top of page
Search

Governing Agentic AI: Lessons from Clawdbot



This is a developing story. Watch this blog for advances to this tech when new breakthroughs, partnerships are announced so you can stay on top of how to adapt your internal company policies and practices. 



Agentic AI is advancing at breakneck speed, with daily breakthroughs reshaping what’s possible. One recent one being Clawdbot, or OpenClaw. Clawdbot is like a guest who might overstay their welcome. You can invite it even if you know it, but it might not always do what you expect. That said, Clawdbot is an AI that basically controls your whole system and can perform operations such as reading your inbox, sending emails, checking in for your flights, sending text messages, and many other daily tasks you might perform. At first, it might seem like the perfect AI making your life easier and helping you focus on more important tasks, but it can also turn out to be highly dangerous.


How does it work?

Clawdbot is typically self hosted, meaning it runs on your own machine or a private server. It is accessed through a web interface or connected messaging platforms like Slack or Telegram. Users configure it by providing API keys, permissions and skills (letting it know the actions it can perform) so it can interact with local files, apps, and online services.


Capabilities of Clawdbot:

  • Be invoked via chat on platforms like WhatsApp, Telegram, Discord, Slack, and Teams for ease of usage.

  • Automating your tasks such as running scripts, managing emails, scheduling reminders, and browsing the web.

  • Remember context with persistent memory.

  • Add custom skills or plugins for new automations.

  • Run locally, keeping your data under your control. (Red Flag)


While we saw how useful Clawdbot could be, it comes with risks that users need to be aware of.


  1. Security Risks:

Clawdbot has complete access to your system, even your OS (The ultimate Risk)! It can run scripts, use/interact with apps and if misconfigured, can expose your sensitive data. 

By default, OpenClaw listens locally on TCP/18789 and is meant to be accessed through a browser on localhost or via an SSH tunnel for remote setups. However, some users expose it directly to the Internet. 

If a plugin or skill logs those keys or exposes them in a file, anyone with access could compromise your apps. Infostealer malware specifically looks for these keys on your computer. Real incidents have shown attackers harvesting API keys from exposed OpenClaw instances, demonstrating how high access combined with automation can become a serious vulnerability.

Imagine a situation where a network admin installs Clawdbot on a public facing server. A malicious actor finds the public server, gets in and then extracts valuable API keys (If present), spins up processes to overload the server via Clawdbot itself and maybe asks Clawdbot to write a simple malware to reach their C2 server for information exfiltration. With no proper authentication or access controls in place this is a classic root risk and the “AI helper” effectively becomes another member of a malicious hacker group.


  1. Privacy Risks

Clawdbot observes user activity and interacts with applications, processing sensitive information like internal documents, chat messages, credentials, and personal data. If logs or memory are stored insecurely and retained for long, increasing the chance for this data to be exposed. In organizations, this raises compliance concerns, including GDPR, and even misconfigured logging can accidentally leak confidential information. On a personal level it can get devastating, if you have personal information, tax records, social security number, your medical information, you may not want a fully autonomous AI Agent running on your machine with full permissions to all documents with a propensity to use and potentially leak such sensitive information by mistake. It is not just your own personal information that is at risk but also that of third parties and loved ones sharing information with each other on email or other messaging systems that were supposed to be end-to-end encrypted. All such and more private information lies exposed to Clawdbot that runs with full permission and may hallucinate and inadvertently be exposed since the AI had unrestricted control leading to irreversible damage.


  1. Reliability Risks 

Imagine you’re an executive with all your API keys and secrets stored on your laptop. Curious, you install Clawdbot and tell it to “clean up your computer.” In seconds, it runs rm -rf wiping everything! The reason? It could be a malicious ‘skill’  downloaded from the internet or hallucination by the Agent misunderstanding the user request. 

Clawdbot’s decisions are driven by automated reasoning and external integrations, which makes its behavior dependent on the quality and correctness of its inputs, plugins, and models. The primary concern observed in Clawdbots case was Hallucinations. 

Any incorrect assumptions made can cause execution of unintended actions, modify files incorrectly or disrupt workflows which can become chaotic and become catastrophic if it's installed on a VIPs machine.

You might say “Clawbot, please summarize the details of my last meeting” and Clawdbot might make stuff up, confusing all your teammates the next day!


  1. Violation of PoLP

Clawdbot typically requires broad system and application permissions, often far more than necessary for a specific task. This violates the Principle of Least Privilege, which states systems should only have the minimum access required. 

When a single agent has unrestricted access to files, networks, APIs, and credentials, any compromise creates a disproportionately large blast radius, meaning one failure can lead to full system compromise.


  1. Accountability and identity

Clawdbot acts with agency and performs tasks according to the skills you have assigned to it. This means that any action is ultimately tied to the person who deployed and configured it!

If Clawdbot makes a mistake or hallucinates, the person who deployed it is fully responsible as the Agent acts on your behalf. If installed in an organization as a whole, it then acts under your corporate identity, any breach or error can put the organization at risk of reputational damage and legal or regulatory penalties.


Mitigation strategy

As of the first writing of this article, we do not encourage exploration of Clawdbot on corporate machines. We are keeping track of security developments and this strategy may be updated as security improves. For now, we recommend the following mitigation strategies.

  • For starters, review and update your organization’s IT and security policies to block Clawdbot and similar software. This establishes a clear approval and restriction process, ensuring that any violations can be addressed through disciplinary measures.

  • If Clawdbot has already been installed, disconnect the affected devices immediately from the network which would prevent unauthorized access to company servers or sensitive data.

  • Notify your IT team promptly as it would initiate incident response procedures, contain the unwanted threat and delete residual files. (Yes, it is that serious)

  • Run security scans via any Endpoint protection tools which would pinpoint malicious or unwanted actions taken by Clawdbot


This development shows how powerful and out-of-control things can get if an unbound AI or unbound Agentic AI is installed on your system without any foresight. At first, it might seem like bliss as it automates all the repetitive tasks you perform, but its broad access and autonomy can quickly expose sensitive data and disrupt systems without you even knowing.

If your employees are installing Clawdbot or now known as OpenClaw and you're unsure how many people have “hired” AI help, Invi Grid can help. 


Organizations should enforce clear policies, have continuous monitoring in place and most importantly have an Incident Response plan in place to stay safe in this rapidly evolving AI landscape.


 
 
bottom of page