How AI Assistants are Shifting Security Priorities

Summary: AI-based assistants, particularly OpenClaw, are rapidly redefining security priorities for organizations. They blur the lines between trusted coworkers and insider threats, raising significant concerns about data privacy and security.

March 8, 2026

AI-based assistants or “agents” — autonomous programs that have access to a user’s computer, files, online services, and can automate virtually any task — are gaining popularity among developers and IT workers. But as recent headlines have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations while blurring the lines between data and code, trusted co-workers and insider threats, ninja hackers and novice coders.

The latest trend in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer, proactively taking actions on your behalf without needing to be prompted.

If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your digital life, where it can manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams, or WhatsApp. Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also have these capabilities, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative based on what it knows about your life and its understanding of what you want done.

‘The testimonials are remarkable,’ noted the AI security firm Snyk. ‘Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks.’ You can probably already see how this experimental technology could go sideways in a hurry.

In late February, Summer Yue, the director of safety and alignment at Meta’s ‘superintelligence’ lab, recounted on Twitter/X how she was fiddling with OpenClaw when the AI assistant suddenly began mass-deleting messages in her email inbox. The thread included screenshots of Yue frantically pleading with the preoccupied bot via instant message and ordering it to stop.

‘Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox,’ Yue said. ‘I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.’

Meta’s director of AI safety, recounting on Twitter/X how her OpenClaw installation suddenly began mass-deleting her inbox.

While there’s nothing wrong with feeling a little schadenfreude at Yue’s encounter with OpenClaw (which fits Meta’s ‘move fast and break things’ model but hardly inspires confidence in the road ahead), the risk that poorly-secured AI assistants pose to organizations is no laughing matter. Recent research shows many users are exposing web-based administrative interfaces for their OpenClaw installations to the Internet.

Jamieson O’Reilly, a professional penetration tester and founder of the security firm DVULN, recently warned on Twitter/X that exposing a misconfigured OpenClaw web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential the agent uses — from API keys and bot tokens to OAuth secrets and signing keys. With this access, O’Reilly said, an attacker could impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent’s existing integrations in a way that looks like normal traffic.

‘You can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen,’ O’Reilly said, noting that a cursory search revealed several hundred such servers exposed online. ‘And because you control the agent’s perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they’re displayed.’
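The exposure O’Reilly describes starts with an administrative interface listening on an address reachable from outside the host. The following audit is an added example, not code from OpenClaw or from O’Reilly: it parses `ss -ltnp` output and flags listening sockets of a given process that are bound to anything other than a loopback address. The sample output, the process name `agent-ui` and the port number are constructed placeholders.

```python
from ipaddress import ip_address

# Constructed sample of `ss -ltnp` output; not captured from a real host. The
# process name and port are placeholders, not the agent's real values.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*         users:(("agent-ui",pid=4242,fd=7))
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*         users:(("agent-ui",pid=4242,fd=8))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
LISTEN 0      128    [::1]:5432          [::]:*            users:(("postgres",pid=77,fd=5))
LISTEN 0      128    *:8080              *:*               users:(("proxy",pid=55,fd=4))
"""


def split_endpoint(field: str):
    """'127.0.0.1:18789' -> ('127.0.0.1', '18789'); '[::]:22' -> ('::', '22'); '*:80' -> ('*', '80')."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), port


def is_exposed(host: str) -> bool:
    """True when the socket accepts connections from beyond the local machine."""
    if host in ("*", ""):          # ss prints wildcard binds as '*'
        return True
    return not ip_address(host).is_loopback


def exposed_listeners(ss_text: str, process_hint: str = "agent"):
    """Return (host, port, process) for LISTEN sockets whose process column contains
    process_hint and whose local address is not loopback. process_hint="" checks all."""
    found = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                 # header line or non-listening state
        host, port = split_endpoint(parts[3])
        process = parts[5] if len(parts) > 5 else ""
        if process_hint in process and is_exposed(host):
            found.append((host, port, process))
    return found


if __name__ == "__main__":
    for host, port, proc in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED {host}:{port} {proc}")
```

On a real host, pipe `ss -ltnp` into `exposed_listeners` and treat any hit for the agent's UI as a misconfiguration to fix (bind to loopback and reach it over SSH or a VPN) rather than something to protect with a password alone.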

O’Reilly documented another experiment demonstrating how easy it is to create a successful supply chain attack through ClawHub, which serves as a public repository of downloadable ‘skills’ that allow OpenClaw to integrate with and control other applications.

WHEN AI INSTALLS AI

One of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant. This is critical because AI systems are prone to ‘prompt injection’ attacks, sneaky natural language instructions that trick the system into disregarding its own security measures.
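The isolation principle above, together with Yue’s ‘confirm before acting’ episode, maps onto a small policy layer between an agent’s planner and its tools. The gate below is an added example of such a design, not OpenClaw’s code: tool names, channel labels and the session limit are assumptions. Instructions that arrived as data (an inbound email, a web page, a stranger’s chat) can never trigger a tool call; each destructive action needs its own single-use confirmation from the operator; and a kill switch reachable from any channel the operator holds stops everything.

```python
import secrets
from dataclasses import dataclass, field

OPERATOR = "operator"                    # the only principal that may confirm or halt
TRUSTED_SOURCES = {OPERATOR, "cron"}     # channels whose instructions may trigger tools
DESTRUCTIVE = {"email.delete", "file.delete", "shell.exec"}  # hypothetical tool names
SESSION_LIMIT = 3                        # destructive calls allowed per session


@dataclass
class ActionGate:
    """Sits between the agent's planner and its tool layer (hypothetical design)."""
    pending: dict = field(default_factory=dict)  # token -> (action, target), single use
    destructive_done: int = 0
    halted: bool = False

    def request(self, source: str, action: str, target: str):
        """Decide on a tool call. Returns ('allow' | 'deny' | 'confirm', detail)."""
        if self.halted:
            return ("deny", "gate halted by operator")
        if source not in TRUSTED_SOURCES:
            # Text the agent merely read is data, not instructions: a prompt
            # injection inside an email cannot reach a tool through this path.
            return ("deny", f"untrusted source {source!r}")
        if action not in DESTRUCTIVE:
            return ("allow", None)
        if self.destructive_done >= SESSION_LIMIT:
            return ("deny", "session limit for destructive actions reached")
        token = secrets.token_hex(8)
        self.pending[token] = (action, target)
        return ("confirm", token)        # operator must approve this exact action out of band

    def confirm(self, confirmer: str, token: str):
        """Consume a confirmation token; only the operator can, and only once."""
        if self.halted or confirmer != OPERATOR or token not in self.pending:
            return ("deny", "invalid or unauthorized confirmation")
        action, target = self.pending.pop(token)   # single use: no reuse for a bulk run
        self.destructive_done += 1
        return ("allow", (action, target))

    def halt(self, source: str) -> bool:
        """Kill switch; the operator can pull it from a phone as easily as a desktop."""
        if source == OPERATOR:
            self.halted = True
        return self.halted
```

Because a token authorizes one (action, target) pair, a planner that decides to clear an inbox must obtain one confirmation per message and hits the session limit long before it can ‘speedrun’ a mailbox.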

Why it matters

AI assistants like OpenClaw are shifting security priorities by blurring traditional lines of trust and access. This shift poses significant challenges for organizations in maintaining robust security practices, as highlighted by recent incidents where such tools inadvertently or maliciously caused data breaches and unauthorized access issues. These risks underscore the need for updated cybersecurity strategies that address these new vulnerabilities.

Key metrics

  • Number of misconfigured OpenClaw web interfaces exposed to the Internet: several hundred (per O’Reilly’s cursory search, indicating widespread misconfiguration).