What Security Teams Need to Know About OpenClaw, the AI Super Agent


February 04, 2026 | Elia Zaitsev | Securing AI

OpenClaw, an open-source AI agent previously known as Clawdbot and Moltbot, is a powerful personal assistant that can connect to LLMs, integrate with external APIs, and autonomously execute an array of tasks like sending email or controlling browsers. While OpenClaw carries the promise of AI-driven productivity, it also presents growing security concerns.

OpenClaw is installed on local machines or dedicated servers. It stores configuration data and interaction history locally, which allows its behavior to persist across sessions. Because it’s designed to run locally, users often give it expansive access to the terminal, files, and in some cases, root-level execution privileges. If employees deploy OpenClaw on corporate machines and/or connect it to enterprise systems and leave it misconfigured and unsecured, it could be commandeered as a powerful AI backdoor agent capable of taking orders from adversaries. Since the open source project has skyrocketed past 150,000 GitHub stars in the past few days, this poses a growing risk.

A range of malicious activity could threaten OpenClaw deployments. Adversaries can submit malicious instructions directly to exposed OpenClaw instances or indirectly by embedding instructions in data sources ingested by OpenClaw, such as emails or webpages. If successful, these attacks can leak sensitive data from connected systems or hijack OpenClaw’s agentic capabilities to conduct reconnaissance, move laterally, and execute adversaries’ instructions.

In this blog, we discuss how the CrowdStrike Falcon® platform helps our customers identify OpenClaw deployments, understand their exposure, and mitigate their risk.

Gain Visibility into OpenClaw Deployments

Before mitigation, security teams need to understand where OpenClaw is deployed, how it is running, and whether it is exposed. The CrowdStrike Falcon platform provides a number of different discovery mechanisms that reveal where OpenClaw is installed. Customers using Falcon endpoint security modules have powerful visibility to investigate full process trees of OpenClaw executing system tools, and detection and prevention capabilities to stop malicious executions, whether triggered by injection or by hallucinations.

All CrowdStrike endpoint customers have visibility into OpenClaw running on local machines via the AI Service Usage Monitor dashboard in CrowdStrike Falcon® Next-Gen SIEM. This visibility comes from observed DNS requests to openclaw.ai and also reveals the third-party models that OpenClaw may use.

Figure 1. Falcon Next-Gen SIEM dashboard showing a test instance of DNS requests to AI domains

Organizations using CrowdStrike Falcon® Exposure Management, CrowdStrike Falcon® for IT, and CrowdStrike Falcon® Adversary Intelligence can gain visibility into OpenClaw deployments both inside and outside the enterprise. For internal visibility, Falcon Exposure Management, using Falcon for IT, can inventory OpenClaw packages on hosts through agent-based inspection. This allows security teams to identify where OpenClaw is installed across managed endpoints, with findings surfaced centrally in the Falcon Exposure Management console. This visibility is particularly important given OpenClaw’s tendency to be deployed informally outside standard software distribution workflows.

Figure 2. Falcon Exposure Management Applications view showing the OpenClaw NPM package inventory and associated asset details

Visibility extends beyond the internal environment. Falcon Exposure Management’s external attack surface management (EASM) capability can enumerate an organization's publicly exposed OpenClaw services, identifying instances that are reachable from the internet due to misconfiguration, port forwarding, or cloud security group errors. Falcon Adversary Intelligence reveals publicly exposed OpenClaw services across the internet, and recent observations have identified a growing number of internet-exposed OpenClaw instances, many of which were accessible over unencrypted HTTP rather than HTTPS. These insights help security teams quickly prioritize exposed deployments that present a higher risk of interception and unauthorized access.

Figure 3. Falcon Adversary Intelligence interface displaying External Attack Surface Explore data for an internet-exposed OpenClaw service

Together, internal package inventory and external exposure identification through EASM enable organizations to answer two critical questions: Where does OpenClaw exist within the environment? Which instances are exposed to external interaction? Once identified, CrowdStrike Falcon® Fusion SOAR workflows can operationalize this visibility by triggering alerts, investigations, or automated response actions when OpenClaw is detected. This closes the gap between discovery and response and sets the foundation for managing risk.

Remediation with Falcon for IT

Through the OpenClaw (Clawdbot) Search & Removal Content Pack, Falcon for IT delivers enterprise-wide detection and removal of OpenClaw from affected systems.

New Content Pack Available: OpenClaw (Clawdbot) Search & Removal

The OpenClaw Search & Removal Content Pack is now available in Falcon for IT, giving IT and security teams a fast, scalable way to identify and remediate this emerging risk across their environment. As adversaries continue to weaponize automation and bot-driven persistence, rapid visibility and decisive response are essential for minimizing exposure and operational impact. Falcon for IT delivers this through the Falcon for IT Content Library, allowing teams to seamlessly import and operationalize emerging content without custom scripting or manual effort. By transforming intelligence into actionable detection and remediation workflows, Falcon for IT enables organizations to move from insight to action and respond rapidly at enterprise scale.

Figure 4. Screenshot of content pack for OpenClaw Search & Removal

Remove OpenClaw from Affected Systems

When OpenClaw is discovered running in an environment, Falcon for IT provides workflows that can eradicate OpenClaw components, services, and configuration. The removal workflow operates in two phases to provide thorough cleanup while avoiding changes to unaffected systems.

During detection, the workflow checks for:
  • running processes
  • NPM global installations
  • binary installations in common paths, including /opt, /usr/local/lib/node_modules, and Program Files
  • system services, including systemd, launchd, and Windows Services
  • user-level services such as macOS LaunchAgents
  • state and config directories in all user home directories
If no installation is found, it returns "not-found" and exits.

When OpenClaw is detected, the removal phase:
  • stops services and processes
  • uninstalls NPM and Homebrew packages
  • deletes installation directories and binary links from PATH
  • purges service registrations, including systemd units, launchd plists, Windows Services, scheduled tasks, and cron entries
  • removes configuration directories (.openclaw, .clawdbot, .clawhub)
  • cleans up firewall rules
The workflow operates across Linux, macOS, and Windows, returning "removed" when complete.

Figure 5. Falcon for IT interface confirms successful OpenClaw removal on affected hosts
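The detection phase of the removal workflow, as an added example that is not CrowdStrike's content pack: a read-only host check in Python that walks the same artifact classes the article lists (running processes, NPM global installs, system and user service registrations, per-user config directories) and returns "found" or "not-found" without touching anything. The paths and config directory names come from the article; the name patterns matched (`openclaw`, `clawdbot`), the Linux-only procfs process check, and the constructed sample tree are assumptions of this example.

```python
import tempfile
from pathlib import Path

CONFIG_DIRS = (".openclaw", ".clawdbot", ".clawhub")   # state/config dirs named in the article
NAMES = ("openclaw", "clawdbot")                       # assumption: package, unit and process names carry these
INSTALL_ROOTS = ("opt", "usr/local/lib/node_modules")  # Linux/macOS install paths from the article
SYSTEM_SERVICE_GLOBS = ("etc/systemd/system/*.service", "Library/LaunchDaemons/*.plist")
USER_SERVICE_GLOB = "Library/LaunchAgents/*.plist"     # macOS user-level LaunchAgents

def _matches(path: Path) -> bool:
    return any(n in path.name.lower() for n in NAMES)

def discover_openclaw(root: Path, home_dirs=None) -> dict:
    """Read-only detection phase over a filesystem rooted at `root` (Path("/") on a real host).
    Returns {"status": "found"|"not-found", "findings": [(kind, where), ...]}."""
    if home_dirs is None:
        home_dirs = [p for p in (root / "home").glob("*") if p.is_dir()]
    findings = []
    # 1. Running processes: Linux procfs layout, /proc/<pid>/cmdline is NUL-separated argv
    for cmd in root.glob("proc/[0-9]*/cmdline"):
        try:
            argv = cmd.read_bytes().lower().split(b"\0")
        except OSError:
            continue  # process exited or unreadable; not evidence either way
        if any(n.encode() in a for a in argv for n in NAMES):
            findings.append(("process", cmd.parent.name))
    # 2. NPM global installs and binaries in the common install paths
    for rel in INSTALL_ROOTS:
        findings += [("install", str(c)) for c in (root / rel).glob("*") if _matches(c)]
    # 3. System service registrations (systemd units, launchd daemons)
    for pattern in SYSTEM_SERVICE_GLOBS:
        findings += [("service", str(u)) for u in root.glob(pattern) if _matches(u)]
    # 4. Per-user state: config directories and LaunchAgents in each home
    for home in home_dirs:
        findings += [("config", str(home / d)) for d in CONFIG_DIRS if (home / d).is_dir()]
        findings += [("user-service", str(a)) for a in home.glob(USER_SERVICE_GLOB) if _matches(a)]
    return {"status": "found" if findings else "not-found", "findings": findings}

def build_constructed_tree(populated: bool) -> Path:
    """Constructed sample filesystem (not a real host) with one artifact of each kind."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-demo-"))
    (root / "home/alice").mkdir(parents=True)
    if populated:
        (root / "usr/local/lib/node_modules/openclaw").mkdir(parents=True)
        (root / "home/alice/.clawdbot").mkdir()
        (root / "etc/systemd/system").mkdir(parents=True)
        (root / "etc/systemd/system/openclaw.service").write_text("[Unit]\nDescription=demo\n")
        (root / "proc/4242").mkdir(parents=True)
        (root / "proc/4242/cmdline").write_bytes(b"node\0/usr/local/lib/node_modules/openclaw/index.js\0")
    return root
```

On a live Linux host, `discover_openclaw(Path("/"))` reports the same four artifact classes; Windows locations (Program Files, Windows Services, scheduled tasks) are not covered by this example.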
Prompt Injection and OpenClaw’s Agentic Blast Radius

The first-order threat posed by prompt injection attacks is sensitive data leaks, which are a significant security concern for OpenClaw, given its potentially expansive access to sensitive files and systems. The second-order threat posed by prompt injection with agentic software such as OpenClaw is that successful attacks can allow an adversary to hijack the agent’s reachable tools and data stores and ultimately assume its powers. CrowdStrike maintains the industry’s most comprehensive taxonomy of prompt injection techniques spanning both direct and indirect prompt injection methods, which is continually updated by our research team as new techniques are discovered.

Figure 6. CrowdStrike’s taxonomy of prompt injection methods

Agentic AI systems can autonomously execute actions, call external tools, and chain multiple operations together to accomplish complex tasks. This autonomy creates new attack vectors. Through agentic tool chain attacks, adversaries can manipulate agents into executing malicious sequences of actions across multiple systems. AI tool poisoning allows attackers to compromise the tools and plugins that agents rely on. A successful prompt injection against an AI agent isn't just a data leak vector — it's a potential foothold for automated lateral movement, where the compromised agent continues executing attacker objectives across infrastructure. The agent's legitimate access to APIs, databases, and business systems becomes the adversary's access, with the AI autonomously carrying out malicious tasks at machine speed. This transforms prompt injection from a content manipulation issue into a full-scale breach enabler, where the blast radius extends to every system and tool the agent can reach.

Indirect prompt injection significantly amplifies this risk by allowing adversaries to influence OpenClaw’s behavior through data it ingests rather than prompts it is explicitly given. OpenClaw is designed to reason over and act on external content such as documents, tickets, webpages, emails, and other machine-readable inputs, which means malicious instructions embedded in otherwise legitimate data can be silently propagated into its decision-making loop. Indirect prompt injection attacks targeting OpenClaw have already been seen in the wild, such as an injection attempt to drain crypto wallets, found embedded in a public p
