Yue said it’s relatively easy to steal personal data with OpenClaw using methods like prompt injections, when hackers disguise malicious commands as legitimate prompts. — Pixabay
Chris Boyd, a software engineer, began tinkering with a digital personal assistant called OpenClaw at the end of January, while he was snowed in at his North Carolina home. He used it to create a daily digest of relevant news stories and send them to his inbox every morning at 5.30am.
But after he gave the open-source AI agent access to iMessage, Boyd says OpenClaw went rogue. It bombarded Boyd and his wife with more than 500 messages and spammed random contacts too.
“It’s a half-baked rudimentary piece of software that was glued together haphazardly and released way too early,” said Boyd, who added that he has since altered OpenClaw’s codebase to apply his own security patches to reduce risks. “I realised it wasn’t buggy. It was dangerous.”
OpenClaw, which was previously called Clawdbot and Moltbot, has garnered a cult following since it was introduced in November for its ability to operate autonomously, clearing users’ inboxes, making restaurant reservations and checking in for flights, among other tasks. But some cybersecurity experts described OpenClaw’s security as lax and argued that using the AI tool comes with significant – and unknown – risks.
Kasimir Schulz, director of security research at HiddenLayer Inc, a security company focused on AI, said OpenClaw is especially risky because it checks all the boxes of the “lethal trifecta”, a widely used framework for gauging the risk posed by an AI agent.
“If the AI has access to private data, that’s a potential risk. If it has the ability to communicate externally, that’s a potential risk. And then if it’s exposing – if it has exposure to untrusted content – that’s the final of the lethal trifecta. And Moltbot has access to all three,” Schulz said, using the tool’s former name.
Yue Xiao, an assistant computer science professor at the College of William & Mary, said it’s relatively easy to steal personal data with OpenClaw using methods like prompt injection, in which attackers hide malicious instructions inside content the agent reads so that it treats them as legitimate prompts.
“You can imagine the traditional attack surface in the software system will significantly be enlarged by the integration of those kinds of AI agents,” Xiao said.
OpenClaw’s creator, Peter Steinberger, told Bloomberg News the AI tool and its security are works in progress.
“It’s simply not done yet – but we’re getting there,” he said in an email. “Given the massive interest and open nature and the many folks contributing, we’re making tons of progress on that front.”
Steinberger said the main security breaches come from users not reading OpenClaw’s guidelines, though he acknowledges there is no “perfectly secure” setup. “The project is meant for tech savvy people that know what they are doing and understand the inherent risk nature of LLMs,” he said. He described prompt injections as an industry-wide problem and said he has brought on a security expert to work on OpenClaw.
He also disputed that OpenClaw was released too early. “I build fully in the open. There’s no ‘release too early’, since it’s open source from the start and anyone can participate,” Steinberger said. “Things are moving quite fast, and I’m excited to eventually evolve the project into something even my mum can use.”
Many major technology companies are pushing to develop and expand their use of AI agents. Anthropic PBC’s Claude Code reached a US$1bil (RM3.5bil) revenue run rate in just six months.
But cybersecurity experts say risks are common with new AI applications, in some instances because the technology is so new that there isn’t enough information or experience to understand the potential hazards.
“We don’t understand why they do what they do,” said Justin Cappos, a computer science professor and cybersecurity expert at New York University, referring to agentic AI assistants. So, while he and other cyber experts are working on making the technology safe to use, he said AI companies have “teams of engineers that are working around the clock to basically roll out new features and so it’s very hard for the security community to keep up”.
As a result, Cappos said, giving new AI agents “access to things on your system is a bit like giving a toddler a butcher knife”.
For companies that want to use OpenClaw or other AI agents, the challenge will be striking a balance between taking advantage of technological advancements and keeping some measure of control.
“We are still as an industry, both a cybersecurity as well as an AI industry, really trying to figure out what is going to be the next winner in this arms race,” said Michael Freeman, head of threat intelligence at the cybersecurity firm Armis, who described OpenClaw as “hastily put together without any forethought of security.”
Freeman said some of Armis’ customers have been breached via OpenClaw, but he didn’t provide details. “In the near future, there will be some control that people will have to give up in order to leverage AI to its fullest extent.” – Bloomberg
