The open source agentic AI assistant OpenClaw, which is accessible through GitHub, is gaining popularity. Dane Sherrets, a staff innovation architect at HackerOne, chose to test the software, like many tech-savvy employees. He set it up on a virtual private server, assigned a Slack channel to the group of apps and agents, and restricted its access to any private information.

OpenClaw impressed even with limited access: Sherrets gave the AI assistant an API key and instructed it to develop the ability to make phone calls, and the AI assistant succeeded in doing so after Sherrets reserved a virtual phone number for it. OpenClaw, however, is "a good preview of things to come...

According to him, "with OpenClaw, practically all of the ways that the model can interact with the system are through both untrusted external input and communicating externally." "It can be attacked using any of the Web requests it can perform, as well as any chat messages it can read and write. It has access to all of your data and can transmit data in those ways.

Skills: Anthropic's Claude Skills, a straightforward technique for connecting particular code and commands with natural language requests, are heavily utilized by the New Vulnerable Supply Chain OpenClaw. Through ClawHub, its open-access skills registry, OpenClaw permits the use of skills.

However, according to Michal Salát, threat intelligence director at cybersecurity company Gen, whose researchers are running multiple instances of the agentic AI assistant in separate testing environments, such extensible architecture adds serious risks by enabling third parties to conceal malicious functionality in the plug-in-like skills. "You need better system design and stronger guardrails if we do want to move forward toward something like JARVIS," he says. "The distinction between security and usability is never entirely clear."

Peter Steinberger, the man behind OpenClaw, implicitly acknowledged the problems but did not reply to requests for comment. "Security is a process, not a product," concludes the OpenClaw website's security discussion. Additionally, lobsters with shell access should not be trusted.