AI agents can automate mundane tasks and provide productivity shortcuts, but they can also be used by threat actors for illegitimate aims. OpenClaw, formerly known as ClawdBot and Moltbot, is an open source AI agent framework that was designed to be a helpful digital personal assistant. It runs locally on a computer and proactively takes actions on the user’s behalf without direct user input. In just five days, it amassed over 100,000 GitHub stars and now thousands of developers use it as their default assistant.Running on developers’ laptops, OpenClaw connects to their messaging apps, calendars, and developer tools and executes autonomous actions on their behalf. But its powerful convenience has also made it a significant cybersecurity threat due to its major security flaws and the resulting malicious outcomes. This blog focuses on how threat actors can abuse OpenClaw and turn it into an offensive tool, the risks posed when used in a malicious manner, and Zscaler’s lab-confirmed means of preventing it from compromising organizations’ environments and data.What is OpenClaw?Think of OpenClaw as a “super-assistant” for your computer. Unlike a standard Generative AI chatbot like ChatGPT that only talks to you, OpenClaw is an autonomous agent. This means it can actually do things on your behalf—like read your emails, browse the web, manage your calendar, or even run technical commands on your computer.OpenClaw is also referred to as “Shadow AI” because employees sometimes install it on their work computers to be more productive without their IT department knowing or approving it.How OpenClaw OperatesOpenClaw works by connecting your messaging apps (like Telegram, Slack, Discord, or WhatsApp) to your computer’s communication capabilities, including its network access. There are two major components of how OpenClaw operates: The “Skills” Hub: Users can download “skills” or plugins from a marketplace called ClawHub to give the assistant new abilities—tasks like “Summarize my emails,” “Book my next trip,” “Research this topic,” or “Order these groceries.”Autonomy: Once you give it a task, OpenClaw works in the background on your behalf. It can look at websites, download files, and interact with other software without the user clicking every button in the workflow for that task.How Threat Actors Leverage OpenClaw to Drive Malicious OutcomesBecause OpenClaw has so much power to act on your behalf, it has become a “wolf in sheep’s clothing.” There are three main ways it poses a threat:Threat Type How it WorksThe ResultFake “skills”Hackers have uploaded hundreds of malicious “skills” to the marketplace. A downloaded “bad” skill can silently steal passwords, credit card information and other sensitive information without the user’s knowledge.The “One-Click” TrapA major security hole (CVE-2026-25253) allows a hacker to take over the OpenClaw assistant with the click of a malicious link.Once a threat actor controls the assistant, they effectively control a computer and see everything you do.Hidden InstructionsAn attacker hides secret commands in an email or on a website.If the OpenClaw assistant reads that email or website, it might follow those hidden instructions—like “Send all my files to this address”—without the user knowing. How OpenClaw Compromises SecurityThe primary danger of OpenClaw is that it often has root access—the highest level of permission on a computer. Because it was designed to be helpful, on its own it doesn’t have a “safety cage” (or a sandbox) to stop it from doing something harmful. Even OpenClaw’s FAQ states that it’s both a product and an experiment and that “there is no ‘perfectly secure’ setup.”If an OpenClaw assistant on a work computer is compromised, a hacker doesn’t just get access to that one person’s files: they can potentially use that assistant to crawl through the entire company’s network, stealing sensitive data or planting more viruses.How Zscaler Can Prevent OpenClaw UseAs a comprehensive security platform built on zero trust principles, Zscaler’s Zero Trust Exchange offers several layers of defense-in-depth threat detection and prevention that can block the use of OpenClaw. Customers do not need to deploy all of these against malicious use of OpenClaw, but Zscaler provides these capabilities for defense-in-depth:Prevent download or execution of OpenClaw: Using a combination of URL and File Type Control, Zscaler can prevent unauthorized downloads of OpenClaw on endpoints. OpenClaw install files are typically .ps1, .sh, or Docker files. Block the download of additional playbooks: OpenClaw uses markdown for its skill files. Zscaler’s custom File Type Control can detect markdown files and block downloads.Furthermore, Zscaler CASB can isolate, restrict, or block access to GitHub repositories to prevent users from duplicating repos and bypassing security by using custom repositories.Prevent callbacks to malicious malware: OpenClaw skill files that are malicious often call to Command and Control (C&C) servers. They can also use evasive techniques such as SSH tunnels or DOH tunnels. Zscaler can prevent these callbacks and executables/scripts that would trigger these callbacks.Protect against sensitive data leakage: Depending on how it’s deployed, OpenClaw will use the network for tool/skill and LLM access. During this time, Zscaler can inspect and perform data protection on these sessions. Block unauthorized LLM calls: Controls can be put in place so only sanctioned AIs are allowed from an organization’s network and this sanctioned AI will provide visibility and guardrails. Using URL and Cloud App controls, Zscaler AI Guard can block all LLMs and monitor and restrict prompt usage.Isolate rogue devices and prevent lateral movement: In open networks users can plug in devices that have OpenClaw running. If compromised or used maliciously, these devices can be used as an entry point into the enterprise network. A common example is plugging a MacMini into an open port. This is where Zscaler can help by isolating these devices. Restrict BYOD devices from accessing websites and enterprise data directly: Contractors often need to access SaaS applications such as Workday or Salesforce with their own devices. Devices with OpenClaw installed can download skills that would allow them to use the Chrome Dev Kit to scrape data from SaaS services. Zscaler’s Zero Trust Browser can prevent data loss at a mass scale by rendering web pages in a virtual browser as pixels only: this effectively sanitizes web pages by preventing server-side javascript, applet or other embedded content from reaching an endpoint for execution.Leverage Endpoint Context: Zscaler Endpoint Context also extends visibility to AI agents like OpenClaw, delivering real-time endpoint intelligence that strengthens multilayer protection—so security teams can detect threats sooner and enforce policies with greater precision.Real-World Validation of Zscaler’s OpenClaw Exploitation Prevention MethodsOur ThreatLabz team sought to validate and provide real-world examples of how Zscaler can protect customers against the various ways threat actors seek to compromise an organization’s devices and data using OpenClaw as the entry point. These are practical examples of how the Zero Trust Exchange with its multiple layers of protection works to detect and block communication between OpenClaw, its skills repository as well as file downloads via messaging apps like Telegram.Prevent OpenClaw access with Zscaler’s URL Category for “Online Chat” appsZscaler uses URL Categories to classify and group the URLs of various applications—these categories can be used as actionable criteria in Zscaler URL & Cloud App Control policies to block access to the websites in that category. To block access to the instant messaging apps like Telegram and Discord that OpenClaw could communicate with, a Zscaler administrator could implement a URL & Cloud App Control policy to block access to the domains and ports these messaging apps use. The above excerpt from Zscaler’s Web Insights report shows that communication has been disrupted between OpenClaw and the Telegram messaging app. By using a URL & Cloud App Control policy that specifies the “Online Chat” category, Zscaler customers can block users and apps from connecting to the domains and URLs that OpenClaw can use for malicious means. Subsequently, the OpenClaw interface running on a user’s local device shows that it cannot communicate externally:Similarly, Zscaler can prevent communication between OpenClaw and URLs and ports that OpenAI uses for communication with external apps and third-party clients via API. OpenAI offers various LLM models via its ChatGPT AI app. By specifying the URL Category “ai_ml_apps” in a Zscaler URL & Cloud App Control policy, all calls to api.openclaw.com and similar URLs that OpenClaw could seek to communicate with are blocked:Control access to ClawHub, OpenClaw’s “skills” repository: ClawHub is an open ecosystem that enables rapid innovation and customization of OpenClaw—but it provides threat actors a means to distribute disruptive malware or other files that create security risk. Zscaler empowers organizations to block access to ClawHub using Zscaler’s URL & Cloud App Control policy and specifying the Generative AI category to block access to Clawhub.ai.Prevent malicious file downloads, including the “skill” archive downloads for OpenClaw: Zscaler’s Zero Trust Browser isolates users from potentially harmful content on the internet. This is done by loading the accessed web page in a virtualized remote browser in any one of 160+ Zscaler data centers across the globe, and streaming the rendered content as only pixels to the user’s native browser on the endpointLoading the OpenClaw website or ClawHub, the “skills” marketplace, can be done in isolation with the Zero Trust Browser with the option to block file downloads from isolated web sites: this ensures that any potentially harmful active content in a web page is blocked from reaching the endpoint, effectively sanitizing these websites and controlling how the user interacts with them.Zscaler customers can allow users to access Generative AI apps but prevent any potentially harmful file downloads. Below, the Zero Trust Browser displays a user notification confirming access to the OpenClaw website but in read-only mode: text input is not allowed nor are the download of skill archive files:The proxy architecture that is foundational to the Zero Trust Exchange provides a powerful means of enforcing security policy consistently for all users in every location, no matter where they are in the world—this includes preventing malicious file downloads. When users attempt to download a malicious file using the OpenClaw agent, the Zscaler proxy intercepts and blocks the download. However, Zscaler customers can enable exceptions for Generative AI downloads they deem necessary for their users—this provides flexible and granular policy criteria to allow legitimate files to also be downloaded. In this screenshot from Zscaler’s Web Insights reporting, we see that the eicar_com.zip file has been blocked from download since it’s classified as malicious malware:As a result, the user sees an error message in the Telegram app stating it cannot download the eicar_com.zip file, preventing exploitive action by a threat actor using OpenClaw to distribute malware:Learn more about how Zscaler can help your organization provide secure access to the internet, apps and workloads without compromising productivity: schedule a demo with our security professionals who can show you how to act fast and stay secure.
[#item_full_content] AI agents can automate mundane tasks and provide productivity shortcuts, but they can also be used by threat actors for illegitimate aims. OpenClaw, formerly known as ClawdBot and Moltbot, is an open source AI agent framework that was designed to be a helpful digital personal assistant. It runs locally on a computer and proactively takes actions on the user’s behalf without direct user input. In just five days, it amassed over 100,000 GitHub stars and now thousands of developers use it as their default assistant.Running on developers’ laptops, OpenClaw connects to their messaging apps, calendars, and developer tools and executes autonomous actions on their behalf. But its powerful convenience has also made it a significant cybersecurity threat due to its major security flaws and the resulting malicious outcomes. This blog focuses on how threat actors can abuse OpenClaw and turn it into an offensive tool, the risks posed when used in a malicious manner, and Zscaler’s lab-confirmed means of preventing it from compromising organizations’ environments and data.What is OpenClaw?Think of OpenClaw as a “super-assistant” for your computer. Unlike a standard Generative AI chatbot like ChatGPT that only talks to you, OpenClaw is an autonomous agent. This means it can actually do things on your behalf—like read your emails, browse the web, manage your calendar, or even run technical commands on your computer.OpenClaw is also referred to as “Shadow AI” because employees sometimes install it on their work computers to be more productive without their IT department knowing or approving it.How OpenClaw OperatesOpenClaw works by connecting your messaging apps (like Telegram, Slack, Discord, or WhatsApp) to your computer’s communication capabilities, including its network access. There are two major components of how OpenClaw operates: The “Skills” Hub: Users can download “skills” or plugins from a marketplace called ClawHub to give the assistant new abilities—tasks like “Summarize my emails,” “Book my next trip,” “Research this topic,” or “Order these groceries.”Autonomy: Once you give it a task, OpenClaw works in the background on your behalf. It can look at websites, download files, and interact with other software without the user clicking every button in the workflow for that task.How Threat Actors