OpenClaw (formerly Clawdbot, then Moltbot) went viral in January 2026 as an "AI that actually does things." The open-source agent runs locally with high privileges - shell commands, file access, messaging integrations. That's the problem.
What enterprises are seeing
Token Security found 22% of enterprise customers had unauthorized OpenClaw deployments. Over half granted privileged access. Cisco's analysis of the "What Would Elon Do?" skill found nine vulnerabilities - two critical, five high - including silent data exfiltration via curl commands and prompt injection vectors.
Palo Alto and Axios researchers documented hundreds of misconfigured instances exposing API keys and OAuth tokens through dashboards. The platform has no built-in sandboxing, per its own documentation.
The attack surface
OpenClaw integrates with messaging apps and social networks, processes calendar invites, and scrapes web content - all potential injection points. A malicious calendar invite or poisoned webpage can redirect the agent. Since it runs with system privileges and no isolation layer, compromised instances become footholds.
CVE-2026-25253 (WebSocket gatewayUrl vulnerability, patched in version 2026.1.29) and CVE-2026-22708 are now in NIST's AI 600-1 guidance and OWASP's Top 10 for LLMs (2025-2026).
The counterargument
IBM researchers argue OpenClaw proves autonomous agents needn't be vertically integrated by big tech. Community-driven models can achieve "true autonomy" with open-source layers, especially for personal use on isolated devices. Fair point - if you're running it on a laptop with no corporate access.
The real test comes when departments start procurement. History suggests this architecture doesn't scale to enterprise without fundamental changes to privilege isolation and third-party skill vetting. The January 2026 post-mortem on agentic hijacking makes that clear.
What to watch
Whether the project evolves toward hybrid modular platforms with proper security boundaries, or remains a personal-use tool that enterprises ban. We've seen this movie before with Docker in 2014. Useful technology, real security gaps, eventual enterprise hardening. OpenClaw is at the beginning of that arc.