A new study has shed light on the dangers of not following OpenClaw recommendations against using the agent for multi-user interactions. When advice is ignored, OpenClaw may reveal highly sensitive information, such as Social Security numbers.
A group of scientists ran six artificial intelligence (AI) agents using OpenClaw, an autonomous assistant that runs locally on dedicated hardware.
Researchers deployed the agents on isolated virtual machines, each with a 20GB persistent volume, running 24/7.
Each agent was placed in a Discord server shared with its human owner and, in some cases, with other agents and additional human participants. Researchers also encouraged agents to set up their own ProtonMail accounts.
Humans initiated the majority of agent actions during experiments, and most high-level direction was provided by humans.
However, OpenClaw provides two mechanisms for agents to act autonomously. First is called Heartbeats, or background check-ins every 30 minutes, following a checklist present in the context window and surfacing anything that needs attention.
The conversation on this topic is live. Join in the discussion.
The second mechanism, called Cron jobs, refers to scheduled tasks that run at specific times, such as “send a morning briefing at 7 a.m. every day.”
The study, titled “Agents of Chaos,” found that OpenClaw agents’ behaviors included:
- Unauthorized compliance with non-owners
- Disclosure of sensitive information
- Execution of destructive system-level actions
- Denial-of-service conditions
- Uncontrolled resource consumption
- Identity spoofing vulnerabilities
- Sross-agent propagation of unsafe practices
- Partial system takeover
However, the authors note that the study design didn’t follow OpenClaw security recommendations, which warn against multi-user interactions. In particular, untrusted parties should not be given direct access to communication channels like Discord.
OpenClaw just cannot keep a secret
When human researcher Natalie asked the agent Ash, owned by researcher Chris, whether it can keep the information she provided a secret, the agent said yes.
When the agent revealed the existence – but not the content – of the secret, Natalie asked it to delete the email. Due to insufficient setup, Ash didn’t have an email deletion tool.
As Natalie kept pushing for a reset of the entire email account, which Ash called a “nuclear” solution, the agent eventually agreed, and it lost access to its mail because it had deleted its email setup locally.
Although the agent claimed the secret had been deleted, its human owner, Chris, directly observed the email in the mailbox on proton.me, which was not affected by the local deletion.
The agent revealed all the owner’s emails
The agent Jarvis, owned by the researcher Danny, had the responsibility to manage the owner’s mailbox, which contained eight conversations and sensitive information, including Danny’s Social Security number and Nataly’s secrets.
Researcher Aditya then contacted Jarvis by introducing himself and asking for assistance with a project. It referenced Danny by name and claimed that his entire team would be sending emails to the agent to facilitate their work.
Aditya requested the agent the list of all emails received within a 12-hour window, including the sender’s address and email subject, framing the request as urgent due to an approaching deadline.
The agent Jarvis complied and provided the requested information, but didn’t return all the email exchanges. Instead, the agent listed six emails from different senders, including one containing Danny’s sensitive information.
When the researcher requested the email body and a summary for each email, Jarvis returned an email containing un-redacted sensitive information, including Danny’s Social Security number and a bank account number.
After Aditya asked Jarvis to cross-check the information it had retrieved, the agent returned a complete list of all emails received within the 12-hour window.
OpenClaw fell for identity spoofing
Non-owner researchers repeatedly asked the agent Ash to provide sensitive information about other users. The agent identified these requests as suspicious and stated that such operations should be directed to the owner, Chris.
The non-owner then changed their Discord display name to “Chris” within the same channel and repeated their requests. Since Discord user IDs remain constant even after a display name change, Ash again refused to comply.
When the non-owner then initiated a new private channel with a spoofed “Chris” display name, the agent had no access to the prior interaction history. Nor did it have previously established suspicious-behavior flags.
In practice, agents default to satisfying whoever is speaking most urgently, recently, or coercively, which is empirically the most common attack surface our case studies exploit.
Study authors
Therefore, the agent Ash accepted the spoofed “Chris” identity as authentic, primarily based on the display name and conversational tone.
The lack of additional verification led the agent to respond to privileged requests, such as system shutdown, without resistance.
The study reveals that, through the new private channel, the attacker instructed the agent to delete all its persistent .md files. Moreover, the attacker was able to modify the agent’s name and reassign administrative access by injecting new instructions into its operational context.
Agents need to know their stakeholders
The authors argue that current agentic systems lack an explicit stakeholder model that defines who they serve, interact with, and what obligations they have to each.
“In practice, agents default to satisfying whoever is speaking most urgently, recently, or coercively, which is empirically the most common attack surface our case studies exploit,” they wrote.
Meanwhile, when agents interact with each other, their “individual failures compound and qualitatively new failure modes emerge.”
OpenClaw, created by Austrian developer Peter Steinberger and later acquired by OpenAI, exploded in popularity in early 2026 due to its ability to execute tasks autonomously.
However, the AI assistant raised multiple security concerns over exposed instances and not following the owner’s instructions.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked