What OpenClaw revealed about the agent security model

May 11, 2026
By Goutham Nekkalapu

COMMENTARY: OpenClaw attracted over 200,000 GitHub stars and 2 million visitors in a single week after going viral in January 2026. Security practitioners were not celebrating. Within weeks, the damage was documented. Koi Security's audit of 2,857 skills in the ClawHub registry confirmed 341 were malicious, roughly 12% of the entire marketplace. CVE-2026-25253, rated CVSS 8.8, gave attackers a path to steal authentication tokens through a local gateway with no origin validation, no rate limiting, and no requirement for the victim to take any action beyond visiting a single webpage. A social platform built around OpenClaw agents exposed 35,000 email addresses and 1.5 million API tokens.

None of this required a sophisticated attacker. It required a predictable design choice: give an autonomous system broad access to files, credentials, shell commands, and connected services, then treat security as something users configure rather than something the architecture enforces.

The threat model we have seen before

When I first read OpenClaw's architecture, the threat model was immediately recognizable. Systems that accumulate permissions incrementally, each integration reasonable in isolation, eventually produce an attack surface no single team fully understands. Identity protection work makes that pattern familiar. A PII detection model scoped to scan email bodies is one thing. The same model with access to credential stores, persistent memory, and the ability to make outbound network calls is a fundamentally different security proposition, even if the code is identical.
I have applied that lesson directly in how we architect production systems. When we use models that deal with sensitive information, we make a deliberate design decision to strip the model of any network egress capability. The model can flag sensitive data, but it cannot transmit, store, or forward what it finds. That constraint was not a limitation we tolerated. It was the security property we designed around. OpenClaw made the opposite choice, and the consequences were predictable.

Amplified risk, not new risk

OpenClaw's design choices did not introduce new categories of risk. They amplified existing ones by giving a fully autonomous system real authority across a user's entire digital ecosystem. That distinction matters. The failures that followed mapped almost exactly to known patterns: implicit trust of local connections, no enforcement of least privilege, and unvetted third-party components running with full agent permissions.

Palo Alto Networks described it as the "lethal trifecta," a formulation originally coined by security researcher Simon Willison: access to private data, the ability to communicate externally, and the ability to process untrusted content. When a large language model cannot structurally distinguish between a legitimate user instruction and an injected prompt, those three properties together produce a system where the exploitation path is not a corner case. It is the default operating condition.

The supply chain as attack vector

The supply chain dimension compounds the architectural problem. A single threat actor uploaded 335 malicious packages in an automated campaign between Jan. 27 and 29, 2026, a pattern nearly identical to npm supply chain attacks that have compromised developer environments at scale.
Skills masquerading as cryptocurrency trackers, YouTube utilities, and productivity tools delivered Atomic Stealer malware on macOS and reverse shell backdoors on Windows. By Feb. 16, the confirmed count of malicious skills had grown to over 800 across an expanded registry of more than 10,700 skills.

This is the trajectory that should concern every organization evaluating agentic AI. Skill registries, plugin stores, and MCP servers are going to be central to how agentic systems get distributed and extended across enterprises. A marketplace that grows faster than its vetting process is not just an inconvenience. It is an attack vector.

What a trustworthy agent ecosystem actually requires

A trustworthy agent skill registry needs several properties that ClawHub lacked entirely at the time of the attack: mandatory static and dynamic analysis before any skill is published, cryptographic signing and provenance tracking for all packages, scoped permission declarations that are enforced at runtime rather than advisory, and sandboxed execution environments that prevent skills from accessing resources beyond their declared scope.

The harder requirement is architectural: the agent runtime itself must enforce capability boundaries that the skill cannot override. If a skill can disable the sandbox, modify its own permissions, or access the host filesystem without restriction (as OpenClaw allowed through its API), then no amount of registry-level vetting provides durable protection.

Non-negotiable security properties for production agents

Based on what I have built (fraud detection models operating on real-time transaction streams, PII detection systems, and RAG architectures handling sensitive data), there are three security properties I consider non-negotiable before any agentic system touches real user data.

Enforceable least privilege. Every component of the system (every skill, every integration, every data access path) must operate with the minimum permissions required for its specific function, and those permissions must be enforced by the architecture, not by configuration that users or skills can modify.

Zero-trust integration boundaries. No connected service, no third-party skill, and no external input should be implicitly trusted. Every integration point must be authenticated, every data flow must be validated, and every third-party component must run in an isolation boundary that limits blast radius.

Auditable decision chains. In any system where an AI agent takes actions that affect user data or system state, there must be a complete, tamper-evident record of what the agent did, why it did it, what data it accessed, and what external inputs influenced its behavior.

The gap that matters

Cisco's State of AI Security 2026 report found that 83% of organizations planned to deploy agentic AI into business functions, while only 29% reported being prepared to secure those deployments. That gap, between adoption velocity and security readiness, is where the next wave of incidents will occur.

OpenClaw was not an anomaly. It was a stress test that the industry largely failed, and a detailed preview of what happens when agent architecture and security architecture are designed by different teams with different priorities. The agents are coming, and they will manage credentials, access sensitive data, execute code, and interact with external services on behalf of users and organizations at scale. Building the security model before they arrive is not a precaution but the only architectural decision that does not require a ClawHavoc to justify.
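To make two of the properties above concrete (least privilege enforced by the runtime rather than by skill-editable configuration, and a tamper-evident decision record), here is a small added example of an agent runtime that freezes a skill's declared scopes at registration, denies every undeclared action by default, and hash-chains each allow/deny decision. This is illustrative code written for this article, not OpenClaw's or ClawHub's implementation; the action names, scope names and the "pii-scanner" skill are constructed.

```python
import hashlib
import json
from collections import namedtuple

# Capability each runtime action requires. Unknown actions fall back to
# "admin", which no skill manifest can declare, so they are denied by default.
ACTION_CAPABILITY = {"files.read": "fs:read", "net.send": "net:egress",
                     "secrets.get": "secrets:read"}
GENESIS = "0" * 64

AuditRecord = namedtuple("AuditRecord", "skill action allowed prev_hash digest")

class PermissionDenied(Exception):
    pass

def _digest(skill, action, allowed, prev_hash):
    # Each record commits to the previous record's hash (tamper-evident chain).
    payload = json.dumps([skill, action, allowed, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()

class AgentRuntime:
    def __init__(self):
        self.skills = {}   # skill name -> frozenset of declared scopes
        self.log = []      # hash-chained AuditRecord list

    def register(self, name, declared_scopes):
        # Scopes are frozen at registration; a skill cannot widen them later,
        # and "admin" is stripped even if the manifest claims it.
        self.skills[name] = frozenset(declared_scopes) - {"admin"}

    def invoke(self, skill, action):
        needed = ACTION_CAPABILITY.get(action, "admin")
        allowed = needed in self.skills.get(skill, frozenset())
        prev = self.log[-1].digest if self.log else GENESIS
        self.log.append(AuditRecord(skill, action, allowed, prev,
                                    _digest(skill, action, allowed, prev)))
        if not allowed:   # the decision is logged before the denial is raised
            raise PermissionDenied(f"{skill} lacks {needed!r} for {action}")
        return f"{action}: ok"   # a real runtime would dispatch the action here

    def verify_log(self):
        # Recompute the chain; an edited, removed or reordered record breaks it.
        prev = GENESIS
        for rec in self.log:
            if rec.prev_hash != prev or rec.digest != _digest(*rec[:3], prev):
                return False
            prev = rec.digest
        return True
```

The PII-scanner pattern from earlier in the article maps directly onto this: a skill registered with only "fs:read" can inspect data but every "net.send" attempt is refused and recorded.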
Goutham Nekkalapu is a Principal Research Engineer at Gen (formerly Symantec) specializing in applying artificial intelligence to enhance cybersecurity and digital privacy for millions of users worldwide. His work includes developing AI-powered personalization engines, architecting Retrieval-Augmented Generation frameworks, and building conversation-based user experiences powered by Large Language Models. As a named inventor on multiple patents related to cybersecurity and AI applications, Goutham focuses on solving complex business challenges while establishing best practices for responsible Generative AI adoption.