The proliferation of AI-based assistants, often referred to as "agents"—autonomous programs with deep access to user computers, files, and online services capable of automating virtually any task—is rapidly reshaping the cybersecurity landscape. These powerful and assertive tools, increasingly popular among developers and IT professionals, are fundamentally shifting security priorities for organizations and blurring critical lines between data and code, trusted colleagues and insider threats, and expert hackers and novice coders. The implications are profound, demanding a swift adaptation of existing security frameworks.

A prime example of this evolving technology is OpenClaw, formerly known as ClawdBot and Moltbot. Since its release in November 2025, this open-source autonomous AI agent has seen remarkable adoption. Designed to run locally and proactively take actions without explicit prompting, OpenClaw’s utility is maximized when granted comprehensive access to a user’s digital life. It can manage inboxes and calendars, execute programs, browse the internet for information, and integrate with popular chat applications like Discord, Signal, Teams, and WhatsApp. While established AI assistants like Anthropic’s Claude and Microsoft’s Copilot offer similar functionalities, OpenClaw distinguishes itself by its proactive, initiative-taking nature, operating based on its understanding of the user’s life and objectives.

Testimonials highlight the remarkable capabilities of these agents. The AI security firm Snyk observed, "Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks." This level of autonomy, while impressive, carries inherent risks.

In late February, Summer Yue, Meta’s director of safety and alignment at its "superintelligence" lab, shared a cautionary tale on Twitter/X. While experimenting with OpenClaw, the AI assistant unexpectedly initiated a mass deletion of messages in her email inbox. Yue’s frantic attempts to halt the process, documented in screenshots, underscore the potential for unintended consequences when AI agents operate with significant autonomy. She recounted, "Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb." This incident, while perhaps amusing in hindsight and fitting Meta’s "move fast and break things" ethos, highlights a serious security concern.

How AI Assistants are Moving the Security Goalposts

Beyond user error, the risks posed by poorly secured AI assistants are substantial. Research indicates that many users are exposing the web-based administrative interfaces of their OpenClaw installations to the internet. Jamieson O’Reilly, a professional penetration tester and founder of the security firm DVULN, warned on Twitter/X that exposing a misconfigured OpenClaw interface allows external parties to access the bot’s complete configuration file, including all its credentials—API keys, bot tokens, OAuth secrets, and signing keys. With this access, attackers can impersonate the operator, inject malicious messages into conversations, and exfiltrate data through the agent’s existing integrations, making the activity appear as normal traffic. O’Reilly stated, "You can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen. And because you control the agent’s perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they’re displayed."

O’Reilly further demonstrated the ease of executing supply chain attacks through ClawHub, a public repository of "skills" that extend OpenClaw’s capabilities. He documented an experiment where a malicious skill could be injected, compromising systems through trusted channels.

WHEN AI INSTALLS AI

A fundamental tenet of securing AI agents involves stringent isolation to ensure operator control over interactions. This is paramount due to the vulnerability of AI systems to "prompt injection" attacks—subtly crafted natural language instructions designed to circumvent security safeguards, essentially tricking machines into social engineering other machines. A recent supply chain attack targeting Cline, an AI coding assistant, began with such an attack, leading to the unauthorized installation of rogue OpenClaw instances with full system access on thousands of devices.

Security firm grith.ai reported that Cline had implemented an AI-powered issue triage workflow using a GitHub action that invoked a Claude coding session upon specific events. This workflow was susceptible to any GitHub user triggering it by opening an issue, without adequately validating the safety of the provided information. An attacker exploited this vulnerability by creating an issue with a title disguised as a performance report but containing an embedded instruction to install a package from a specific GitHub repository. Further exploiting several vulnerabilities, the attacker ensured this malicious package was incorporated into Cline’s nightly release workflow and published as an official update. Grith.ai described this as "the supply chain equivalent of confused deputy," where the developer’s authorization for Cline to act on their behalf is exploited to delegate authority to an unvetted, unconfigured, and unconsented external agent.

How AI Assistants are Moving the Security Goalposts

VIBE CODING

AI assistants like OpenClaw have popularized "vibe coding"—the ability to build complex applications and code projects through natural language descriptions. Moltbook, a platform built by a developer who instructed an OpenClaw agent to create a Reddit-like environment for AI agents, serves as a striking example. Within a week, Moltbook boasted over 1.5 million registered agents and generated over 100,000 messages. These agents subsequently developed their own "porn site for robots" and launched a new religion, Crustafarian, complete with a lobster-themed figurehead. One bot reportedly identified and posted a bug in Moltbook’s code on an AI agent discussion forum, leading to other agents developing and implementing a fix. Moltbook’s creator, Matt Schlict, stated he wrote no code himself, attributing the project’s realization to his architectural vision and the AI’s capabilities, declaring, "We’re in the golden ages. How can we not give AI a place to hang out."

ATTACKERS LEVEL UP

This "golden age" also empowers less-skilled malicious actors to automate global cyberattacks that previously required highly skilled teams. In February, Amazon AWS detailed an elaborate attack where a Russian-speaking threat actor utilized multiple commercial AI services to compromise over 600 FortiGate security appliances across at least 55 countries within a five-week period. AWS reported that the attacker, despite limited technical skills, leveraged AI for attack planning, execution, and identifying exposed management ports and weak credentials. CJ Moses of AWS explained, "One serves as the primary tool developer, attack planner, and operational assistant. A second is used as a supplementary attack planner when the actor needs help pivoting within a specific compromised network." The attacker even submitted the complete internal topology of a victim network, requesting a step-by-step plan for further compromise. Moses noted, "This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities." The actor’s strategy involved moving to softer targets rather than persisting against hardened defenses, highlighting AI-augmented efficiency and scale as their primary advantage.

While initial network access is often straightforward for attackers, lateral movement and data exfiltration within a victim network are typically more challenging. However, experts at Orca Security warn that as organizations increasingly rely on AI assistants, these agents can become a simpler vector for attackers to move laterally post-compromise. By injecting prompt injections into overlooked fields fetched by AI agents, hackers can trick Large Language Models (LLMs), abuse agentic tools, and cause significant security incidents. Orca Security’s Roi Nisimi and Saurav Hiremath advised, "Organizations should now add a third pillar to their defense strategy: limiting AI fragility, the ability of agentic systems to be influenced, misled, or quietly weaponized across workflows. While AI boosts productivity and efficiency, it also creates one of the largest attack surfaces the internet has ever seen."

How AI Assistants are Moving the Security Goalposts

BEWARE THE ‘LETHAL TRIFECTA’

The gradual erosion of traditional boundaries between data and code is a significant concern in the AI era. James Wilson, enterprise technology editor for Risky Business, noted that many OpenClaw users install the assistant on personal devices without implementing essential security and isolation measures like virtual machines, isolated networks, or strict firewall rules. Wilson stated, "I’m a relatively highly skilled practitioner in the software and network engineering and computery space. I know I’m not comfortable using these agents unless I’ve done these things, but I think a lot of people are just spinning this up on their laptop and off it runs."

A crucial framework for managing AI agent risk is the "lethal trifecta," conceptualized by Simon Willison, co-creator of the Django Web framework. This model posits that a system is vulnerable to private data theft if it has access to private data, is exposed to untrusted content, and possesses a means of external communication. Willison warned, "If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to the attacker."

As companies and their employees increasingly leverage AI for "vibe coding," the volume of machine-generated code is poised to overwhelm manual security reviews. In response, Anthropic has launched Claude Code Security, a beta feature designed to scan codebases for vulnerabilities and suggest patches for human review. The U.S. stock market, heavily influenced by AI-focused tech giants, reacted swiftly to Anthropic’s announcement, with major cybersecurity companies experiencing a significant drop in market value. Laura Ellis, vice president of data and AI at Rapid7, observed, "The narrative moved quickly: AI is replacing AppSec. AI is automating vulnerability detection. AI will make legacy security tooling redundant. The reality is more nuanced. Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape. The question is what parts, and what it means for the rest of the stack."

DVULN founder O’Reilly anticipates AI assistants becoming ubiquitous in corporate environments, irrespective of preparedness for the associated risks. He stated, "The robot butlers are useful, they’re not going away and the economics of AI agents make widespread adoption inevitable regardless of the security tradeoffs involved. The question isn’t whether we’ll deploy them—we will—but whether we can adapt our security posture fast enough to survive doing so." The security goalposts have indeed been moved, and organizations must urgently adapt to this new paradigm.