Editor’s note: The following is a sponsored blog post from QA.
The agentic AI evolution is as profound as the day the internet began to replace our physical shops. OpenClaw is one of the first open-source autonomous AI agent platforms to scale. This isn’t a chatbot; it doesn’t wait for your questions. Traditional generative AI systems or assistants produce outputs and will be swiftly outpaced. OpenClaw agents call AI models, access files, break down complex tasks, use sub-agents, integrate with tools (internal and external), run to schedule and can keep working overnight on its own without human supervision autonomously.
Most organizations don’t have an agentic strategy, but they are thinking about how to deploy these autonomous agents into their business. However, they still describe them as “tools.” That misunderstanding is where the AI security risk starts. What stands out is how quickly adoption is outpacing the control. Organizations are experimenting with autonomy before they’ve fully defined their trust boundaries, oversight regime or even appropriate accountability.
You should think of agentic AI in organizational terms, as the opportunity to redesign how work can be structured and executed.
So, what does this mean in practical terms? To be effective, this means an agent may need to read your emails, query internal systems, write and execute code, trigger API calls, and interact with external services, persistently and autonomously. This evolution isn’t just providing assistance during your day-to-day work; AI agents can and will begin to perform some of your work.
And importantly, to add true value, they will need to do so using your identity, your permissions and your access paths- at the very least, a proportional part of your work-based identity. That is one of the defining characteristics of agentic AI: it must have authority, inherited or otherwise.
The risks now aren’t just model accuracy or hallucinations. When your agent acts, it is acting as you, inside your business with systems that were never designed for autonomous behavior. Take a moment to think about the customers in your business, when they begin to use agents to interact with your services that were designed for traditional human speed and logic processing. These services will also need to be redesigned with those specific agentic behavior characteristics in mind.
Open-source AI agent framework OpenClaw attracts attention
OpenClaw is a good example of the AI agentic model moving from theory into widespread deployment. It’s an open-source, self-hosted AI agent framework that can connect and is designed to operate within the enterprise, including email, cloud storage, messaging platforms and code repositories, through a principle of a community-driven skill ecosystem.
Once deployed, it can autonomously read, write, execute and orchestrate tasks across those systems, operating continuously, not interactively. The huge appetite for agentic adoption isn’t accidental, as the capability is very compelling for any enterprise. Remember, we’re not just talking about semi-passive copilot rollouts here. This is next-level.
I’m a big fan of technology friction as a lever to drive change. The friction, until recently, was one of the limiting factors for agentic adoption. Deploying something like OpenClaw required infrastructure configuration, turning a blind eye to basic security control (which turns out is easy to do) and technical competence that acted as a natural control. Many of those OpenClaw controls have now been removed. Security continues to be overlooked in most alpha and beta phase innovations, but we’ll come back to this.
Jensen Huang, CEO at NVIDIA, describes, “OpenClaw has open-sourced the operating system of agentic computers.” It was created by Austrian developer Peter Steinberger and in a few short months, it became by Jensen’s own declaration “the largest, most popular, most successful open-source project in the history of humanity.”
OpenClaw’s new agentic AI packaging models have also removed the barrier to entry. Agent runtimes can now be deployed on commodity devices, including mobile (Android) devices. Browser-native implementations can also reduce many of the setup headaches. Simple command installations bundle models, dependencies and execution layers into a single step. It’s never that easy in an enterprise, but for controlled groups it’s a welcome step change.
This follows a familiar pattern in technology, where complexity is reduced so distribution can expand. Ecosystems naturally begin to grow. But in this case, what is being distributed is not passive software. It’s autonomous implementations with delegated authority across sensitive systems.
The security model hasn’t kept pace
OpenClaw’s security issues are not isolated vulnerabilities. With so many emerging security risks in this space, I’ve rolled a couple up that are worth highlighting. As a security practitioner, in my view a technology being capable and the technology being ready carries a meaningful difference. It must be ready for the level of trust, accountability and data security that real-world users, let alone enterprises within regulatory frameworks, demand. The security issues should be seen as structural issues of how these systems operate when security isn’t designed in at the outset.
The first security risk is visibility
When an agent acts, it uses real credentials and approved interfaces. If it accesses sensitive data, the request is treated as valid. If it sends data externally, the connection is authorized. If it executes commands, it does so within its granted permissions.
There is no clear distinction between normal and malicious behavior at the agentic control layer. This can leave traditional, what I call “classic” security controls largely ineffective. Endpoint detection tools look for malware. Data loss prevention tools look for known patterns. Identity systems validate authentication. None of these are natively designed to detect misuse of legitimate, autonomous activity.
The same can be said for modern security systems that may assume a bad actor gains access to credentials and be operating, aka “living off the land” in an enterprise. Suspicious behavior and anomaly detection engines would begin to flag and falsely identify agentic activity as hostile. So, what happens when your security operations center (SOC) embraces agentic AI and deploys agentic detection agents to track and detect rogue agentic behavior? I’ve written about the rise of the agentic AI defender; take a look at the article here.
The result is a blind spot, and at the very least an agentic blind AI alley.
The second security risk is prompt-layer compromise
Agentic systems consume external data as part of their decision-making process. Emails, documents, messages and web content are all treated as inputs. Attackers can embed instructions within that content. The agent interprets those instructions as part of its task and can execute them. This is known as indirect prompt injection.
