Running OpenClaw safely: identity, isolation, and runtime risk


Self-hosted agent runtimes like OpenClaw are showing up fast in enterprise pilots, and they introduce a blunt reality: OpenClaw includes limited built-in security controls. The runtime can ingest untrusted text, download and execute skills (i.e. code) from external sources, and perform actions using the credentials assigned to it.

This effectively shifts the execution boundary from static application code to dynamically supplied content and third-party capabilities, without equivalent controls around identity, input handling, or privilege scoping.

In an unguarded deployment, three risks materialize quickly:

  • Credentials and accessible data may be exposed or exfiltrated.
  • The agent’s persistent state or “memory” can be modified, causing it to follow attacker-supplied instructions over time.
  • The host environment can be compromised if the agent is induced to retrieve and execute malicious code.

Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation. If an organization determines that OpenClaw must be evaluated, it…
