%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
According to AIbase, Microsoft recently issued an important security warning regarding its artificial intelligence assistant, OpenClaw, clearly stating that the tool should not be run on standard personal or corporate workstations but should only be deployed in fully isolated environments.
OpenClaw is designed as an AI agent capable of performing tasks autonomously. To achieve automated operations, users must grant it full access to computer systems and software, including email, files, online services, and login credentials. This "high-privilege + persistent state (memory)" operating mode makes it powerful but also poses significant security risks.
The Microsoft Defender Security Research team stated in their official blog that OpenClaw should be considered an "untrusted code execution with persistent credentials." Once exploited, attackers could not only steal credentials and sensitive data but also manipulate the agent's persistent memory, making it execute malicious instructions in subsequent runs.
Microsoft disclosed that OpenClaw currently faces two core threats:
First, Indirect Prompt Injection.
Attackers can hide malicious instructions within the content that the agent reads, thereby controlling its tool calls or tampering with its memory, which can have long-term effects on its behavior. If strict security boundaries are not set, the agent may unknowingly perform actions according to the attacker's intent.
Second, Skill-based Malware.
OpenClaw can download and run code from the internet to expand its functionality, a mechanism that could become an attack vector. Attackers can deliver "skill" modules containing malicious code to achieve remote control or implant backdoors. Microsoft emphasized that successful attacks do not necessarily rely on traditional malware but could also be achieved through subtle configuration changes.
The security risks are not theoretical. Recently, the STRIKE threat intelligence team under SecurityScorecard found that OpenClaw's control panel was exposed on over 42,000 independent IP addresses across 82 countries, with approximately 50,000 instances having remote code execution (RCE) vulnerabilities, allowing attackers to directly control the host system, putting user accounts at risk of being compromised.
Given these risks, Microsoft recommends that organizations conduct testing and evaluation in dedicated virtual machines or independent physical systems, using dedicated, non-privileged credentials for the runtime environment, limiting access to non-sensitive data, and establishing continuous monitoring and regular reconstruction mechanisms to avoid direct deployment in core production systems.
As autonomous agent-type AI tools gradually enter practical application scenarios, their security boundaries and governance frameworks are becoming issues that the industry must address. The case of OpenClaw once again reminds enterprises: while embracing AI's automation capabilities, they must simultaneously build strict isolation, permission, and monitoring frameworks; otherwise, powerful execution capabilities could also become an entry point for attacks.