Be Very Careful with AI Agents!

ByMike Moffit

AI agents—software that can take actions on your behalf using artificial intelligence—are having a moment. The appeal is obvious: imagine a robot butler that triages your inbox, manages your calendar, and handles tedious tasks while you focus on more important work.

That’s the promise driving the recent surge in popularity of OpenClaw (formerly known as Clawdbot and Moltbot), which is now all the rage in tech circles. Token Security found that at least one person is using it at nearly a quarter of its enterprise customers, mostly running from personal accounts. That’s a shadow IT nightmare—employees connecting work email and Slack to an unsanctioned tool that IT doesn’t know about and can’t monitor. Whether you’re an individual tempted by OpenClaw’s promise or a manager wondering what your users are up to, you need to understand the risks these AI agents pose.

OpenClaw is an AI agent built around “skills”—installable plugins that let it integrate with your messaging apps, email, calendar, and more. You communicate with OpenClaw via Messages, Slack, WhatsApp, and similar apps. Because it’s open source, you’ll need to provide your own API keys for AI services like OpenAI or Anthropic, which means ongoing costs that can add up quickly—people have reported spending $10–$25 per day.

The more serious problem? Security researchers have discovered serious vulnerabilities, including misconfigured instances exposed to the internet that leak credentials, API keys, and private messages, and a supply chain vulnerability where malicious skills uploaded to the ClawdHub library can execute arbitrary commands on users’ systems. Even beyond specific bugs, OpenClaw’s fundamental design encourages users to grant broad access to sensitive accounts.

Why AI Agents Are Risky

Security concerns aren’t unique to OpenClaw—they apply to any AI agent that acts on a user’s behalf. Here’s what’s at stake:

  • Credential exposure: For an AI agent to send emails, manage your calendar, or post to Slack, it needs your authentication tokens or login credentials. If the agent software stores these credentials insecurely, or an attacker gains control, they could be exposed.
  • Prompt injection: AI agents work by following instructions, but they can’t easily distinguish between prompts and data in the content they use. A class of attacks called “prompt injections” trick AI systems by hiding malicious content in emails, websites, or documents that will be processed. An attacker could embed instructions in an email that would cause your agent to search for and forward email messages containing passwords or financial data, follow links to malware sites, or take other harmful actions. There is currently no foolproof defense against this class of attack.
  • Data exfiltration: An AI agent with access to your email and your computer’s filesystem could be manipulated to extract information from elsewhere on your computer—financial data, customer lists, or personal details—and send it to an attacker.
  • Unvetted extensions: OpenClaw and similar AI agents let users install “skills” or plugins to extend functionality. Libraries that allow users to share custom skills often have minimal or no security vetting, making it easy for attackers to submit poisoned skills. Installing such a skill could grant malicious code access to everything your agent can touch.
  • Exposed control interfaces: Security researchers found OpenClaw control servers exposed on the Internet, potentially leaking API keys, VPN credentials, and conversation histories. This risk is unique to OpenClaw at the moment, but future AI agents may suffer from similar vulnerabilities, particularly as they’re adopted by less technically savvy users.

How to Reduce Your Risk

We’ll come right out and say it: we strongly recommend against installing OpenClaw or other AI agents on your Mac. In a year or so, Apple may have updated Siri to provide many of these capabilities with significantly stronger privacy and security. But for now, just say no.

If you decide to use AI agents despite these risks, here are practical steps to protect yourself:

  • Use dedicated accounts: When possible, create separate accounts specifically for agent use rather than linking your primary personal or work accounts.
  • Limit permissions: Grant the agent access only to accounts it absolutely needs. If you only want help with your calendar, don’t also connect your email and messaging services.
  • Avoid connecting sensitive services: Never connect anything involving money, healthcare, or confidential business information. The liability is too high if something goes wrong.
  • Review agent actions: If the platform offers logs or activity feeds, check them regularly. Look for unexpected messages sent, files accessed, or connections made.
  • Vet extensions carefully: Don’t install skills or plugins from unknown sources, and even with known libraries, look for evidence of others using and reviewing the skills. Treat skills like any other software you’d install on your computer.
  • Keep software updated: Security patches for OpenClaw and similar tools address known vulnerabilities. If you’re running an agent, keep it up to date.
  • Run agents in isolated environments: Technical users should consider running agents in sandboxed environments or virtual machines to limit potential damage.

If you run a business, you should assume that some employees have already installed OpenClaw or will soon, and may have connected their work email and Slack accounts without realizing the associated risks. Here’s what you can do:

  • Educate before it’s a problem: Proactively explain the risks to employees. People are more receptive before they’ve already invested time setting something up.
  • Update acceptable use policies: Make clear that connecting work accounts to unsanctioned AI agents is prohibited, and explain why.
  • Offer sanctioned alternatives: If employees want AI assistance, point them toward safer options that don’t require handing over credentials to sensitive accounts.

What About Claude Cowork and OpenAI Codex?

Not all AI agent platforms carry the same level of risk. Anthropic’s Claude Cowork and OpenAI’s Codex take a different architectural approach from OpenClaw. Rather than requesting authentication tokens for your email, messaging, and other personal services, they operate within their own controlled, sandboxed environments. These systems work primarily with files, code, and data you explicitly place into their workspace, which substantially limits the fallout from an attacker gaining some level of control.