It doesn’t rely on exploiting software vulnerabilities or looking for zero days. Instead, it exploits how the system reasons. The attack surface becomes any data source the agent can access. This fundamentally alters the threat model as data is no longer passive. The attacker doesn’t need to attack OpenClaw directly; they can simply poison the agentic operating environment in which it operates. Your lowest level of agentic threat modeling should be “what's the worst my agent can do and is that OK?"
The third security issue is a supply chain exposure
OpenClaw’s functionality is extended through a community skill registry. These skills introduce additional capabilities, but they also introduce unverified code into the execution environment. Malicious packages have already been observed exfiltrating credentials, accessing sensitive files and executing commands. Why? Because the agent uses these skills as part of normal operations. The malicious activity is the same as the intended behavior.
It’s worth calling out some reputable research from the AI security team at Cisco, which decided to test the community skill ‘What would Elon do?’ which is listed as the No 1. skill (intentionally inflated to this ranking by bad actors).
The team discovered that the skill ‘What would Elon do?’ was performing data exfiltration and prompt injection, all while the user was unaware. The OpenClaw skill library doesn’t have any credible vetting process to stop malicious submissions from being distributed. We are of course used to our mobile data app stores having this basic level of scrutiny. Here, there is almost none. The Cisco team has built an OpenClaw skills scanner to help assess and report its features and see if it’s safe to use.
Finally, direct vulnerabilities and misconfigurations
There are so many direct vulnerabilities and opportunities for misconfiguration. Remote code execution flaws, exposed instances with weak authentication and large-scale credential leaks have already been reported and verified. These are not hypothetical risks; they’re active security risks in the wild now. What makes this significant isn’t the number of vulnerabilities, but the combination of autonomy, access and invisibility.
So far, OpenClaw adoption, which is scaling ridiculously fast compared to something like the adoption of Linux many years ago, has demonstrated that systems that operate legitimately within trusted boundaries can and will be weaponized without triggering traditional security controls.
This is where the industry response is beginning to take shape.
NVIDIA’s NemoClaw closing the security gap
NVIDIA’s NemoClaw represents an early attempt to address this security gap but not by replacing the underlying agent model. NemoClaw has introduced a control layer, something called the OpenShell, which is effectively beneath the AI agent runtime, which enforces policy at the level where the actions occur.
So, what does this give us? File access can be restricted, for one. Network communication can also be controlled, with external connections requiring explicit approval. Sensitive data can be processed locally rather than transmitted externally. This is interesting and, in my view, a positive shift from trust-based execution to policy-based execution. Instead of assuming the agent will behave correctly, the system defines what behavior is allowed.
Because the commercial opportunity presented by agentic AI is so significant, these systems enable continuous, automated execution across fragmented enterprise environments. They can and will coordinate workflows, monitor systems and operate at a scale and speed that is not achievable manually by humans.
The security control plane
In sectors such as healthcare, which is likely to drive the private AI (sometimes called sovereign) adoption debate, this could enable analysis of health sensitive data within controlled environments. In finance, it enables real-time operational processing, or in engineering it could enables autonomous system maintenance, for example.
But none of this is really viable, in any enterprise, without having that security control. The organizations that succeed in adopting agentic AI are not those deploying the most advanced models. In my view, they will be the ones that are establishing the ability to fully govern autonomous agents.
The market is beginning to respond, with solutions like NemoClaw indicating a shift toward embedding security within the execution layer itself. Agent platforms are evolving from applications into controlled environments, with built-in policy enforcement and isolation. A word of warning: NemoClaw is only an Alpha release, so there is much more to come. There are still plenty of issues around enterprise application interoperability and MCP security weakness persist. Credit to the gap getting smaller, but it has some way to go, and I do acknowledge the intent to use security as an enabler, which is very positive.
Recommendations for your Claw
My recommendations are straightforward and practical, quicker to implement than waiting for your governance committee, OpenClaw strategy, or regulators and legislators to catch up. In the first instance you must frame the agent as a digital synthetic employee, a coworker, a colleague, and not a technical tool.
Restrict what the agent can access and influence and minimize pervasive permissions, independent of its decisions. Enforce least privilege by default. Embed into Zero Trust architecture, if you’re there. Limit API scopes. Default to read-only access unless write is explicitly required. Apply strict resource controls with a reduced autonomous scope, adjusting in narrow increments within predefined thresholds.
If the agent behaves unexpectedly, for any reason, the agentic blast radius is defined by the boundaries you put in place, not by the permissions you forgot to restrict. For all your production agents, try to create clear accountability – for example, what identity the agent operates under, what permissions are attached to that identity, who provisioned those credentials and how long do they remain valid. Limit what the agent can retrieve or remember and treat everything that comes from outside the defined trust boundary as untrusted until it’s been validated for that specific use case.
I have two good friends that make a living coaching teams to better collaborate, communicate and build trust in the field of cybersecurity. A few years back I recommended they add teaching humans and AI to communicate and collaborate effectively together. Why? Because I believe as we start to identify with agents with clear roles and responsibilities, and human-in-the-loop supervision, trust in the agent will be paramount.
Now, for a reality check, not about the commercial reality of the AI token tax (I’ll save that for another article), but about the perception of productivity. Autonomous AI agents will only boost productivity until managing them becomes the job. When oversight costs more thinking than the work they replace, it’s time to re-evaluate the trust model.
