OpenClaw Agentic AI Assistant Poses Novel Security Risks, Trend Micro Warns
Trend Micro researchers analyze OpenClaw, a new agentic AI system, highlighting its high autonomy and lack of human oversight as key security risks that could enable automated attacks and data exfiltration.
Trend Micro researchers have published a detailed analysis of OpenClaw (also known as Clawdbot/Moltbot), a new agentic AI assistant that combines high autonomy with ease of use, warning that its design introduces significant security risks. The research, released on February 6, 2026, compares OpenClaw to predecessors like ChatGPT Agent and highlights how its capabilities could be abused by threat actors for automated attacks, data exfiltration, and social engineering campaigns.
OpenClaw scores higher than ChatGPT Agent in several key areas, including autonomous decision-making (A2) and the ability to perform financial transactions (A4). Unlike ChatGPT Agent, which requires explicit user confirmation for sensitive actions, OpenClaw does not enforce a mandatory human-in-the-loop mechanism. Once objectives and permissions are set, the assistant can operate with full autonomy, increasing the risk that errors or manipulations could go unnoticed until real damage occurs.
The assistant's persistent memory and ability to communicate with other agents amplify these risks. OpenClaw maintains long-term context, user preferences, and interaction history, which could be shared with malicious agents if compromised. Its integration with external services also expands the attack surface, making it vulnerable to supply chain attacks through unvetted skills or tools. Trend Micro notes that malicious skills have already appeared in OpenClaw's hub, and criminal forums like Exploit.in are discussing the deployment of OpenClaw skills for botnet operations.
Like other LLM-driven agents, OpenClaw is susceptible to prompt injection attacks, where an attacker embeds malicious instructions in webpages or documents to steer the agent toward harmful actions. The combination of high autonomy, persistent memory, and ecosystem integration makes OpenClaw particularly dangerous if compromised, as it could exfiltrate sensitive data, execute unauthorized commands, or propagate attacks across connected systems.
The researchers emphasize that the risks are not hypothetical. Reports have already shown the emergence of malicious skills in OpenClaw's hub, and underground forums are actively discussing its abuse. Trend Micro's analysis underscores the need for organizations to carefully evaluate the security implications of deploying agentic AI assistants, especially in enterprise environments where unsupervised access to sensitive systems and data could lead to severe consequences.
As agentic AI assistants become more prevalent, the security community must develop new frameworks for assessing and mitigating their risks. Trend Micro's research provides a valuable starting point, mapping OpenClaw's capabilities against a structured framework to identify where risks are amplified. The findings serve as a warning that the convenience of autonomous AI agents must be balanced with robust security controls to prevent misuse.