  • Self-hosted agent runtimes like OpenClaw are showing up fast in enterprise pilots, and they introduce a blunt reality: OpenClaw includes limited built-in security controls.
  • The runtime can ingest untrusted text, download and execute skills (i.e. code) from external sources, and perform actions using the credentials assigned to it.
  • This effectively shifts the execution boundary from static application code to dynamically supplied content and third-party capabilities, without equivalent controls around identity, input handling, or privilege scoping.
  • In an unguarded deployment, three risks materialize quickly:
    - Credentials and accessible data may be exposed or exfiltrated.
    - The agent’s persistent state or “memory” can be modified, causing it to follow attacker-supplied instructions over time.

Article Summaries:

  • OpenClaw, a self-hosted agent runtime gaining traction in enterprise pilots, exposes significant security gaps. The runtime can ingest untrusted text, download and run external code, and act with the credentials it holds, shifting the execution boundary from static application code to dynamic content. In unguarded deployments, attackers can exfiltrate credentials, tamper with the agent’s persistent state, or compromise the host by executing malicious code. Microsoft recommends treating OpenClaw as untrusted code, running it only in isolated environments, such as dedicated VMs or separate hardware, using non-privileged credentials and limiting data access. Continuous monitoring and a rebuild plan are essential for safe operation.

Sources: