- OpenClaw can silently execute dangerous actions while holding full access credentials
- Persistent tokens allow subtle manipulations to go undetected across multiple sessions
- Running OpenClaw on standard desktops exposes critical data to invisible risks
Microsoft security researchers have warned that OpenClaw should not run on ordinary personal or corporate workstations.
A new Microsoft Security blog post describes how the risk stems from the way the runtime operates, combining untrusted instructions with executable code while using valid credentials.
This combination changes traditional security boundaries in ways that most office environments are not designed to handle.
What is OpenClaw
OpenClaw is a self-hosted AI agent runtime designed to perform tasks for individuals or teams. It’s not just about answering questions.
To function fully, users grant it broad access to software, including online services, email accounts, login tokens, and local files.
Once connected, it can browse repositories, send messages, edit documents, call APIs, and automate workflows across SaaS platforms and internal systems.
It can also download and install external skills from public sources, and these skills expand the agent’s capabilities.
The runtime maintains persistent tokens and stored state, allowing it to continue running from session to session without repeated authentication.
When software can install new features, process unpredictable input, and act on saved credentials, the device hosting it becomes part of a continuous automation loop.
The problem isn’t just that OpenClaw is executing code. Many applications execute code securely every day. The difference here is that OpenClaw can pull in third-party functionality while still processing instructions that may contain hidden manipulations.
This brings together the risks of delivering code and delivering instructions into a single environment, and unlike conventional software, OpenClaw can change its operating state over time.
Its stored memory, configuration settings, and installed extensions may be influenced by the content it processes.
In a loosely controlled environment, this can result in credential exposure, data leakage, or subtle configuration changes that persist.
These results do not require obvious malware; they can occur through normal API calls made with legitimate permissions.
Microsoft notes that persistence may appear as discreet configuration drift rather than a visible compromise.
An OAuth consent approval or scheduled task can expand access without immediate warning signs.
Standard endpoint protection and a properly configured firewall reduce some threats, but they do not automatically block logic that uses trusted credentials.
“OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run it on a standard personal or enterprise workstation…” the company said in a blog post.
For organizations still considering testing OpenClaw, Microsoft recommends strict isolation.
The runtime should run inside a dedicated virtual machine or a separate device without any primary business account attached.
Credentials should be limited, purpose-built and rotated regularly, while continuous monitoring via Microsoft Defender XDR or similar tools is advised to detect any unusual activity.
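The configuration drift and monitoring points above can be checked on the isolated host with a baseline comparison of the agent's stored state. This is an added example, not code from Microsoft or the OpenClaw project; the `skills/`, `config/` and `memory/` directory names are assumptions chosen for illustration, not OpenClaw's documented layout.

```python
import hashlib
import json
from pathlib import Path

# Hypothetical layout of the agent's state directory (an assumption for this
# example, not OpenClaw's documented structure).
CATEGORIES = {"skills": "installed extension", "config": "configuration", "memory": "stored memory"}


def snapshot(state_dir):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(state_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_state(baseline, current):
    """Return a path-sorted list of (change, category, path) since the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue
        if path not in baseline:
            change = "added"
        elif path not in current:
            change = "removed"
        else:
            change = "modified"
        category = CATEGORIES.get(path.split("/", 1)[0], "other")
        findings.append((change, category, path))
    return findings


def save_baseline(state_dir, baseline_file):
    """Record the reviewed state; keep the file where the agent cannot write."""
    Path(baseline_file).write_text(json.dumps(snapshot(state_dir), indent=2))


def check_drift(state_dir, baseline_file):
    """Compare the live state directory against the stored baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    return diff_state(baseline, snapshot(state_dir))


if __name__ == "__main__":
    import sys
    for change, category, path in check_drift(sys.argv[1], sys.argv[2]):
        print(f"{change:9} {category:20} {path}")
```

Run it from outside the agent's VM or account, so the baseline and the checker are not themselves part of the state the agent can modify.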




