Microsoft’s AI assistant OpenClaw should not be operated on a standard personal or enterprise workstation, as it has limited built-in security controls. Therefore, it should only be deployed in a fully isolated environment.
OpenClaw is an AI assistant that can perform tasks autonomously for users. To do this, users must give the AI assistant full access to their computer and software, including email, files, and online services, as well as login details.
According to Microsoft, this means that credentials and accessible data may be exposed or exfiltrated. In addition, the agent’s persistent state or “memory” can be modified, causing it to follow attacker-supplied instructions over time.
Lastly, the host’s environment can be compromised if the agent is induced to retrieve and execute malicious code or malware.
“Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation,” Microsoft’s Defender Security Research Team said in a blog post.
Organizations that really want to test and evaluate OpenClaw should do so in a fully isolated environment, such as a dedicated virtual machine or separate physical system.
“The runtime should use dedicated, non-privileged credentials and access only non-sensitive data. Continuous monitoring and a rebuild plan should be part of the operating model,” Microsoft recommends.
According to the Redmond-based tech company, there are two main types of security problems with OpenClaw. First, attackers can hide malicious instructions within content an agent reads, which can either steer tool use or modify its memory to affect its behavior over time, unless users put strong boundaries in place. This is called an indirect prompt injection.
Curious what others think about this story? Contribute your thoughts to the debate below.
Secondly, agents acquire skills from a variety of sources, primarily by downloading and running code from the internet, which may contain malicious code. This risk is called skill malware.
Microsoft notes that a successful attack doesn’t always have to involve the installation of malware, but can also involve subtle configuration changes.
Recently, the SecurityScorecard STRIKE Threat Intelligence Team identified tens of thousands of exposed OpenClaw instances, putting users at risk of account takeover.
A study identified over 42,000 unique IP addresses hosting exposed OpenClaw control panels with full system access across 82 countries. Approximately 50,000 exposed instances were vulnerable to remote code execution (RCE), meaning attackers can take control of the host’s machine.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked