SINGAPORE: OpenClaw users should avoid deploying its open-source form in systems that are essential for an organisation’s function, the Infocomm Media Development Authority (IMDA) said in an advisory on Thursday (May 14).
Given its experimental nature, deploying OpenClaw in systems that handle sensitive data could lead to errors with serious consequences, it said.
Users should also avoid creating a single “all-powerful” OpenClaw agent with unrestricted access, and instead use multiple AI agents with narrow and clearly defined roles.
Here’s what you need to know about the risks associated with OpenClaw and how it can be used safely.
Show More Show Less
OpenClaw is an AI agent. Unlike large language models such as ChatGPT and Claude that mainly answer questions, AI agents are designed to carry out tasks.
With permission from the user, these agents can open applications, search for information, generate documents and complete multi-step processes with little supervision.
It can automate everyday tasks – compiling research from multiple websites, drafting reports or emails, and coordinating schedules.
For example, businesses can monitor a dashboard and create reports, or respond to customer enquiries on messaging platforms.
OpenClaw was created by Austrian developer Peter Steinberger. Since it was released in November 2025, it has exploded in popularity.
One factor contributing to this is OpenClaw’s ease of use out of the box, IMDA said in its report.
The AI agent’s ability to access files and systems, integrate with messaging platforms and develop skills, make it highly attractive as a productivity assistant, it added.
These AI agents are basically what sci-fi movies have imagined AI personal assistants could be throughout the past century, said Mr Jacob Chen, the technical team lead at the Singapore University of Technology and Design (SUTD) Academy’s digital capabilities centre.
Referencing Jarvis, who features as Iron Man’s virtual personal assistant in the movies, he noted that most people install OpenClaw on a spare computer and connect it to a large language model like ChatGPT or Claude.
What makes OpenClaw powerful is not its ability to carry out tasks, but its ability to figure out how to do things it previously could not – or build its own skills, said Mr Chen.
For example, a default version of OpenClaw would not be able to process videos because large language models cannot process videos directly.
However, if a user sends OpenClaw a video, it could figure out how to extract screenshots from the video to analyse them, or extract the audio and transcribe it, without the user having to give specific instructions.
OpenClaw originated as a hobbyist, vibe-coding project, which did not undergo extensive security testing before it was released, said IMDA.
It was launched with limited security controls – while many of the vulnerabilities have been patched in updated versions, new ones are still frequently being surfaced.
By default, OpenClaw inherits the privileges of the user account that installs it.
The agent can access files anywhere on the computer where it is installed, unless sandboxing is turned on, said IMDA.
Sandboxing is a cybersecurity practice that creates an isolated and secure environment to run, test, or analyse untrusted programs.
If the AI agent is compromised, the attacker may have access to everything the user has access to.
For example, if it is connected to shared programmes or apps like Slack, it may accept instructions from any participant in the channel without additional authentication, including from potential bad actors.
Since it relies on an external AI model for reasoning and planning, everything OpenClaw has access to may be used by these models as context, and sensitive data may be shared without the user’s knowledge.
Its use of long-term memory, which is what allows it to be an effective personal assistant, increases the risk of accidental data exposure, said IMDA.
Storing this memory helps it to identify the user’s preferences and maintain the context of the work that it has done, which makes it more effective and personalised.
But attackers can exploit this – instructions embedded in the agent’s memory, possibly through external content such as emails, web pages or documents, can manipulate its behaviour.
Known as memory poisoning, attackers can add inputs in fragments over time. The agent stores these fragments in its long-term memory, and they later combine into a harmful set of instructions.
In practical terms, a user could think the agent is just preparing a report. But it could also be following hidden instructions embedded earlier through emails, webpages or documents, said Associate Professor Goh Weihan with the Singapore Institute of Technology (SIT).
OpenClaw can also learn skills from external sources, and these skills are often made by other users and do not undergo rigorous vetting, which opens up further risks.
Applying this to practical uses, an individual may, for example, allow OpenClaw access to their personal email inbox.
If their agent is compromised, then the information in their personal email accounts is also not safe.
In order to automate tasks, the agent knows everything about you, which allows it to give very smart answers.
“But the thing is, that very thing also makes it very dangerous, because now it has access to all the context of what you do in your daily life. There's a lot of compromising information that it can give,” said Mr Chen.
An AI agent that has access to a person’s emails already knows who they are in contact with. It could impersonate them or reveal information about those they are in contact with, he added.
Even if an individual only uses OpenClaw as a personal assistant, this access could still reveal that the individual works for a certain company. It could lead to a chain of events that compromises the larger organisation.
Since OpenClaw has become so popular, many people are trying to break the application and exploit it, said Mr Chen.
“It’s just too viral for its own good at this moment right now,” he added.
