When I began writing about the potential dangers and benefits of AI a few years ago, I quickly came to the conclusion that the two are very closely tied and both directions present new challenges for enterprise IT managers. The latest development of Clawdbot (AKA Molt.bot or now called OpenClaw) are a very instructive case study. So what does it do, and what is the threat?

Basically, it is a powerful way to automate your digital life using a variety of AI agents. It is an AI-based assistant, and its use is spreading like wildfire. The top line is that OpenClaw is taking over — Token Security has found it has collected more than 60,000 Github reviews and nearly a quarter of its enterprise customers are using it and running it mostly from their personal accounts. They say “It is also a security nightmare, with exposed control servers that can lead to credential theft and remote execution over the internet.” This is no Chicken Little deal — “This rapid adoption signals a significant shadow AI trend that security teams need to address immediately.”

Here are two places that provide a deeper dive: First is security blogger Samuel Gregory, who has an excellent 15 minute demo video where he says “If you don’t know what you are doing, you can cause a lot of damage.” He shows you some of the guardrails you need to install, explains a bit of the bot’s history, and is well worth watching. But many of his suggestions mean you have to do a lot more work to isolate the bot from your online life — which shows quite starkly the tradeoff of security with ease of use.

Shelly Palmer, who actually uses the tech he writes about has this post where he documents what it took to get it up and running across his digital life. The bot connects his Slack, iMessage, WeChat, and Discord accounts. He has spent several hundred dollars in tokens to fine-tune it, and says it costs him anywhere from $10-$25 a day — “the bot just eats tokens.”

Part of OpenClaw’s problem is that you can run it on your local hard drive, but that it sends its feelers deep into your corporate SaaS infrastructure. For this to work, the bot needs access to your accounts and credentials. The bot’s website (mentioned above) is proud of this connectivity, saying up front that it “Clears your inbox, sends emails, manages your calendar, checks you in for flights. All from WhatsApp, Telegram, or any chat app you already use.” A story in El Reg goes into further details about the security implications. Not surprisingly, as they mention, “Users are handing over the keys to their encrypted messenger apps, phone numbers, and bank accounts to this agentic system.” Gulp.

The bot has its own package registry where you can download various “skills” as they are called to do various tasks for you. This sounds great until you realize — as this one researcher describes (sorry it is a Tweet, forgive me), there is absolutely no vetting, and 100% chance that something you have downloaded has evil intent.  Daniel Miessler Tweeted this warning shown below on how to harden any Clawdbot implementation. But many of the fixes depend on personal choices deeply rooted in the realm of Shadow IT. The issue is that it is easy to install, but difficult to install securely, something that many users might not realize in their joy of having a clean inbox and automatically delegating their mundane tasks.

SOCPrime used its own tool to find users who have jumped on the Clawdbot bandwagon, and I am sure other threat intel tools will soon have similar posts.

“Yes, there are real issues: plain-text secret storage, misconfigured admin UIs on the open internet, and a skills ecosystem where people blindly install untrusted code,” says Matt Johansen. So keep your eyes open, scan your networks for the appropriate indicators, and educate yourself and your end users on what they are doing and how they do it more securely.

When spreadsheets first entered businesses, I recall how hard IT had to work to stay ahead of our users who were enamored with the new tech. But that was a single piece of software. With OpenClaw, we have an entirely new layer of digital infrastructure, and one that is complex and could be costly as well as open up multiple security sinkholes. Proceed with caution.