OWASP and OpenClaw: why AI agents are becoming a new security problem
AI agents are becoming not only more useful, but also more dangerous: they can now do more than just respond — they can send emails, call APIs, and change…
AI-processed from KDnuggets; edited by Hamidun News
AI-agents are rapidly transitioning from "smart chat" mode to autonomous action mode, and this is exactly what transforms them into a new class of risks for companies. This review examines why the main problem is no longer in the model's responses, but in which systems the agent gets access to and what it can do without a human.
Why risks are growing Until recently, most LLM tools were limited to text exchanges with users.
Now agentic systems can plan steps, call external tools, work with corporate APIs, send emails, modify database records, and interact with internal platforms. Once a model gains the right not only to advise but also to act, the standard cybersecurity loop begins to crack: an error, instruction substitution, or excessive permission no longer leads to a strange response, but to a real action in production. A separate issue is the shadow deployment of such tools within companies.
The author cites OpenClaw as an example—an open-source self-hosted agent for managing personal and work accounts. According to reports from early 2026, thousands of its instances turned out to be accessible from the internet without proper authentication. This is an illustrative scenario: an employee installs a convenient agentic tool "to speed up work," and the IT department only learns about it after an incident.
The threat does not arise from the fact of using AI itself, but from the lack of control over where the agent is deployed and what permissions it received.
Four weak spots
The problem with agentic systems rarely comes down to a single vulnerability or a single failed prompt. The risk consists of several layers at once: unauthorized deployment in the company, dependency on external modules, new attack techniques against the agent, and weak monitoring of what it does between steps. In the article, these vulnerabilities are collected into four basic groups that are already beginning to define the practical security agenda for agentic software.
Shadow AI and excessive freedom. An agent operating outside company policy quickly gains broader access than it actually needs. **Supply chain risks.
Plugins, skills, and extensions can masquerade as useful integrations and then execute remote code, steal data, or install malware. New attack vectors.* OWASP already counts agent goal hijack as a notable threat—a situation where an attacker substitutes the agent's goal with hidden instructions through web content or external data.
* Memory and error accumulation. If an agent stores short-term and long-term memory between sessions, malicious or false data can be introduced into it, which will then distort decisions. The problems don't end there.
When multiple agents and services are connected to each other, an attack unfolds at machine speed rather than human pace. The author particularly emphasizes the lack of circuit breakers—mechanisms that can detect suspicious behavior at runtime and automatically stop the process. Perimeter defense is no longer enough: if an agent starts executing a malicious chain of actions inside a trusted network, ordinary firewalls are almost useless.
How protection should change
The main conclusion of the article sounds harsh: an agent cannot be protected the same way as a chatbot or ordinary SaaS integration. Companies need runtime observability—understanding which tools the agent calls, what data it reads, what actions it tries to perform, and what path it took to reach a decision. This is no longer about theory, but about practical operational discipline. Without this, investigating incidents is almost impossible, and therefore, it's impossible to properly limit risks.
"You cannot protect what you cannot see."
The practical minimum looks like this: give agents only necessary privileges, treat them as separate digital identities, label trust levels, log all API calls, and have an emergency stop button. This doesn't make agentic systems safe by default, but it moves them from the category of "unmanaged experiment" to the category of a controlled tool. Otherwise, companies will get not an assistant for automation, but an opaque process with access to critical systems.
What this means AI-agents don't have to become a "security nightmare,"
but the market has already moved past the stage where you can get by with prompt filtering and basic access policies. For business, the question is no longer whether to use agents or not, but how quickly to integrate separate identification, monitoring, and emergency shutdown rules for them.
Want to stop reading about AI and start using it?
AI News is a curated feed of AI/tech news. Hamidun Academy teaches you to use AI systematically in your work.
The AI world, distilled — once a week
Seven stories that actually mattered, hand-picked. No noise, no reposts, no press releases.
Done! Check your inbox for a confirmation.