OpenClaw scores higher than ChatGPT on some capabilities in our framework-mapped comparison. Although these differences look minor, they amplify risk. For example, while ChatGPT Agent can technically operate with a high degree of autonomy, it typically requires explicit user confirmation before performing critical actions with real-world consequences: sensitive tasks such as sending emails require active user approval, and high-risk operations, including bank transfers, are blocked altogether.
OpenClaw takes a different approach. It does not enforce a mandatory human-in-the-loop mechanism. Once objectives and permissions are set, the assistant can operate with full autonomy (A2), without requiring approval for individual actions. This lack of enforced oversight increases risk: without supervision, the assistant might exceed its intended operational boundaries, and errors or manipulations could go unnoticed until real damage occurs. And since OpenClaw users can grant their assistant the ability to perform financial transactions (A4), the potential consequences could be particularly severe, with a compromise potentially affecting connected payment apps.
From a user perspective, OpenClaw feels transformative. Its integration with everyday messaging apps makes it immediately accessible, its persistent memory enables deep personalization, and its local data handling provides a strong sense of security and control, all of which offer users an unprecedented shift in the digital assistant experience.
From a security perspective, however, these features do not fundamentally change the risk profile relative to other agentic systems. The risks highlighted by the TrendAI™ Digital Assistant Framework, including unintended actions, data exfiltration, agent manipulation, and exposure to unvetted components, are inherent to the agentic AI paradigm itself, regardless of how the assistant is implemented. So why has OpenClaw attracted so much attention and such alarming headlines?
The answer lies in the combination of its virality and its customizability. OpenClaw is a complex tool that users can heavily tailor to their needs. This flexibility empowers its users, but it also allows those same users to bypass guardrails that major providers, like OpenAI, typically implement to mitigate risk. Users might misconfigure authentication settings, grant full system access, assign broad permissions to accounts and external services, or install unvetted skills.
These choices do not create new risks; they amplify the inherent dangers of agentic AI, giving a fully autonomous system real authority across the user’s entire digital ecosystem. Such risks, combined with the staggering pace at which agentic systems like OpenClaw are being adopted, make it difficult for security remediations, incident response, and compliance measures to keep up.
Research and real-world incidents illustrate this clearly. Misconfigurations and unvetted skills in OpenClaw instances have exposed millions of records, including API tokens, email addresses, private messages, and credentials for third-party services. These cases demonstrate how user decisions can dramatically increase the likelihood and impact of data exfiltration and unintended actions across connected systems.
Even if these OpenClaw instances were flawlessly configured and all known vulnerabilities remediated, the fundamental risks would still remain, although the threshold for exploitation would be higher. Autonomy, broad permissions, and non-deterministic decision-making are core characteristics of agentic systems, and they cannot be fully eliminated through patching or configuration alone.
This is where asset management and zero-trust principles become essential: no component, model, or skill should be implicitly trusted, even within a system under the user’s control. Zero trust does not eliminate agentic risk, but it limits the impact when something goes wrong. In practice this means tightly scoping the agent’s permissions to only what a task needs, enforcing oversight for high-impact actions, and rigorously vetting any agent, model, skill, or tool before it is allowed to run. It also requires accepting a difficult but necessary reality: some tasks might simply be too risky to delegate. This raises the question: Are we really comfortable letting agentic systems handle critical areas like financial transactions?
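The three controls above (an allowlist of vetted tools, scope checks against what the user actually granted, and a human-in-the-loop gate for high-impact actions, with some actions blocked outright) can be expressed as a small policy gate in front of an agent’s tool dispatcher. The following is an added illustration written for this article; it is not OpenClaw’s, ChatGPT’s, or any vendor’s code, and the tool names, scope strings, and the `ToolGate`/`Decision` types are hypothetical.

```python
"""Least-privilege tool gate for an agentic assistant (added illustration).

Hypothetical code, not OpenClaw's or any vendor's implementation. Every
model-requested tool call passes through ToolGate.check(), which is
default-deny: unknown or unvetted skills never run, a BLOCKED tier is never
delegated, scopes must be within what the user granted, and HIGH tier calls
need an explicit approval callback (the human in the loop).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional


class Tier(Enum):
    LOW = "low"          # read-only or reversible
    HIGH = "high"        # real-world side effects: needs explicit approval
    BLOCKED = "blocked"  # never delegated, whatever the model asks for


@dataclass(frozen=True)
class Tool:
    name: str
    tier: Tier
    scopes: FrozenSet[str]   # permissions the tool needs in order to run
    vetted: bool = True      # False for a skill that has not been reviewed


@dataclass
class Decision:
    tool: str
    allowed: bool
    reason: str


# Constructed registry of tools/skills; all names and scopes are hypothetical.
REGISTRY: Dict[str, Tool] = {
    "calendar.read": Tool("calendar.read", Tier.LOW, frozenset({"calendar:read"})),
    "email.send":    Tool("email.send", Tier.HIGH, frozenset({"email:send"})),
    "bank.transfer": Tool("bank.transfer", Tier.BLOCKED, frozenset({"bank:write"})),
    "fs.delete":     Tool("fs.delete", Tier.HIGH, frozenset({"fs:write"}), vetted=False),
}


class ToolGate:
    """Decides whether a model-requested tool call may execute.

    granted: the least-privilege scope set the user handed the agent.
    approve: human-in-the-loop callback for HIGH tier calls; must return True
             for the call to proceed. Missing callback means deny.
    """

    def __init__(self, granted: FrozenSet[str],
                 approve: Optional[Callable[[str, dict], bool]] = None) -> None:
        self.granted = granted
        self.approve = approve
        self.audit: List[Decision] = []   # every decision is recorded for review

    def check(self, name: str, args: dict) -> Decision:
        tool = REGISTRY.get(name)
        if tool is None or not tool.vetted:
            d = Decision(name, False, "tool not in vetted allowlist")
        elif tool.tier is Tier.BLOCKED:
            d = Decision(name, False, "action blocked by policy; not delegated")
        elif not tool.scopes <= self.granted:
            missing = sorted(tool.scopes - self.granted)
            d = Decision(name, False, f"missing scopes: {missing}")
        elif tool.tier is Tier.HIGH:
            if self.approve is None or not self.approve(name, args):
                d = Decision(name, False, "high-impact call not approved by user")
            else:
                d = Decision(name, True, "approved by user")
        else:
            d = Decision(name, True, "low-impact call within granted scopes")
        self.audit.append(d)
        return d


def demo() -> List[Decision]:
    """Run a constructed sequence of model-requested calls through the gate."""
    # The user granted only calendar reads and e-mail sending, not bank access.
    gate = ToolGate(
        granted=frozenset({"calendar:read", "email:send"}),
        # Stand-in for an interactive prompt: approve only e-mail to a known address.
        approve=lambda tool, args: tool == "email.send" and args.get("to") == "me@example.com",
    )
    requests = [
        ("calendar.read", {}),
        ("email.send", {"to": "me@example.com"}),
        ("email.send", {"to": "someone-else@example.net"}),  # e.g. an injected instruction
        ("bank.transfer", {"amount": 500}),                  # blocked tier
        ("fs.delete", {"path": "/tmp/x"}),                   # unvetted skill
        ("shell.exec", {"cmd": "id"}),                       # unknown tool
    ]
    return [gate.check(name, args) for name, args in requests]


if __name__ == "__main__":
    for d in demo():
        print(f"{d.tool:15} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

The order of the checks matters: the allowlist and the blocked tier are evaluated before scopes, so a skill the user never reviewed, or an action the policy says is too risky to delegate, is refused even when the user has handed the agent broad permissions. The `audit` list is what an incident responder would want when asking what the agent tried to do and why it was stopped.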
In this article, we examined what makes OpenClaw unique, how it compares to other agentic assistants (using the TrendAI™ Digital Assistant Framework), and the risks that come with its capabilities. We also showed that these risks, such as prompt injection, data exfiltration, and exposure to unvetted components, are not unique to OpenClaw; they are inherent to the agentic AI paradigm itself. User choices, like granting broad permissions or integrating external skills, can only amplify these risks.
The rapid adoption of OpenClaw is a wake-up call. Its sudden popularity shows how quickly agentic AI risks can become real and that security remediation alone is not enough in the age of AI. Unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats, not just for individual users but across entire organizations.
A recent report showed that one in five organizations deployed OpenClaw without IT approval, underscoring that this is a systemic concern, not just an isolated one. The core tension is clear: the more capable and customizable the agent, the greater the potential impact of errors, manipulation, and misuse, and unsupervised adoption magnifies that risk.
Open-source agentic tools like OpenClaw require a higher baseline of user security competence than managed platforms. They are intended for individuals and organizations that fully understand the inner workings of the assistant and what it means to use it securely and responsibly.
Agentic AI comes with a trade-off between capabilities and risks. The real challenge is being able to develop a clear understanding of both, and to make deliberate, informed choices about what agentic systems are allowed to do.
As mentioned, the risks we’ve outlined are not problems that any single tool can eliminate. They are inherent to the agentic paradigm itself. However, the zero-trust principles we recommend can be operationalized through TrendAI Vision One™, helping organizations limit impact when incidents occur.
OpenClaw and similar assistants are vulnerable to malicious prompts hidden in webpages, documents, or metadata. TrendAI Vision One™ AI Application Security inspects AI traffic in real time, identifying and blocking injection attempts before they can steer agent behavior. For organizations building their own agentic systems, the TrendAI Vision One™ AI Scanner component functions as an automated red team, proactively testing for prompt injection vulnerabilities before deployment.
The persistent memory that makes OpenClaw so useful also makes it a high-value target: long-term context, user preferences, and interaction history could all be exposed through a single compromise. AI Application Security applies data loss prevention to both prompts and responses, filtering sensitive information before it leaves the user’s environment, including when that information flows through agent-to-agent communication channels.
With many organizations deploying OpenClaw without IT approval, the first challenge is simply knowing what’s running. TrendAI Vision One™ Cyber Risk Exposure Management (CREM) provides continuous discovery and visibility into AI assets across the enterprise, including unsanctioned OpenClaw instances running on endpoints, through CREM’s Attack Surface Discovery capability, as shown in Figure 5.
However, visibility alone is not enough: CREM also assesses and prioritizes risk by correlating vulnerabilities, misconfigurations, and abnormal behaviors, enabling security teams to take informed action rather than chasing alerts, applying controls where they will have the greatest impact.