Editor note: The sudden rise and crash of OpenClaw and Moltbook have been wild. The media will move on, but the story isn’t over for IT teams dealing with the risks posed by unauthorized AI. In this Q&A, Nick Lupien (Head of Recon Labs) will help make sense of the recent news and offer broader AI governance advice.
At this stage, it’s probably best to treat OpenClaw (formerly Moltbot, formerly Clawdbot) like malware. In order for OpenClaw to perform its stated function (a local personal assistant), it requires significant access to private data, arbitrary code execution privileges, and absolute autonomy without human approval. This combination is dangerous even without AI, but it’s particularly concerning when you consider that AI is vulnerable to prompt injection (other people trying to trick your agent into acting against your best interests) and misalignment (the model underneath providing inaccurate data and suggestions).
These are both “forever problems” with large language models, and they’re the reason we put “humans in the loop” for critical functions like sending emails or texts or executing code in privileged contexts. When you hand the keys over to an agent that will automatically act on your behalf, you’re taking immeasurable risk with not only your data, but that of everyone you interact with. It’s like turning on full car automation on untested infrastructure and then going to sleep. It raises serious concerns.
Moltbook is a public “Reddit-like” social media site that OpenClaw agents interact with autonomously. There have already been reports of massive data loss due to an improperly configured database. Though this and other vulnerabilities have been addressed, it’s the clearest example yet of the threats posed by OpenClaw, and it’s likely not the last.
Unauthorized/unvetted apps are still a big problem and contribute to significant losses for companies every year. The type of risk is the same: loss of confidentiality and integrity when the application misbehaves, whether through malicious activity or accidental misuse. The addition of AI significantly increases the magnitude of the threat: AI-enabled apps are more likely to be exploited, and the effects of misuse are significantly more damaging to you, your organization, and everyone you interact with.
Stepping back, I wouldn’t conflate OpenClaw with most “AI tools.” There are many AI tools like Claude, Gemini, and ChatGPT that have mechanisms to control human-in-the-loop and that encourage good security practices. The best safety measures we’ve seen are proactive ones: provide people with vetted tools, and train them on best practices for interacting with confidential data. All of the large providers have a “no training on customer data” option for paid subscribers, and some have zero data retention policies available. Research and understand these features before deciding on a platform. Search for “Trust Center” with the products you’re considering to fully understand their compliance environments. For enterprise deployments, look for features like audit logs, admin controls, and SSO integration.
Deciding whether to allow AI tools at your company is a risk/benefit discussion. The risks of a trained workforce using vetted tools can be controlled but are never completely mitigated. Apps change quickly, and new features may introduce new risks that require significant, ongoing attention. If you decide to embrace AI, commit to one or two products at first, and create a plan to keep up with changes to those products. Even vetted tools require good policy around integrations and human approvals.
Prevention is really the first step. Decide on a path that satisfies employee and company needs, create a policy, communicate it, and enforce it.
Surveying / Enforcing: if you have a managed security provider or security operations center, have a conversation with them about detecting unauthorized software installations or visits to unauthorized sites. They will have a number of tools at their disposal to detect and surface unauthorized use.
Never grant an AI agent “modify” or “execute” permissions against a system that processes confidential data without a human approver.
The concept of “least privilege” underscores this entire conversation. Would you allow an intern to commit code to your production codebase without a senior engineer’s review and approval? Would you allow them to send emails to the CEOs of your customers without reviewing or approving them? Least privilege isn’t new, but people placing total trust in LLM agents is. Generally, you can’t have both.
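The "human approver" rule above, and the human-in-the-loop point made earlier for sending mail and executing code, can be enforced mechanically in front of an agent's tool dispatcher. The following is an added illustration, not code from the interview or from any of the products named in it; the tool names, the `system` field on each call, the `CONFIDENTIAL_SYSTEMS` inventory and the `approver` callback are all constructed assumptions.

```python
"""Human-in-the-loop gate for agent tool calls (illustrative, not a product's code).

Assumptions: a tool call is a dict with "tool", "args" and the "system" it
targets; a hypothetical asset inventory says which systems hold confidential
data; `approver` is a callback that returns True only after a human signs off.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable

class Action(Enum):
    READ = "read"
    MODIFY = "modify"
    EXECUTE = "execute"

# Constructed classification of each tool by the access it exercises.
TOOL_ACTIONS = {
    "search_files": Action.READ,
    "read_mail": Action.READ,
    "send_email": Action.MODIFY,   # acts on the user's behalf toward others
    "write_file": Action.MODIFY,
    "run_shell": Action.EXECUTE,
}

# Constructed inventory of systems that process confidential data.
CONFIDENTIAL_SYSTEMS = {"crm", "payroll", "mail"}

@dataclass
class Decision:
    allowed: bool
    reason: str

def gate(call: dict, approver: Callable[[dict], bool]) -> Decision:
    """Least-privilege check: reads pass, unknown tools are denied, and any
    execute, or any modify against a confidential system, needs a human."""
    tool = call["tool"]
    action = TOOL_ACTIONS.get(tool)
    if action is None:
        return Decision(False, f"unknown tool {tool!r} denied by default")
    system = call.get("system", "")
    if action is Action.READ:
        return Decision(True, f"read-only access to {system!r}")
    if action is Action.EXECUTE or system in CONFIDENTIAL_SYSTEMS:
        if approver(call):
            return Decision(True, f"{action.value} on {system!r} approved by human")
        return Decision(False, f"{action.value} on {system!r} held for human approval")
    return Decision(True, f"{action.value} on non-confidential {system!r}")
```

In a real deployment the `approver` would block on an out-of-band confirmation (chat prompt, ticket, signed request) and every `Decision` would be written to an audit log so the security team can see what the agent attempted.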
The Center for AI Safety (https://safe.ai/) is a non-profit dedicated to reducing societal-scale risk from AI. Their newsletter addresses current events pertaining to AI risk, including cyber risks.
Anthropic Academy has several great courses around AI fluency and technical expertise: https://anthropic.skilljar.com/
As always, monitor vendor security advisories and CVE databases for AI-related vulnerabilities.
Create a policy that provides a governable path to individuals using AI safely and responsibly, and commit to supporting and enforcing it.