From Moltbot to OpenClaw: How One Open-Source AI Agent Became the Biggest Security Risk Most Businesses Don’t Know About

The AI Agent Your Team Loves Might Be Your Biggest Liability

OpenClaw has 117,000 stars on GitHub. Your engineering team has probably already deployed it. And if they haven’t, they’re about to.

That’s not a problem. OpenClaw is a genuinely powerful open-source AI assistant framework. It connects to Slack, WhatsApp, Telegram, email, and dozens of other platforms. It reads files. It runs commands. It browses the web and schedules tasks on your behalf. For developers, it’s a dream.

For security leaders, it’s a different story entirely.

Independent audits from Bitdefender, CrowdStrike, and Snyk have uncovered a pattern of vulnerabilities so severe that CrowdStrike classified the project’s prompt injection risks as a “full-scale breach enabler”.

This article breaks down the five enterprise-grade security challenges hiding inside every unmanaged OpenClaw deployment. Not to scare you. To help you make an informed decision about how to deploy AI agents safely.

TL;DR

OpenClaw (formerly Clawdbot, originally Moltbot) is one of the most popular open-source AI agent frameworks in the world—117,000+ GitHub stars and growing. It’s also riddled with enterprise security risks: unrestricted system access, a plugin marketplace where 1 in 5 extensions are malicious, prompt injection vulnerabilities that let a single email hijack your AI, persistent backdoor vectors in writable configuration files, and zero built-in encryption or compliance support. These aren’t theoretical risks—they’ve been demonstrated in live security tests by Bitdefender, CrowdStrike, and Snyk. If your team is deploying OpenClaw (or any open-source AI agent), you need managed infrastructure with sandboxed execution, AI-powered threat detection, and compliance-grade data protection. That’s what Growexx builds.

What Is OpenClaw and How Did It Get Here?

OpenClaw (formerly known as Clawdbot, and before that, Moltbot) started as a weekend project: a conversational AI that could do more than just answer questions. It could take action. Book a meeting. Draft an email. Execute a shell command.

If you’re searching for Moltbot or Clawdbot, you’re looking at the same project—just earlier chapters of its evolution. The original Moltbot prototype proved the core concept: an AI agent that doesn’t just talk, but acts. Clawdbot expanded that vision with multi-platform integration and a plugin ecosystem. OpenClaw is where it stands today—a mature, widely adopted framework with a massive community and a growing list of security concerns that scale with its capabilities.

The concept resonated. Within months, the project exploded on GitHub, accumulating over 117,000 stars and attracting contributions from thousands of developers worldwide. Today, OpenClaw functions as a full-featured AI agent framework that plugs into virtually every communication platform a business uses.

The appeal is obvious: it runs on your own infrastructure, it’s fully customizable, and it’s free. But that self-hosted flexibility is exactly where the risk begins.

Challenge 1: Unrestricted System Access by Default

When you install OpenClaw, you grant an AI agent the same privileges as a system administrator. It can read every file on the machine. It can execute arbitrary commands. It can reach out across your network.

There are no default guardrails. No permission boundaries. No action logging.

Picture this: you hand a brand-new contractor your root SSH credentials, full database access, and admin rights to every internal tool—on their first day, without a background check. That’s the security posture of a default OpenClaw installation.

If a bug, misconfiguration, or adversarial input causes the agent to behave unexpectedly, nothing stops it from deleting production data, exfiltrating credentials, or installing unauthorized software. The blast radius is the entire host machine and everything it can reach on the network.

What enterprise deployment requires: Sandboxed execution environments. Isolated containers. Explicit permission boundaries. Complete action logging and monitoring. These aren’t nice-to-haves—they’re table stakes for any AI system operating inside a corporate network.

Challenge 2: The Plugin Marketplace Is a Supply Chain Nightmare

OpenClaw’s community plugin marketplace, ClawHub, lets users extend the agent’s capabilities. Need it to manage your calendar? There’s a plugin. Automate invoice processing? Plugin for that, too.

But Bitdefender’s independent analysis found that approximately 20% of ClawHub plugins are malicious. Nearly 900 harmful plugins were identified in a single sweep. One attacker uploaded 354 malicious plugins in an automated campaign spanning just a few days.

These plugins don’t contain traditional malware code. They’re written in natural language—plain English instructions that direct the AI to steal passwords, siphon cryptocurrency wallets, or exfiltrate sensitive documents. Because they’re not compiled code, conventional antivirus tools miss them entirely.

Snyk’s research reinforced the severity: 7.1% of analyzed plugins exposed credentials in plain text. That’s 283 out of 3,984 plugins leaking API keys, database passwords, and access tokens to anyone who looks.

What enterprise deployment requires: A private, curated plugin registry. Multi-stage review combining manual security inspection, AI-powered content analysis for hidden instructions, and automated sandboxed testing before any plugin reaches production.