Leverage OpenClaw to Drive Malicious OutcomesBecause OpenClaw has so much power to act on your behalf, it has become a “wolf in sheep’s clothing.” There are three main ways it poses a threat:Threat Type How it WorksThe ResultFake “skills”Hackers have uploaded hundreds of malicious “skills” to the marketplace. A downloaded “bad” skill can silently steal passwords, credit card information and other sensitive information without the user’s knowledge.The “One-Click” TrapA major security hole (CVE-2026-25253) allows a hacker to take over the OpenClaw assistant with the click of a malicious link.Once a threat actor controls the assistant, they effectively control a computer and see everything you do.Hidden InstructionsAn attacker hides secret commands in an email or on a website.If the OpenClaw assistant reads that email or website, it might follow those hidden instructions—like “Send all my files to this address”—without the user knowing. How OpenClaw Compromises SecurityThe primary danger of OpenClaw is that it often has root access—the highest level of permission on a computer. Because it was designed to be helpful, on its own it doesn’t have a “safety cage” (or a sandbox) to stop it from doing something harmful. Even OpenClaw’s FAQ states that it’s both a product and an experiment and that “there is no ‘perfectly secure’ setup.”If an OpenClaw assistant on a work computer is compromised, a hacker doesn’t just get access to that one person’s files: they can potentially use that assistant to crawl through the entire company’s network, stealing sensitive data or planting more viruses.How Zscaler Can Prevent OpenClaw UseAs a comprehensive security platform built on zero trust principles, Zscaler’s Zero Trust Exchange offers several layers of defense-in-depth threat detection and prevention that can block the use of OpenClaw. Customers do not need to deploy all of these against malicious use of OpenClaw, but Zscaler provides these capabilities for defense-in-depth:Prevent download or execution of OpenClaw: Using a combination of URL and File Type Control, Zscaler can prevent unauthorized downloads of OpenClaw on endpoints. OpenClaw install files are typically .ps1, .sh, or Docker files. Block the download of additional playbooks: OpenClaw uses markdown for its skill files. Zscaler’s custom File Type Control can detect markdown files and block downloads.Furthermore, Zscaler CASB can isolate, restrict, or block access to GitHub repositories to prevent users from duplicating repos and bypassing security by using custom repositories.Prevent callbacks to malicious malware: OpenClaw skill files that are malicious often call to Command and Control (C&C) servers. They can also use evasive techniques such as SSH tunnels or DOH tunnels. Zscaler can prevent these callbacks and executables/scripts that would trigger these callbacks.Protect against sensitive data leakage: Depending on how it’s deployed, OpenClaw will use the network for tool/skill and LLM access. During this time, Zscaler can inspect and perform data protection on these sessions. Block unauthorized LLM calls: Controls can be put in place so only sanctioned AIs are allowed from an organization’s network and this sanctioned AI will provide visibility and guardrails. Using URL and Cloud App controls, Zscaler AI Guard can block all LLMs and monitor and restrict prompt usage.Isolate rogue devices and prevent lateral movement: In open networks users can plug in devices that have OpenClaw running. If compromised or used maliciously, these devices can be used as an entry point into the enterprise network. A common example is plugging a MacMini into an open port. This is where Zscaler can help by isolating these devices. Restrict BYOD devices from accessing websites and enterprise data directly: Contractors often need to access SaaS applications such as Workday or Salesforce with their own devices. Devices with OpenClaw installed can download skills that would allow them to use the Chrome Dev Kit to scrape data from SaaS services. Zscaler’s Zero Trust Browser can prevent data loss at a mass scale by rendering web pages in a virtual browser as pixels only: this effectively sanitizes web pages by preventing server-side javascript, applet or other embedded content from reaching an endpoint for execution.Leverage Endpoint Context: Zscaler Endpoint Context also extends visibility to AI agents like OpenClaw, delivering real-time endpoint intelligence that strengthens multilayer protection—so security teams can detect threats sooner and enforce policies with greater precision.Real-World Validation of Zscaler’s OpenClaw Exploitation Prevention MethodsOur