AI agents in the company. Four golden rules for implementing OpenClaw

As expected, after chatbots, AI agents are now the hottest topic in the AI industry. AI already helps run the largest companies, some of which employ more bots than people, and although the technology is still new, the enthusiasm fuelled by the vision of far higher efficiency obscures the broader picture for many decision-makers.
However, what initially seemed to be the domain of the people closest to new technologies, i.e. those who work with code, quickly began to spread to other areas. The project now called OpenClaw is largely responsible for this. Created by Peter Steinberger in the spirit of vibe coding, it started out as ClawdBot in late 2025. At the beginning of January it was thoroughly rebuilt, and from that moment on the tool, also known as Moltbot, began to become a real sensation.
More and more people downloaded it from GitHub, but the real madness began in mid-February, when version 2.0 appeared and the name was changed again – this time to OpenClaw. The scale of this phenomenon is best illustrated by GitHub's system of stars, which users award to projects they recommend and find useful.
In just three months after its premiere, OpenClaw gained over 330,000 of them, becoming the 9th best-rated project on the platform. This is by far the fastest growth in the history of GitHub. Suffice it to say that Linux, the most popular free operating system, is only now expected to exceed the 200,000 level, and it took 14 years to collect those stars. OpenClaw broke this ceiling in just a few weeks.
As more language models are supported and new skills are acquired, the capabilities of the tool in its current form can be described as follows: after a simple installation and configuration of OpenClaw, we gain an AI agent that is able to manage our device – a phone, tablet or computer – completely independently, and do exactly what humans do, but without human intervention.
The fact that commands can be given to agents built inside OpenClaw via ordinary messengers, in plain language, as if we were talking to someone we knew, meant that the solution quickly attracted the interest of people who had never dealt with such technology before. Jensen Huang, in a recent conversation about this tool with CNBC's Jim Cramer, admitted directly: This is undoubtedly the new ChatGPT.
An AI agent can do anything
However, OpenClaw itself is only an environment, and its real power is unlocked when we start teaching the agent built in it new skills. If it can't handle something, we can simply tell it to learn it and download the appropriate plug-in from a very wide catalog of specialized solutions created by users. The so-called ClawHub currently includes several tens of thousands of ready-made instructions that an OpenClaw agent can quickly learn. If we need AI to handle invoices, we will certainly find a suitable plug-in there. Do we need to conduct a market analysis, e.g. among available financial applications? Check which ones offer what, how much they earn, how many people have downloaded them? Of course, there is a plug-in for this too, which can be loaded from ClawHub into our agent. The possibilities are virtually endless.
This sounds absolutely phenomenal, and even when we take into account the cost of operating an agent, we can gain a lot. Unless we run a local model on our computer, we must use an API key from Google, OpenAI or another AI model provider, which incurs a small fee per query. The tokens used in this way, i.e. the units in which the data processed by the model is measured, today cost fractions of a cent, which means that for an AI agent to perform a specific task – such as analyzing a report or booking tickets – you usually pay from a few to several dozen cents. This is really little, and the time freed up in this way is obviously worth much more.
But if it's so great… then there must be a catch somewhere in all this. And there is.
Code red and OpenClaw's biggest problem
The biggest problem of OpenClaw, as of all other tools related to AI agents, is their… security. To work effectively, an AI agent must be given very broad permissions, and by installing OpenClaw we allow it very deep access to our operating system and all of its resources. Even though artificial intelligence can do a lot this way… it can break just as much. Or even delete it forever.
What is also problematic is the fact that more and more plug-ins with malicious code embedded in them are appearing in the ClawHub ecosystem. According to the Koi Security report, out of just over 2,800 plug-ins tested, as many as 341 contained malware. In turn, research conducted by Snyk showed that security vulnerabilities can be found in as many as 36 percent of all AI agent plug-ins – vulnerabilities that can be used, for example, to take control of a given system.
ClawHub – a place with skills that an AI agent can acquire
In an interview with Business Insider Polska, Łukasz Nowatkowski, Cybersecurity Advocate at Xopero Software SA, also draws attention to one more issue: – The greatest, unsaid threat is what we call “operational hallucinations”. (…) If the Agent misinterprets the context and as part of the optimization will delete the entire customer database instead of duplicating it, we are dealing with a disaster.
Such cases have already occurred, also in the largest technology companies in the world. Suffice it to say that the recent failure of Amazon Web Services resulted simply from the actions of an AI agent that, without proper supervision, undertook activities that disturbed the stability of the entire system.
Nowatkowski also draws attention to the fact that although people make this type of mistake too, by their very nature the scope of their actions is… limited. AI agents deployed carelessly in an organization have no such limits: – We give agents powerful powers, completely bypassing the security processes we apply to humans. The employee has two-factor login and limited working hours. The AI agent often receives a hard-coded password and 24/7 access. If it is “hijacked” or manipulated by a malicious bot, the attacking criminal receives unrestricted access to the interior of our organization.
Cybersecurity experts warn against OpenClaw
This is directly related to a very dangerous and currently hard-to-block phenomenon: so-called prompt injection attacks, which can easily force both chatbots and AI agents to perform operations that harm the victim of the attack.
This is a very big problem which, in the eyes of people who understand how these systems work and deal with cybersecurity, may not disqualify these solutions but does raise serious concerns. When they do use them, they apply a number of additional safeguards, but these guarantee nothing.
Suffice it to say that when asked about OpenClaw, then under a different name, the head of the security department at Google, Heather Adkins, said directly: – Don't use Clawdbot.
Since then, over the last few weeks, a lot has changed in this respect: further system restrictions have been imposed on OpenClaw in subsequent versions, but… it is still very far from perfect. There are also additional environments that somehow “tie its hands” in a situation where an AI agent would be used to cause damage. One such example is NemoClaw, recently created by Nvidia.
Agents built within this solution are still supposed to be able to perform most of the tasks assigned to them, but limited access to key system elements and better protection against external interference are intended to make the whole thing simply safer to use. For all this to function properly, however, Nvidia systems are required, which in itself will be a significant limitation for some entities. At this stage it is obviously too early to assess how NemoClaw works in real conditions and how “safe” it is, but the direction of development is understandable. Agents created within OpenClaw were, are and will be dangerous, and for this technology to develop further, this area needs to improve significantly.
How to safely implement an AI agent in your company?
Łukasz Nowatkowski, asked whether it is possible to actually make this solution safe, indicated four pillars that every organization should strive for when including agents in its structure. These are:
- Dynamic secret management (the agent uses only short-term authorizations that expire automatically after completing a specific task)
- Real-time behavioral surveillance (constantly analyzing the agent's thought process and immediately blocking it in case of detecting anomalies or unauthorized data export attempts)
- Physical Kill-Switch (administrator tools to quickly disconnect the agent from the API without having to interrupt the operation of other company systems)
- Model Context Protocol security (rigorous validation of commands at the interface between the agent and the tools to prevent prompt injection attacks common in this protocol)
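The four pillars above describe controls rather than code, so the following Python sketch is an added example of what they look like when enforced at the boundary between an agent and its tools. It is not OpenClaw, ClawHub or NemoClaw code, and the tool names, scopes, destinations and the signing key are all constructed for the illustration: each task gets a signed, scoped credential with a short TTL (pillar 1); export attempts are counted and an unapproved destination or a burst of exports halts the agent (pillar 2); an administrator-controlled kill switch and per-task revocation stop all further calls without touching anything else (pillar 3); and every tool call is checked against an exact argument schema and allowlist before it reaches the tool (pillar 4).

```python
"""Minimal agent tool gateway enforcing the four pillars from the article.
Added example, not code from OpenClaw or NemoClaw; all names are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Tool registry (constructed): name -> (exact argument names, required scope).
TOOLS = {
    "read_invoice":  ({"invoice_id"}, "invoices:read"),
    "export_report": ({"report_id", "destination"}, "reports:export"),
    "delete_record": ({"table", "record_id"}, "db:delete"),
}
# Constructed allowlist of export targets; anything else is treated as exfiltration.
ALLOWED_DESTINATIONS = {"s3://corp-reports", "sharepoint://finance"}
EXPORT_LIMIT_PER_WINDOW = 3   # more exports than this per window is an anomaly
WINDOW_SECONDS = 60


@dataclass
class TaskCredential:
    """Pillar 1: issued per task, bound to a scope set, expires by itself."""
    task_id: str
    scopes: frozenset
    expires_at: float
    signature: str


class ToolGateway:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.kill_switch = False      # pillar 3: one flag blocks every call
        self._revoked = set()         # pillar 3: per-task revocation
        self._events = []             # pillar 2: (timestamp, tool) history
        self.audit_log = []           # every decision, allowed or not

    def _sign(self, task_id, scopes, expires_at):
        msg = f"{task_id}|{','.join(sorted(scopes))}|{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_credential(self, task_id, scopes, ttl_seconds=300, now=None):
        now = time.time() if now is None else now
        expires_at = now + ttl_seconds
        return TaskCredential(task_id, frozenset(scopes), expires_at,
                              self._sign(task_id, scopes, expires_at))

    def _credential_valid(self, cred, now):
        expected = self._sign(cred.task_id, cred.scopes, cred.expires_at)
        return (hmac.compare_digest(expected, cred.signature)   # not tampered
                and now < cred.expires_at                       # not expired
                and cred.task_id not in self._revoked)          # not revoked

    def revoke_task(self, task_id):
        self._revoked.add(task_id)

    def call_tool(self, cred, tool, args, now=None):
        """Return (allowed, reason) for one tool call; the decision is logged."""
        now = time.time() if now is None else now
        verdict = self._decide(cred, tool, args, now)
        self.audit_log.append((now, cred.task_id, tool, verdict))
        return verdict

    def _decide(self, cred, tool, args, now):
        if self.kill_switch:
            return False, "kill switch engaged"
        if not self._credential_valid(cred, now):
            return False, "credential expired, revoked or forged"
        if tool not in TOOLS:                      # pillar 4: allowlist
            return False, f"unknown tool {tool!r}"
        allowed_args, scope = TOOLS[tool]
        if set(args) != allowed_args:              # pillar 4: exact schema
            return False, "argument set does not match tool schema"
        if not all(isinstance(v, str) and "\n" not in v for v in args.values()):
            return False, "argument must be a single-line string"
        if scope not in cred.scopes:               # least privilege per task
            return False, f"missing scope {scope}"
        if tool == "export_report":
            if args["destination"] not in ALLOWED_DESTINATIONS:
                self.kill_switch = True            # pillar 2: anomaly halts agent
                return False, "export to unapproved destination; agent halted"
            recent = [t for t, name in self._events
                      if name == tool and now - t < WINDOW_SECONDS]
            if len(recent) >= EXPORT_LIMIT_PER_WINDOW:
                self.kill_switch = True
                return False, "export rate anomaly; agent halted"
        self._events.append((now, tool))
        return True, "ok"


if __name__ == "__main__":
    gw = ToolGateway(secrets.token_bytes(32))
    cred = gw.issue_credential("task-1", {"invoices:read"}, ttl_seconds=60)
    print(gw.call_tool(cred, "read_invoice", {"invoice_id": "INV-1"}))
    print(gw.call_tool(cred, "delete_record", {"table": "customers", "record_id": "1"}))
```

Two design choices matter here. The scope check is done per tool call against a credential the agent cannot extend (it is signed by the gateway and carries its own expiry), so even a fully hijacked agent holds at most the rights of the current task for the remaining TTL. And the kill switch is separate from the credentials: flipping it leaves every other system untouched, which is exactly the property the third pillar asks for.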
Implementations that ignore these principles are a huge risk, and Nowatkowski admits directly – it opens the door wide for cybercriminals.
By following these four principles, a company significantly reduces the risk of a disaster caused by an agent malfunction. However, since this risk cannot be completely eliminated when competences are handed over to AI at this stage of the technology's development, many entities – especially those connected with state administration and operating on very sensitive data – completely prohibit the use of this type of tool. This is no coincidence, but rather a sign of responsibility that many businesses currently do not show… for a very simple reason – the potential profits outweigh the risks. The productivity benefits are too great for businesses to give up – Nowatkowski admitted in an interview with Business Insider Polska. When asked what he would advise companies that have already fallen into the agent madness and are introducing AI into their structures, he said directly: – Keep doing it, but fasten your seat belts, prepare your lawyers, because you are treading on thin ice.
He also predicts that the current phenomenon of many companies adopting AI agents may soon bring unpleasant consequences: – Business will soon realize that the cost of downtime caused by a “rogue” or hacked Agent, combined with penalties under NIS2/GDPR, drastically outweighs the profits from this rash automation.
Who is responsible for mistakes made by AI agents?
Liability for the errors that will sooner or later begin to appear in companies already implementing AI agents is a very complex issue… although one already partially regulated by law. When an AI agent makes a mistake and deletes company assets, or gives them away during an attack, who is responsible? The creators of the code? The creator of the plug-in that gave it new skills? The person who implemented the agent in the organization? Since the implementation of the European NIS2 directive in 2022 and the amendment of the Polish Act on the National Cybersecurity System, the law is clear – liability for incidents resulting from the activities of AI agents within the company structure falls entirely on the management board of the entity that implemented the given agent.
If you deploy OpenClaw to serve your customers, then OpenClaw becomes your supply chain. If an agent causes a data leak, the supervisory authorities will consider it gross negligence on the part of the company – explains Łukasz Nowatkowski.
At the same time, he points out that this comes with financial responsibility: – Penalties amount to millions of euros, and in extreme cases, management board members are liable with their personal assets or are banned from holding managerial positions. It's not the algorithm that's going to jail – it's the CEO who allowed its implementation without supervision.