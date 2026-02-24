OpenClaw can silently execute dangerous actions while holding full access credentials

Microsoft’s security researchers have warned OpenClaw should not run on ordinary personal or enterprise workstations.

A new Microsoft Security blog post explains that the risk stems from the way the runtime operates: it blends untrusted instructions with executable code while acting under valid credentials.

That combination alters the traditional security boundary in ways most desktop environments are not built to handle.

What is OpenClaw?

OpenClaw is a self-hosted AI agent runtime built to carry out tasks for individuals or teams. It is not limited to answering questions.

To function fully, users grant it broad software access, including online services, email accounts, login tokens, and local files.

Once connected, it can browse repositories, send messages, edit documents, call APIs, and automate workflows across SaaS platforms and internal systems.

It can also download and install external skills from public sources, and these skills expand what the agent can do.

The runtime keeps persistent tokens and stored state, allowing it to continue operating across sessions without repeated authentication.

When software can install new capabilities, process unpredictable input, and act with saved credentials, the device hosting it becomes part of an ongoing automation loop.

The concern is not simply that OpenClaw runs code. Many applications execute code safely every day - the difference here is that OpenClaw can retrieve third-party capabilities while processing instructions that may contain hidden manipulation.

This brings together code-supply and instruction-supply risks in one environment, and unlike conventional software, OpenClaw can modify its own working state over time.

Its stored memory, configuration settings, and installed extensions may be influenced by the content it reads.

In a lightly controlled environment, this can lead to credential exposure, data leakage, or subtle configuration changes that persist.

These outcomes do not require obvious malware; they can occur through normal API calls made with legitimate permissions.

Microsoft notes that persistence may appear as quiet configuration drift rather than a visible compromise.

An OAuth consent approval or a scheduled task may extend access without immediate warning signs.

Standard endpoint protection and a properly configured firewall reduce certain threats, yet they do not automatically block logic that uses approved credentials.

“OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation…” the company said in a blog post.

For organizations that still plan to test OpenClaw, Microsoft recommends strict isolation.

The runtime should operate inside a dedicated virtual machine or separate device with no primary work accounts attached.

Credentials should be limited, purpose-built, and rotated regularly, while continuous monitoring through Microsoft Defender XDR or similar tools is advised to detect unusual activity.
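The drift the article describes (stored state, installed extensions, scheduled tasks and OAuth grants shifting after the agent reads untrusted content) and the credential hygiene it recommends (purpose-built, narrowly scoped, regularly rotated tokens) can both be checked with a baseline comparison. The following script is an added example, not code from Microsoft or from the OpenClaw project, and it is written from a defender's perspective: it compares a constructed baseline snapshot of an agent's state against a later snapshot and reports configuration changes, new or modified skills, new scheduled tasks, widened OAuth scopes, over-scoped tokens and tokens that are overdue for rotation. The state layout, the scope allowlist and the 30-day rotation window are assumptions made for illustration; OpenClaw's real on-disk format is not known from the page.

```python
"""Drift and credential-hygiene checks for a self-hosted agent runtime (added example)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed baseline snapshot: the state a defender records right after a
# clean install. The structure is an assumption for illustration only, not
# OpenClaw's real configuration or storage format.
BASELINE_STATE = {
    "config": {"allow_skill_install": False, "outbound_hosts": ["api.example.test"]},
    "skills": {"summarize": {"source": "local", "sha256": "a" * 64}},
    "scheduled_tasks": [],
    "oauth_grants": [{"app": "mail-reader", "scopes": ["mail.read"]}],
    "tokens": [{"name": "repo-token", "issued_at": "2026-01-01T00:00:00+00:00",
                "scopes": ["repo:read"]}],
}

# Constructed snapshot taken later, after the agent has processed untrusted
# content: a new skill, a new schedule entry, a widened grant and config drift.
DRIFTED_STATE = {
    "config": {"allow_skill_install": True,
               "outbound_hosts": ["api.example.test", "relay.example.test"]},
    "skills": {"summarize": {"source": "local", "sha256": "a" * 64},
               "helper": {"source": "https://skills.example.test/helper", "sha256": "b" * 64}},
    "scheduled_tasks": [{"name": "sync", "cron": "*/5 * * * *", "command": "run helper"}],
    "oauth_grants": [{"app": "mail-reader", "scopes": ["mail.read", "mail.send"]}],
    "tokens": BASELINE_STATE["tokens"],
}

ALLOWED_SCOPES = {"mail.read", "repo:read"}   # assumed allowlist for this deployment
MAX_TOKEN_AGE = timedelta(days=30)            # assumed rotation window
NOW = datetime(2026, 2, 24, tzinfo=timezone.utc)  # time of the check (article date)


def fingerprint(obj) -> str:
    """Stable hash of a JSON-serialisable object, used to compare list entries."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def diff_state(baseline: dict, current: dict) -> list[str]:
    """Report every way `current` departs from `baseline`."""
    findings: list[str] = []
    for key in sorted(set(baseline["config"]) | set(current["config"])):
        before, after = baseline["config"].get(key), current["config"].get(key)
        if before != after:
            findings.append(f"config drift: {key}: {before!r} -> {after!r}")
    for name, meta in current["skills"].items():
        base = baseline["skills"].get(name)
        if base is None:
            findings.append(f"new skill installed: {name} from {meta['source']}")
        elif base["sha256"] != meta["sha256"]:
            findings.append(f"skill modified: {name}")
    for name in baseline["skills"]:
        if name not in current["skills"]:
            findings.append(f"skill removed: {name}")
    known_tasks = {fingerprint(t) for t in baseline["scheduled_tasks"]}
    for task in current["scheduled_tasks"]:
        if fingerprint(task) not in known_tasks:
            findings.append(f"new scheduled task: {task['name']} ({task['command']})")
    known_grants = {g["app"]: set(g["scopes"]) for g in baseline["oauth_grants"]}
    for grant in current["oauth_grants"]:
        extra = set(grant["scopes"]) - known_grants.get(grant["app"], set())
        if extra:
            findings.append(f"oauth scope expanded: {grant['app']} +{sorted(extra)}")
    return findings


def credential_findings(state: dict, now: datetime = NOW,
                        allowed_scopes: set[str] = ALLOWED_SCOPES,
                        max_age: timedelta = MAX_TOKEN_AGE) -> list[str]:
    """Flag tokens past their rotation window and any scope outside the allowlist."""
    findings: list[str] = []
    for tok in state["tokens"]:
        age = now - datetime.fromisoformat(tok["issued_at"])
        if age > max_age:
            findings.append(f"token overdue for rotation: {tok['name']} ({age.days} days old)")
        over = set(tok["scopes"]) - allowed_scopes
        if over:
            findings.append(f"token scope beyond allowlist: {tok['name']} {sorted(over)}")
    for grant in state["oauth_grants"]:
        over = set(grant["scopes"]) - allowed_scopes
        if over:
            findings.append(f"oauth grant beyond allowlist: {grant['app']} {sorted(over)}")
    return findings


if __name__ == "__main__":
    for line in diff_state(BASELINE_STATE, DRIFTED_STATE) + credential_findings(DRIFTED_STATE):
        print("ALERT:", line)
```

Run it periodically from outside the agent's VM (so the agent cannot edit the baseline it is being compared against), and treat any finding as a signal to review the content the agent ingested since the last clean snapshot rather than as proof of compromise on its own.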

