OpenClaw, the open source agentic AI assistant available from GitHub, continues to attract a growing following.
Like many tech-savvy workers, Dane Sherrets, a staff innovation architect at HackerOne, decided to try out the software. He installed it on a virtual private server, gave the collection of programs and agents its own Slack channel, and limited its access to any personal data. Even with limited access, OpenClaw impressed: When Sherrets reserved a virtual phone number for the AI assistant and gave it an API key with the instructions to develop a capability to make phone calls, it did.
While OpenClaw is "a good preview of things to come ... [when] people will have more autonomous AI agents that are doing more things for them," Sherrets approached the installation with a fair amount of distrust.
"I know it's a vibe-coded project that's only been out for a few months, really like weeks in terms of going viral, so I treat it as like something that's going to get popped, [and] when it does I want to make sure that the blast radius would be very small," he says. "Someone won't be able to hack it and like run away with my like Social Security number or like Google account or contacts."
Related:Attackers Use Windows Screensavers to Drop Malware, RMM Tools
OpenClaw showcases the potential demand for agentic AI assistants, with the number of stars on GitHub growing about 29% per day since Jan. 24, when the open source project — then named OpenClawd — went viral. (Starring a project on GitHub essentially bookmarks the repository and is considered to be a measure of popularity.)
Yet, the project did not start out with a secure design and is still developing a security framework, says Marijus Briedis, chief technology officer at cybersecurity services firm NordVPN. The company's researchers installed OpenClaw in isolated virtual instances and were concerned at how easy the AI agent could go off the rails.
"Its security model assumes a level of user expertise that most people do not possess," he says. "Users familiar with network isolation, permission management, and secure tunneling can mitigate risks. However, for the average user deploying OpenClaw on a home server or low-cost VPS, the default settings are insufficiently secure, and the documentation does not adequately emphasize security."
Compromised in a HEARTBEAT
Because the OpenClaw system processes data from untrusted sources — which can include email, Web pages, and documents, for example — attempts at prompt injection are quite easy to perform. In one demonstration, researchers at AI security firm HiddenLayer directed their instance of OpenClaw to summarize Web pages, among which was a malicious page that commanded the agent to download a shell script and execute it. The shell script appended instructions to its HEARTBEAT.md file, which is executed every 30 minutes by default.
... continue reading