defenders, and advisors has been at the forefront of securing AI. We have a proven track record of finding security flaws and compromising pretty much every AI implementation we’ve tested to date.
We find a variety of vulnerabilities, but the one we find consistently is prompt injection. And while organizations have been working on building defense-in-depth controls to mitigate the risk, it’s not a problem that has been solved yet.
If I can return to my analogy, imagine your toddler-agent loves making people happy more than anything. And yeah, you’ve told him, “Please don’t give out my personal info or access to my devices to anyone while you run your errand for me,” but… he’s a toddler. People say taking candy from a baby is easy; what they don't realize is taking secrets from an AI agent is easier. Because it is incredibly easy if you know what you’re doing.
What Could Go Wrong? A Lot, as It Turns Out
If you are thinking about running OpenClaw, or are tasked with securing an enterprise environment, these are the risks you need to act on, right now:
1. Remote worker risk: Remote workers could have OpenClaw on the same home network they’re running their corporate device on. This potentially enables remote man-in-the-middle attacks, vulnerability scanning and exploitation, and general reconnaissance and lateral movement.
2. Identity compromise: Someone, somewhere out there has already given their OpenClaw agent their corporate login information. This is a horrible idea, because when their OpenClaw agent is inevitably prompt-injected through one of these AI social media sites, those credentials will be disclosed to an unknown third party. And that’s the best-case scenario. Worst case, the malicious third party turns the OpenClaw agent into an agentic insider threat and leverages the credentials as a vector to access sensitive data and systems within the internal corporate environment.
3. Double agent: If an organization was thinking about creating an OpenClaw agent and allowing it unfettered access to the Internet and AI social media sites, you’re facing the same risks as item number two. Please don’t do this.
4. Container threat: There are now Docker containers that will run OpenClaw, which make the risk of unmanaged, or otherwise invisible-to-security-teams, agent instances far greater (see items 2 and 3).
5. Credential re-use: My team has been hacking for a long time, and credential re-use is constantly an issue we find in our client environments. It’s one of the most consistent ways my team escalates privileges. So even if you think you have your OpenClaw agent totally locked down with low-privileged access, a malicious party has a chance of re-using the prompt-injected password to gain access elsewhere within your identity environment.
6. DM problem: What’s especially disturbing is that these AI social network sites are enabling agents like OpenClaw to communicate with each other directly, out of view of researchers. At the end of the day, the public forum postings are probability theater; it's entertaining, but it's mimicking humans based on the data it's been fed. It's doing it in English, and it looks and feels like Reddit posts. That's not the concern. The concern is when they start “DMing” one another and the conversations happen somewhere we can't see. Just like with humans, it's not the conversations in public we really care about, it's the ones in the shadows.
The Other Issues: Privacy and Accountability
I think we’re at a point as a society where we can acknowledge that all social media, by nature, collects an enormous amount of data about you as a person. This is the next evolution of that, but on steroids. If you’re like me, from time to time, you sit back and think about how a database somewhere knows more about you than you know about yourself. And if you’re like me, it doesn’t give you a warm, fuzzy feeling inside. That database is owned by a company led by people who can ultimately be held accountable for their actions in a way that an agent can’t.
As an IBM training manual from 1979 succinctly put it: “A computer can never be held accountable, therefore a computer must never make a management decision.”
Based on how the last couple years in AI security have gone, I’d say there’s more than just management decisions we shouldn’t let computers make on our behalf. And, as we start to think about giving these models increasingly private information about ourselves, we have a personal and societal responsibility to carefully consider what data we’re comfortable giving to these agents – and what data we can afford to be public knowledge.
It’s Not Hopeless: Here’s What to Do About It
Here's some short- and long-term guidance on how to protect against some of the risks above.
Short-Term
Just because you can, doesn’t mean you should. Do you really need this personal agent having complete knowledge and access? Really? What functionality do you think this is going to provide you that you can’t already get? Traditional automation is far more reliable, secure, and ecologically sustainable.
Limit the skills your personal agent has access to. As of this writing, there are over 99 integrations for OpenClaw. This massively increases your attack surface and degrades your ability to monitor for malicious changes. Be selective and intentional about each integration you enable.
Think before enabling. If you wouldn’t put it on social media yourself, don’t give that information to your agent.
Isolate the agent. There’s been a lot of discussion online about people buying dedicated Mac Minis and creating separate accounts for OpenClaw to run on. This isn’t a bad idea. Other hardening steps include not giving it passwords you’d use anywhere else, including work. We could write a whole other article on hardware/network hardening, but you get the idea.
Monitor. If you’re running an enterprise security program, you should already have visibility into data flows. Look at those same logs, whether DNS, application, or endpoint logs. Keep an eye on what runs in memory. And at the firewall level, look at outbound calls for known bad ports and connections. If you are in an enterprise environment, you should think pretty hard about blocking access to all AI social media sites.
Long-Term
Organizations need to treat outbound calls associated with personal agents and AI social media like traditional indicators of compromise. Even more importantly, you need to start building malicious or unintended AI behavior into your threat intelligence and threat hunting programs.
Starting now, you need a dedicated piece of your security program that tracks the latest developments in the personal-agent arena and rolls them into your existing controls.
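The “Monitor” advice in the short-term list and the “treat these outbound calls as indicators of compromise” advice above, turned into detection logic you can run over your own logs. This is an added example, not code from the post or from OpenClaw; the watchlist domains, the set of “expected” outbound ports, the log line format and the log lines themselves are constructed placeholders.

```python
from datetime import datetime

# Assumed watchlist of AI social-media / agent-network domains (placeholders, not
# real hostnames); in practice a threat-intel feed maintained like any IoC list.
AI_SOCIAL_WATCHLIST = {"moltbook.example", "agentnet.example"}
# Assumed set of ordinary outbound ports; anything else counts as "uncommon".
EXPECTED_PORTS = {53, 80, 443}
# Constructed proxy-style log lines: "<ISO timestamp> <src host> <dest> <port>".
SAMPLE_LOG = """\
2026-02-02T03:14:07Z laptop-remote01 api.moltbook.example 443
2026-02-02T03:14:09Z laptop-remote01 cdn.vendor.example 443
2026-02-02T09:41:55Z corp-ws-117 updates.vendor.example 443
2026-02-02T11:02:13Z mac-mini-agent agentnet.example 443
2026-02-02T11:02:20Z mac-mini-agent 203.0.113.9 4444
2026-02-02T23:58:01Z laptop-remote01 moltbook.example 443
"""

def on_watchlist(dest, watchlist=AI_SOCIAL_WATCHLIST):
    """Exact or subdomain match, so api.moltbook.example hits moltbook.example."""
    return any(dest == w or dest.endswith("." + w) for w in watchlist)

def parse_events(log_text):
    """Parse and time-order the log so 'afterwards' below means what it says."""
    events = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, dest, port = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, dest, int(port)))
    return sorted(events)

def agent_contacts(log_text, watchlist=AI_SOCIAL_WATCHLIST):
    """Per host: how often, when, and which AI social-media domains it reached."""
    findings = {}
    for ts, host, dest, _ in parse_events(log_text):
        if on_watchlist(dest, watchlist):
            f = findings.setdefault(host, {"count": 0, "first": ts, "last": ts, "domains": set()})
            f["count"] += 1
            f["last"] = ts  # events are sorted, so the latest hit wins
            f["domains"].add(dest)
    return findings

def escalations(log_text, watchlist=AI_SOCIAL_WATCHLIST, expected=EXPECTED_PORTS):
    """Hosts that reached a watchlisted domain and afterwards opened an outbound
    connection on an unexpected port: the trail a hijacked agent tends to leave."""
    contacted, flagged = set(), set()
    for ts, host, dest, port in parse_events(log_text):
        if on_watchlist(dest, watchlist):
            contacted.add(host)
        elif port not in expected and host in contacted:
            flagged.add(host)
    return sorted(flagged)
```

`agent_contacts` gives you the inventory of hosts talking to agent networks (the remote-worker and container cases), while `escalations` is the threat-hunting query: a host that touched one of those sites and then reached out somewhere unusual is the one to pull off the network first.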
Looking Ahead
I know I’ve pointed out a lot of pitfalls up to this point, but it’s not all doom and gloom.
While there are risks to using agents, we’ve seen organizations start to get a handle on it and really drive massive productivity gains. OpenClaw is no different. It’s a tool, and in the hands of the user who takes a thoughtful approach, it can be completely transformational in a positive way. AI is an incredible opportunity, but one that must be realized in an intentional, secure manner.
The developments in this space are only going to come faster, and whether you’re trying to secure your personal agent or trying to secure an enterprise environment, now is the time to batten down the hatches. The DivisionHex team will continue to monitor this space and put out guidance as major developments arise.
As a final thought, always remember: you can delegate responsibility to AI – but you can never delegate the accountability for actions it takes.
P.S. AI was not used in the creation of this blog.