If you've been watching the AI space with a mix of excitement and anxiety, the OpenClaw security incidents of early 2026 probably crystallized something you've been feeling: this technology is moving faster than our ability to secure it.
And that's not a reason to avoid AI. It's a reason to get smart about it—fast.
First, Let's Talk About What AI Agents Actually Are
Here's the thing most business leaders get wrong about the current AI moment: they think of AI tools as fancy chatbots. Ask a question, get an answer. Safe, contained, predictable.
AI agents are something fundamentally different. These are AI systems that don't just generate text—they take actions on your computer. They browse the web. They write and execute code. They interact with your files, your applications, your systems. They're designed to be autonomous, to complete complex tasks with minimal human oversight.
Think of it this way: ChatGPT is like having a very smart consultant on call. An AI agent is like giving that consultant the keys to your office, your computer passwords, and permission to do things on your behalf while you're not looking.
That's an incredible productivity unlock. It's also a fundamentally new category of risk.
The OpenClaw Phenomenon: How We Got Here
OpenClaw burst onto the scene as the AI agent everyone wanted. Open-source, community-driven, with a marketplace of "skills" that let it do everything from managing your calendar to writing code to automating complex workflows. By early 2026, it had millions of users and had become the de facto standard for agentic AI experimentation.
Then came CVE-2026-25253.
Security researchers discovered that a single malicious skill—essentially a plugin—could achieve remote code execution on any machine running OpenClaw. One click to install a skill, and an attacker had full access to your system.
The vulnerability wasn't a bug in the traditional sense. It was a feature working exactly as designed—AI agents need system access to be useful. The question is who else gets that access along the way.
The response from the security community was swift and alarming. Cisco's threat intelligence team called it "a nightmare scenario we've been warning about." Andrej Karpathy, the former Tesla AI director who had been an early OpenClaw enthusiast, publicly reversed his position, noting that the security model was "fundamentally broken for enterprise use."
Why AI Agents Need Shell Access (And Why That's Terrifying)
To understand why this matters, you need to understand what makes AI agents useful in the first place.
When you ask an AI agent to "organize my downloads folder and delete anything older than 30 days," it needs to actually interact with your file system. When you ask it to "run this Python script and email me the results," it needs access to your command line and your email client. When you ask it to "book me a flight to Chicago next Tuesday," it needs to navigate websites and fill out forms.
All of this requires some level of system access. And that access is exactly what attackers want.
The OpenClaw architecture gave skills—community-created extensions—broad permissions by default. The thinking was that flexibility would drive innovation. And it did. ClawHub, the skill marketplace, grew to thousands of extensions covering every use case imaginable.
But flexibility without guardrails is just another word for vulnerability.
The Malicious Skills Problem
Security researchers at Wiz documented 341 skills on ClawHub that exhibited dangerous behaviors. Some were obviously malicious—designed to exfiltrate data or establish persistent backdoors. Others were more subtle: legitimate-seeming tools that included hidden functionality or excessive permission requests.
The attack vectors were varied and creative:
Prompt injection attacks — Skills that manipulated the AI agent's instructions, causing it to take actions the user never intended.
Credential harvesting — Skills that captured API keys, passwords, and authentication tokens as users interacted with various services.
Supply chain compromises — Popular skills that were later updated with malicious code, affecting users who had auto-update enabled.
Skill hijacking — Techniques that allowed one skill to manipulate or override the behavior of other installed skills.
The fundamental problem? Users had no way to evaluate the security of skills they were installing. The marketplace had no meaningful vetting process. And the AI agent itself couldn't distinguish between legitimate instructions and malicious ones.
The Shadow IT Angle: Your Employees Are Already Using This
Here's the number that should keep every CIO up at night: according to a recent survey by Gartner, 22% of employees are using AI agent tools without their IT department's knowledge or approval.
That's not surprising. These tools are genuinely useful. They save time. They automate tedious work. And they're available to anyone with an internet connection.
But it means that right now, today, there's a decent chance someone in your organization is running an AI agent with broad system access, installed skills of unknown provenance, and zero security oversight.
This isn't about blame. It's about reality. Employees adopt tools that make their lives easier. If IT doesn't provide sanctioned alternatives, people find their own solutions.
What the Experts Are Saying
The security community's response to the OpenClaw incidents has been remarkably unified. This isn't a case where reasonable people disagree—it's a case where the risks are clear enough that even AI optimists are sounding alarms.
"We're in a moment that feels a lot like the early days of mobile apps," said Katie Moussouris, founder of Luta Security. "Everyone's excited about the functionality, but the security model is immature. The difference is that AI agents have much broader access to sensitive systems than a mobile app ever did."
Bruce Schneier, the security technologist and author, was more blunt: "Giving an AI agent shell access is giving it the same privileges as a human user. We don't give human users those privileges without background checks, training, and accountability. Why would we give them to software we don't fully understand?"
The OpenClaw team, to their credit, has been responsive. They've implemented a new permission system, added skill signing requirements, and created a security review process for the marketplace. But the fundamental architecture questions remain unresolved.
Red Flags to Watch For
If you're evaluating AI agent tools—whether for personal use or enterprise deployment—here are the warning signs that should give you pause:
Excessive permission requests — Does the tool need access to your entire file system, or just specific directories? Does it need to read all your browser data, or just interact with specific sites? More permissions means more attack surface.
Unclear skill provenance — Who created the extensions you're installing? What's their track record? Is there any vetting process? A vibrant marketplace is great, but not if it's a free-for-all.