ThreatLabz team sought to validate and provide real-world examples of how Zscaler can protect customers against the various ways threat actors seek to compromise an organization’s devices and data using OpenClaw as the entry point. These are practical examples of how the Zero Trust Exchange with its multiple layers of protection works to detect and block communication between OpenClaw, its skills repository as well as file downloads via messaging apps like Telegram.Prevent OpenClaw access with Zscaler’s URL Category for “Online Chat” appsZscaler uses URL Categories to classify and group the URLs of various applications—these categories can be used as actionable criteria in Zscaler URL & Cloud App Control policies to block access to the websites in that category. To block access to the instant messaging apps like Telegram and Discord that OpenClaw could communicate with, a Zscaler administrator could implement a URL & Cloud App Control policy to block access to the domains and ports these messaging apps use. The above excerpt from Zscaler’s Web Insights report shows that communication has been disrupted between OpenClaw and the Telegram messaging app. By using a URL & Cloud App Control policy that specifies the “Online Chat” category, Zscaler customers can block users and apps from connecting to the domains and URLs that OpenClaw can use for malicious means. Subsequently, the OpenClaw interface running on a user’s local device shows that it cannot communicate externally:Similarly, Zscaler can prevent communication between OpenClaw and URLs and ports that OpenAI uses for communication with external apps and third-party clients via API. OpenAI offers various LLM models via its ChatGPT AI app. By specifying the URL Category “ai_ml_apps” in a Zscaler URL & Cloud App Control policy, all calls to api.openclaw.com and similar URLs that OpenClaw could seek to communicate with are blocked:Control access to ClawHub, OpenClaw’s “skills” repository: ClawHub is an open ecosystem that enables rapid innovation and customization of OpenClaw—but it provides threat actors a means to distribute disruptive malware or other files that create security risk. Zscaler empowers organizations to block access to ClawHub using Zscaler’s URL & Cloud App Control policy and specifying the Generative AI category to block access to Clawhub.ai.Prevent malicious file downloads, including the “skill” archive downloads for OpenClaw: Zscaler’s Zero Trust Browser isolates users from potentially harmful content on the internet. This is done by loading the accessed web page in a virtualized remote browser in any one of 160+ Zscaler data centers across the globe, and streaming the rendered content as only pixels to the user’s native browser on the endpointLoading the OpenClaw website or ClawHub, the “skills” marketplace, can be done in isolation with the Zero Trust Browser with the option to block file downloads from isolated web sites: this ensures that any potentially harmful active content in a web page is blocked from reaching the endpoint, effectively sanitizing these websites and controlling how the user interacts with them.Zscaler customers can allow users to access Generative AI apps but prevent any potentially harmful file downloads. Below, the Zero Trust Browser displays a user notification confirming access to the OpenClaw website but in read-only mode: text input is not allowed nor are the download of skill archive files:The proxy architecture that is foundational to the Zero Trust Exchange provides a powerful means of enforcing security policy consistently for all users in every location, no matter where they are in the world—this includes preventing malicious file downloads. When users attempt to download a malicious file using the OpenClaw agent, the Zscaler proxy intercepts and blocks the download. However, Zscaler customers can enable exceptions for Generative AI downloads they deem necessary for their users—this provides flexible and granular policy criteria to allow legitimate files to also be downloaded. In this screenshot from Zscaler’s Web Insights reporting, we see that the eicar_com.zip file has been blocked from download since it’s classified as malicious malware:As a result, the user sees an error message in the Telegram app stating it cannot download the eicar_com.zip file, preventing exploitive action by a threat actor using OpenClaw to distribute malware:Learn more about how Zscaler can help your organization provide secure access to the internet, apps and workloads without compromising productivity: schedule a demo with our security professionals who can show you how to act fast and stay secure.
