France’s ANSSI Issues Fresh Warning About Cyber Threats

System compromises, leakage of sensitive data, potentially destructive actions… The risks posed by OpenClaw are well known and acknowledged.

CERT-FR recently summarized them in an alert bulletin. It broadens its message to cover the entire category of “AI agentic automation products on desktop workstations.” Beyond OpenClaw, Claude Cowork is also mentioned.

Guidance: as things stand, deploying these assistants in production is out of the question. Use should be strictly confined to isolated test environments, without sensitive data. The actions and tools accessible should also be limited, and lists of authorized communication channels and contacts defined. Activation could be restricted, for example by mandating explicit invocation of the assistants (such as @ mentions). And the use of system commands should be subject to human validation.

Defensive framing of prompts can help reduce risks, even though injection attacks can circumvent it, CERT-FR notes.
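Since prompt framing can be bypassed, the restrictions listed above are more robust when enforced in code outside the model. The sketch below is an added example, not taken from the CERT-FR bulletin or from any of the products named; the `Policy` and `Request` types, the handle, the channel, the contacts and the tool names are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    # Every value here is a constructed placeholder, not a real product setting.
    handle: str = "@assistant"
    channels: frozenset = frozenset({"test-lab"})
    contacts: frozenset = frozenset({"alice@example.test"})
    approvers: frozenset = frozenset({"bob@example.test"})
    tools: frozenset = frozenset({"read_file", "run_command"})
    needs_human: frozenset = frozenset({"run_command"})

@dataclass(frozen=True)
class Request:
    channel: str
    sender: str
    text: str                          # untrusted: may carry injected instructions
    tool: str                          # tool the agent wants to call
    approved_by: Optional[str] = None  # set by the approval UI, never by the model

def is_invoked(policy: Policy, text: str) -> bool:
    # The handle must be a token of its own, so "x@assistant.example" does not count.
    return any(tok.strip(".,:;!?") == policy.handle for tok in text.split())

def decide(policy: Policy, req: Request) -> tuple:
    """Default-deny gate. Nothing in req.text can relax a check."""
    if req.channel not in policy.channels:
        return (False, "channel not authorized")
    if req.sender not in policy.contacts:
        return (False, "contact not authorized")
    if not is_invoked(policy, req.text):
        return (False, "assistant not explicitly invoked")
    if req.tool not in policy.tools:
        return (False, "tool not allowed")
    if req.tool in policy.needs_human and req.approved_by not in policy.approvers:
        return (False, "human validation required")
    return (True, "allowed")

if __name__ == "__main__":
    p = Policy()
    # Constructed sample requests.
    for r in (
        Request("test-lab", "alice@example.test", "@assistant, open notes", "read_file"),
        Request("test-lab", "alice@example.test", "@assistant run ls", "run_command"),
        Request("general", "alice@example.test", "@assistant run ls", "run_command"),
    ):
        print(r.tool, r.channel, decide(p, r))
```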

The Chinese CERT laments an “extremely fragile” OpenClaw

A few weeks ago, the Chinese CERT issued a warning of a similar nature, though focused on OpenClaw. It highlighted the tool’s “extremely fragile default configuration” and recalled the high privileges it can hold (access to the local file system, reading environment variables, installing plug-ins…).

Its alert did not formally ban deployment in production. It nevertheless established prerequisites including:

  • Strengthen network controls and do not expose the default management port to the Internet
  • Isolate the execution environment and use technologies such as containers to limit excessive privileges
  • Do not store keys in environment variables
  • Strictly manage the sources of plug-ins and disable their automatic updates

Dawn Liphardt
