Why OpenClaw (Formerly Known as Clawdbot) Is a Wake-Up Call for AI Agent Security

In January, just two months after its launch, an open-source AI assistant called Clawdbot went viral. In a matter of days, the project hit a fever pitch: between January 26 and February 1, its GitHub stars exploded from 9,000 to more than 100,000.

Developers were hooked. The promise was irresistible: a personal AI with “hands.” It could read your emails, browse the web, execute shell commands, and develop new skills on the fly.

But the autonomy that makes it useful is exactly what makes it a liability.

Security researchers quickly discovered the fallout: more than 4,500 instances were exposed to the public internet, and hundreds of malicious “skills” had already flooded the project’s plugin repository. Remote code execution (RCE) vulnerabilities effectively turned any Clawdbot installation into a new attacker foothold.

Further muddying the waters, the project was forced to rebrand twice in a matter of days — first to Moltbot, then to OpenClaw — amid trademark issues. The instability created a perfect opening for crypto scammers and hackers, who hijacked social accounts and published fake plugins to exploit the confusion.

OpenClaw is a modern-age cautionary tale. It’s also a preview of the next great enterprise security challenge. That’s because AI agents aren't just chatting anymore — they’re acting. They need deep access to do their jobs, and that access makes them the ultimate insider threat.

AI agents are the new insider threat

The shift is happening faster than most security teams realize. Gartner projects that 40% of enterprise applications will embed AI agents by the end of 2026, up from under 5% in 2025. According to PwC, 79% of organizations have already adopted AI agents to some degree. Enterprises now face an 82-to-1 ratio of machine identities to human identities.

These agents aren’t mere chatbots. They act. They connect to databases, call APIs, access file systems, send emails, and trigger workflows. They operate with credentials and permissions that let them reach deep into enterprise infrastructure.

According to Palo Alto Networks Chief Security Intelligence Officer Wendi Whitmore, AI agents represent the new insider threat. Speaking to tech news site The Register, she said when attackers compromise an environment today, they’ll no longer only follow the traditional playbook of moving laterally to a domain controller and dumping Active Directory credentials. Instead, they go straight to the internal LLM and start querying it to do the reconnaissance work for them.

“It's probably going to get a lot worse before it gets better,” she said.  

The OWASP Foundation recognized this shift when it released the Top 10 for Agentic Applications in late 2025. The list identifies risks like agent goal hijacking, tool misuse, identity abuse, and rogue agents operating outside their intended boundaries.  

AI agent security is no longer a theoretical concern. Security researchers have already documented real-world attacks exploiting each category.

You can’t secure the AI you can’t see

The fact is that most organizations have no idea what their AI agents are connecting to.

Microsoft's 2026 Data Security Index found that organizations are deploying generative and agentic AI faster than their security controls can adapt.  

The research discovered that generative AI is now involved in 32% of data security incidents. When asked about their biggest challenge, 29% of respondents cited weak integration between data security and data management platforms as their top visibility gap.

This is the foundational problem.  

Agents span clouds, SaaS applications, and on-premises systems. They bypass standard identity monitoring. They create blind spots across the security posture.  

Without visibility into what agents are doing and where they are connecting, security teams are flying blind.

This is where Illumio Insights fills a critical visibility gap. By observing real traffic and communication behavior across hybrid environments, Insights shows how agents, workloads, and services truly communicate — not how teams assume they do.

You can’t build effective security policies for AI agents without first understanding their actual behavior. What APIs do they call? What databases do they query? What services do they reach?  

The answers to these questions must come from observation, not assumption.

Limiting lateral movement for legitimate agents

Legitimate AI agents need network access.  

A sales agent needs to reach the CRM. A support agent needs access to the ticketing system. A coding assistant needs to interact with repositories and CI/CD pipelines.  

Blocking all access defeats the purpose of deploying agents in the first place.

The answer isn’t to block all access. It’s to scope access precisely based on what each agent actually needs.

This is where microsegmentation from solutions like Illumio Segmentation becomes essential. Through segmentation, organizations can limit agents to specific network zones, databases, or services required for their tasks.  

If an agent is compromised through prompt injection or any other attack vector, the blast radius is contained. The agent can only reach what it was explicitly allowed to reach.

The principle is that agents should have the minimum access necessary to accomplish their tasks. Just as every contractor isn’t given full network access, agent permissions should be limited to what they demonstrably need.  

This means that when breaches do occur, they cost significantly less. Attackers can’t pivot from the initial foothold to high-value assets.

How to secure AI agents: visibility first, then enforcement

The right approach to securing AI agents follows a clear sequence.  

Start with visibility. Inventory all agents, the APIs they call, and the data they access. Map their actual communication patterns. Understand what normal behavior looks like.

Then build policies based on what you observe. Apply least-privilege access to every agent identity. Create segmentation rules that allow agents to reach only the resources they need. Replace static credentials with short-lived tokens where possible.

Finally, enforce those policies in real time. Monitor for anomalies. Detect when an agent attempts to reach something outside its allowed scope. Have the ability to contain or shut down agents that behave unexpectedly.

This is the same approach that works for securing any workload. AI agents are simply another workload type, one that happens to be autonomous and potentially more dangerous if compromised.  

The fundamentals of segmentation apply directly: see everything, understand dependencies, build policy based on reality, and enforce boundaries that limit lateral movement.

OpenClaw was the warning. AI agent risk is the reality.

OpenClaw was a warning shot. The vulnerabilities discovered in that project exist in countless AI agent deployments across the enterprise landscape.  

The difference between a contained incident and a catastrophic breach often comes down to one question: when the agent was compromised, what could it reach?

Organizations deploying AI agents need to answer that question before attackers do.  

The path forward starts with visibility into what agents are actually connecting to. It continues with policies that enforce least privilege at the network level. And it results in segmentation that contains the blast radius when something goes wrong.

Your agents are already connecting to things. The question is whether you know what, and whether you have the controls to limit the damage if one of them turns against you.

Worried about everything your AI agents can reach? Try Illumio Insights free today to get complete, real-time observability across your environments.