No audit logging — Can you see what the AI agent is doing? Can you review its actions after the fact? If the tool doesn't provide visibility into its behavior, you have no way to detect misuse.
Auto-update without review — Are extensions updating automatically? That means code you didn't approve is running on your system. Supply chain attacks love auto-update.
Vague security documentation — If the vendor can't clearly explain their security model, they probably don't have one. "We take security seriously" is not a security architecture.
Enterprise vs. Consumer: The Maturity Gap
Here's something important to understand: the AI tools designed for enterprise use and the AI tools designed for consumers are operating at very different levels of security maturity.
Enterprise AI platforms from vendors like Microsoft, Google, and Anthropic have dedicated security teams, compliance certifications, audit logging, access controls, and incident response processes. They're not perfect, but they're built with security as a core requirement.
Consumer and prosumer tools—including many of the most innovative AI agents—often prioritize features and user experience over security. That's not necessarily wrong for their target market, but it means they're not ready for business use.
| Factor | Enterprise AI Tools | Consumer AI Agents |
|---|---|---|
| Access Controls | Role-based, granular permissions | Often all-or-nothing |
| Audit Logging | Comprehensive, exportable | Limited or absent |
| Extension Vetting | Security review required | Community-driven, variable |
| Incident Response | Dedicated team, SLAs | Best-effort community support |
| Compliance | SOC 2, GDPR, industry-specific | Typically none |
The gap isn't permanent—many consumer tools will mature over time. But right now, the security posture difference is substantial.
Policy Recommendations: Letting Employees Use AI Agents Safely
So what do you actually do about this? Banning AI agents entirely isn't realistic—the productivity benefits are too compelling, and employees will find ways around blanket prohibitions. The goal is controlled adoption with appropriate guardrails.
Create an approved tools list — Evaluate AI agent tools against your security requirements and provide employees with sanctioned options. If people have good alternatives, they're less likely to go rogue.
Establish a request process — Make it easy for employees to request evaluation of new tools. If the process is too burdensome, people will skip it.
Implement network monitoring — You should be able to detect when AI agent tools are communicating with external services. This isn't about surveillance—it's about visibility.
Require isolated environments — For AI agents that need broad system access, consider sandboxed environments or dedicated machines that don't have access to sensitive data.
Train employees on risks — People make better decisions when they understand the stakes. Security awareness training should include AI-specific risks.
Review and revise regularly — This space is evolving rapidly. What's risky today might be safe tomorrow, and vice versa. Build in regular policy reviews.
Start with a pilot program. Pick a team, give them an approved AI agent tool, monitor closely, and learn from the experience before broader rollout.
Vetting AI Vendors: Questions to Ask
When you're evaluating AI agent tools for enterprise use, here are the questions that separate mature vendors from the rest:
Security architecture: "Walk me through your security model. How do you isolate user data? How do you limit the blast radius of a compromised component?"
Permission model: "What permissions does your tool require? Can we limit those permissions? What's the minimum viable permission set for our use case?"
Extension security: "How do you vet third-party extensions? What's your process for responding to malicious extensions? Can we restrict which extensions our users can install?"
Audit and compliance: "What logging do you provide? Can we export logs to our SIEM? What compliance certifications do you have?"
Incident response: "What's your process when a security issue is discovered? What's your SLA for critical vulnerabilities? How will you communicate with us during an incident?"
Data handling: "Where is our data processed and stored? Who has access to it? How is it encrypted? What's your data retention policy?"
If a vendor can't answer these questions clearly and confidently, they're not ready for enterprise deployment.
The Fundamental Design Question
The OpenClaw incidents raise a question that the AI industry hasn't fully grappled with: should AI agents have direct system access at all?
There are alternative architectures. AI agents could operate through constrained APIs rather than shell access. They could propose actions for human approval rather than executing autonomously. They could run in sandboxed environments with limited capabilities.
These approaches sacrifice some flexibility and convenience. An AI agent that has to ask permission for every file operation is less useful than one that can just do the work. But they also dramatically reduce the attack surface.
The industry is still figuring out where the right balance lies. In the meantime, businesses need to make decisions with imperfect information and immature tools.
How We Think About This at Entvas
When we evaluate AI tools for client implementations, security is a first-order consideration—not an afterthought. That means we're often recommending against the newest, shiniest tools in favor of more established options with better security track records.
We also take a use-case-specific approach. An AI agent that helps with code review has different security requirements than one that manages customer communications. The right tool depends on what you're trying to accomplish and what data it needs to touch.
And we're honest with clients about uncertainty. This is a rapidly evolving space. What we recommend today might change as tools mature and new risks emerge. Building in flexibility and regular reassessment is part of any responsible AI adoption strategy.
The Path Forward
The OpenClaw security incidents aren't a reason to avoid AI agents. They're a reason to approach them with the same rigor you'd apply to any other enterprise technology decision.
That means understanding what you're adopting, evaluating security alongside functionality, implementing appropriate controls, and staying informed as the landscape evolves.
The organizations that get this right will capture the productivity benefits of agentic AI while managing the risks. The ones that don't will learn the hard way that moving fast and breaking things works better as a startup motto than an enterprise security strategy.
The good news? You don't have to figure this out alone. The security community is actively working on better frameworks, vendors are improving their practices, and there's a growing body of knowledge about what works and what doesn't.
The bad news? The window for getting ahead of this is closing. AI agents are already in your organization, whether you sanctioned them or not. The question isn't whether to engage with this technology—it's whether to do it thoughtfully or reactively.
We know which approach we'd recommend.
Entvas Editorial Team
Helping businesses make informed decisions