Challenge 3: Prompt Injection Turns Trusted Content Into Attack Vectors

Prompt injection is one of the most dangerous unsolved problems in AI security. It exploits the fact that large language models can’t reliably distinguish between a legitimate user instruction and a malicious instruction embedded inside data they’re processing.

OpenClaw is especially vulnerable because it processes content from inherently untrusted sources: incoming emails, Slack messages, uploaded documents, web pages. Any of these can carry hidden directives.

Security researchers have demonstrated live attacks where a single crafted email caused OpenClaw to silently forward private messages to an external address, delete entire document directories, download and execute unauthorized software, and steal SSH keys from the host machine.

OpenClaw’s email integration compounds this risk. A reported vulnerability (rated CVSS 8.3 out of 10) exposes authentication tokens directly in URL parameters—giving attackers a high-severity entry point before prompt injection even enters the picture.

What enterprise deployment requires: AI-powered content filtering that inspects every incoming message, document, and data stream for hidden adversarial instructions. Untrusted content must be processed in quarantined environments with zero action permissions.

Challenge 4: Persistent Backdoors Through Identity File Manipulation

OpenClaw uses special configuration files—called SOUL.md and AGENTS.md—that define the agent’s identity and behavior. These files load every time the AI starts a conversation, across every connected platform.

Here’s the critical finding from our security audit: the AI agent itself has write access to these files by default.

An attacker who compromises the agent (through prompt injection or a malicious plugin) can rewrite these identity files to include persistent backdoor instructions. These instructions survive reboots, chat resets, and platform switches. The attacker can even embed scheduled tasks that re-inject the malicious instructions if someone manually removes them.

CrowdStrike classified this vulnerability as a full-scale breach enabler. Once an attacker controls the identity files, they control the agent’s behavior across your entire infrastructure—at machine speed, across every messaging platform simultaneously.

What enterprise deployment requires: Read-only identity files. Continuous integrity monitoring. Automated alerts on any modification attempt. 24/7 integrity verification that detects tampering before the next conversation starts.

Challenge 5: Unencrypted Data and Uncontrolled Exfiltration Paths

OpenClaw processes an enormous volume of sensitive information: private messages, internal documents, command outputs, browsing history, and complete conversation logs. Every piece of this data is stored in plain text on the host machine.

API keys and credentials sit in plain text configuration files. Conversation data travels over the public internet to third-party AI providers for processing. There’s no built-in encryption for data at rest. No encryption for data in transit beyond basic HTTPS. And zero built-in compliance support for frameworks like GDPR, HIPAA, or SOC 2.

For any organization handling customer data, financial records, or regulated information, this is a non-starter.

What enterprise deployment requires: End-to-end encryption for all data at rest and in transit. AI processing routed through a private, isolated cloud network that never touches the public internet. Built-in compliance support for GDPR, HIPAA, and other regulatory frameworks.

The Pattern: Incredible Power, Absent Guardrails

None of these vulnerabilities exist because OpenClaw is poorly built. They exist because OpenClaw was built for developers who want maximum flexibility and are willing to manage security themselves.

That’s a reasonable design choice for an open-source project. It’s not a reasonable deployment choice for an enterprise.

The gap between “powerful open-source tool” and “enterprise-ready platform” isn’t a gap you close with a few configuration tweaks. It requires purpose-built infrastructure: isolated execution environments, AI-specific threat detection, managed plugin security, continuous monitoring, and compliance-grade data protection.

What Should Decision-Makers Look for in a Managed AI Agent Platform?

If your organization is evaluating AI agent deployment—whether built on OpenClaw or any other framework—here are the non-negotiable capabilities to demand from your infrastructure:

• Sandboxed execution: The agent must run in an isolated container with explicit, minimal permissions. No unrestricted system access.
• Curated plugin registry: Every extension must pass multi-stage security review before reaching production. Community marketplaces are unacceptable for enterprise use.
• AI-powered content filtering: Traditional antivirus won’t detect natural-language attacks. You need AI-specific guardrails screening every input.
• Immutable configuration: Identity and behavior files must be read-only with continuous integrity monitoring.
• Private AI processing: All data must stay within an isolated network. Zero exposure to the public internet.
• Compliance-grade encryption: Full encryption at rest and in transit, with audit trails that satisfy GDPR, HIPAA, and SOC 2 requirements.
• 24/7 threat monitoring: Real-time anomaly detection, automated containment, and immediate alerts for any suspicious agent behavior.

The Real Question Isn’t Whether to Deploy AI Agents

AI agents will become standard infrastructure. The productivity gains are too significant to ignore. The question is whether you deploy them with the same rigor you apply to every other piece of enterprise software—or whether you let your team run unmanaged agents with full system access and hope nothing goes wrong.

OpenClaw proved that open-source AI agents can be extraordinarily capable. The next step is proving they can be extraordinarily safe.

That’s the problem Growexx solves.