This containment approach reduces risk, but does not eliminate it. Prompt injection remains a concern whenever an AI system processes untrusted content, even inside a sandbox. An AI agent analyzing a malicious document could still be manipulated into taking unintended actions within its allowed environment. Similarly, any code generated by these systems—particularly code that touches the network or executes system commands—should be reviewed carefully to make sure it hasn’t been compromised by prompt injection.

The key distinction is scope. Claude Cowork and Codex are designed to operate within a defined workspace, whereas tools like OpenClaw require standing access to your most sensitive accounts. From a security perspective, a compromised sandbox is a recoverable incident; a compromised email or messaging account may not be.

The Bottom Line

AI agents promise a lot and may provide genuine convenience, but at a cost beyond just paying for API tokens. Before you or anyone in your organization connects an AI agent to sensitive accounts, consider: What’s the worst that could happen if this system were compromised by an attacker? If the answer involves passwords being stolen, private email being exposed, or photos being posted to social media without your knowledge, proceed with extreme caution. If you can imagine a way financial accounts could be accessed or business data stolen, don’t proceed at all.

(Featured image by iStock.com/Thinkhubstudio)

Social Media: AI agents like OpenClaw promise to automate tedious tasks, but recent security vulnerabilities highlight the dangers of using them. Learn the risks and how to protect yourself—and your organization—if you choose to use an agent.

Similar Posts

  • Apple Stands Up The Street

    $50.6 Billion in revenue, $10.5 Billion in net profit and $235 Billion in the bank. Let’s get one thing straight, 99.9% of the companies in the world would love to have those kind of numbers. And while this fell into the range of Apple’s forward-looking guidance, it did fall short of the expectations of the analysts.

    This was the first time in 13 years (!) that Apple posted lower year-over-year sales. Apple saw lower iPhone sales than last year at this time. However, keep in mind that was when the iPhone 6 was at its peak. Nevertheless, Apple sold 51.1 million iPhones and said they are having difficulty keeping up with the demand for the recently released iPhone 5se.

    Mac sales and iPad sales also declined as expected with Apple selling a bit over 4 million Macs and 10.25 million iPads. On the bright side, Services revenue increased 20% to almost $6 billion and “other” products which include Apple TV, Apple Watch, Beats and iPod generated $2.189 billion which is 30% growth.

    Apple’s board of directors both increased the dividend paid on Apple shares to $0.57 which is about a 10% raise and increased their share buy-back program. With Apple being so widely held, this dividend increase makes Apple one of the largest payers of dividends in the world. Since the start of their dividend and share re-purchase program, Apple has returned over $163 billion to shareholders, the majority of that being in the form of share buy-backs.

    Apple’s guidance for the current quarter which ends at the end of June also projects a year-over-year decline in revenues. They forecast sales in the range of $41-$43 billion which is also lower than analysts predicted.

    There is no sugar-coating these results which were for the most part, a miss. Forecasting demand, revenue and margin is tricky and there are a bunch of factors that enter into this calculation and a bunch more that are ready to blow up the forecast. International monetary trends, new product introductions are all a bit of a wild card.

    There is some good news hidden in the report. Apple said that the iPhone enjoys an unprecedented 95% loyalty rate, Apple Pay is seeing 1 million new users a week, 13 million people subscribe to Apple Music and Apple’s installed base is 1 billion devices and growing.

    Apple had a huge hit with the iPhone 6 and that did push sales to a peak level last year. It was an anomaly, however, and Apple’s business is still incredibly strong, just a bit more down to earth. You can’t hit home runs every time at bat! Tim Cook says the product pipeline is strong and I believe him.

    Hey, I didn’t have to come up with a new adjective to describe what Apple did to the street this quarter. That’s a fringe benefit. Putting this all into perspective is important. It is not like Apple is losing money or losing customers. In fact, the opposite is true. In three short months, they made over $10 billion in profit and sold millions and millions of iPhones, iPads and Macs! Now, if Small Dog could just do a tiny fraction of that…

  • BlueAnt Mini Wireless

    No, not some new invasive species, but rather some really cool wireless headphones! BlueAnt audio is one of our newest headphone lines that we have begun to carry here at Small Dog. The “Pump Mini”:http://www.smalldog.com/product/87884/blueant-pump-mini-wireless-hd-audio-sport-buds-purple Wireless HD Audio Sports Buds have become my latest must have! These are lightweight, hold a great charge and come in several colors.

    When I first saw these headphones I was a little skeptical. I actually hadn’t ventured into wireless earbuds before trying these headphones and had heard customer complaints in the stores about different varieties over the last year or so. The biggest issue that I had heard was comfort and how well they stayed in your ears, so I had no idea what I about to experience! I charged up the headphones and tested them out on some morning runs before work and was very pleased with them. I easily connected the headphones to my iPhone and enjoyed great sound out of them. They were comfortable and stayed in my ears easily. I was even able to take phone calls with them and those I was talking to could easily hear me. I also connected them to my Apple Watch and as you might guess, preferred this over carrying my iPhone with me.

    I’ve begun using these earbuds in the office as well with my MacBook Air. I unfortunately have to wear glasses, so I find that many over the ear headphones (and I’ve used countless ones!) inevitably give me a headache from the pressure the headphones put on my glasses behind my ears. Contacts aren’t an option for me so I have found these headphones have begun to serve a truly universal role!