What sets agentic AI systems apart is that they can move from giving suggestions to performing actions, said SIT's Assoc Prof Goh.
"Your normal AI chatbot may give a poor answer, and that's pretty much the end of it. An AI agent, with access to emails, files, code repositories, or cloud systems, may act on that answer," he added.
Any unintended errors or malicious instructions can have a much larger, real-world impact, beyond just a bad answer, said Assoc Prof Goh, citing the incident where a Meta AI security researcher had her entire email inbox deleted by OpenClaw in February.
The AI agent seemingly bypassed safety instructions to ask for permission, ignored stop commands and deleted hundreds of emails, he added.
To use OpenClaw safely, IMDA advised that people avoid deploying it in its open-source form in mission-critical environments – a stance that experts also agreed with.
Mission-critical typically refers to a system, process or asset that is absolutely essential to an organisation’s core operations. If they are affected, business operations would immediately stop, resulting in severe consequences.
OpenClaw’s configurations are permissive by default, and IMDA stressed that users should only use trusted skills and sources.
IMDA also advised users against creating an “all-powerful” agent with unrestricted access and to avoid installing it on personal devices that contain sensitive data.
The agent’s access to files and applications should be limited to the specific files and applications that it needs to perform its tasks, and the actions that it can perform within each application should also be restricted.
Users should identify checkpoints where the AI agent needs human approval. This could include financial transactions, executing code, deleting critical data or sending external communications on behalf of an organisation.
OpenClaw highlights how rapidly autonomous AI tools are advancing, said IMDA, adding that they offer significant benefits but also pose real risks if used carelessly.
“The aim is not to avoid them, but to use autonomous agents with clear limits, accountability, and safeguards.”
Users should remember that OpenClaw still uses large language models built by providers like OpenAI and Anthropic, said Mr Chen.
“They say that they don’t use your data for training, and they have privacy policies, but there is no 100 per cent guarantee that they themselves will not be compromised or they themselves are not using the data for anything,” he added.
In teaching his students, he reminds them to treat OpenClaw as a personal assistant or an intern.
Users should start with slow and simple tasks that have low stakes and are easy to verify, said Mr Chen.
“When you get more confident with what you can do, understand its quirks, then you can kind of give it more things to do,” he added.
He stressed that users should always be in the loop on what the agent is doing or producing.
For example, the agent should not be reading your inbox or sending messages, said Mr Chen.
Instead of connecting the agent to a personal email inbox, selecting and sending the information to OpenClaw is a better practice, although this reduces convenience and automation.
Users should avoid giving OpenClaw authority to take irreversible actions, said SIT's Assoc Prof Goh.
For example, a user may allow OpenClaw to draft an email, but the human user should always be the one reviewing and sending it.
Users may also allow OpenClaw to suggest how to clean up a folder, but it should never be allowed to delete files without the users' approval, he added.
Continue reading...
Given its experimental nature, deploying OpenClaw in systems that handle sensitive data could lead to errors with serious consequences, it said.
Users should also avoid creating a single “all-powerful” OpenClaw agent with unrestricted access, and instead use multiple AI agents with narrow and clearly defined roles.
Here’s what you need to know about the risks associated with OpenClaw and how it can be used safely.
WHAT IS OPENCLAW?
CNA GamesShow More Show Less
OpenClaw is an AI agent. Unlike large language models such as ChatGPT and Claude that mainly answer questions, AI agents are designed to carry out tasks.
With permission from the user, these agents can open applications, search for information, generate documents and complete multi-step processes with little supervision.
It can automate everyday tasks – compiling research from multiple websites, drafting reports or emails, and coordinating schedules.
For example, businesses can monitor a dashboard and create reports, or respond to customer enquiries on messaging platforms.
OpenClaw was created by Austrian developer Peter Steinberger. Since it was released in November 2025, it has exploded in popularity.
One factor contributing to this is OpenClaw’s ease of use out of the box, IMDA said in its report.
The AI agent’s ability to access files and systems, integrate with messaging platforms and develop skills, make it highly attractive as a productivity assistant, it added.
These AI agents are basically what sci-fi movies have imagined AI personal assistants could be throughout the past century, said Mr Jacob Chen, the technical team lead at the Singapore University of Technology and Design (SUTD) Academy’s digital capabilities centre.
Referencing Jarvis, who features as Iron Man’s virtual personal assistant in the movies, he noted that most people install OpenClaw on a spare computer and connect it to a large language model like ChatGPT or Claude.
What makes OpenClaw powerful is not its ability to carry out tasks, but its ability to figure out how to do things it previously could not – or build its own skills, said Mr Chen.
For example, a default version of OpenClaw would not be able to process videos because large language models cannot process videos directly.
However, if a user sends OpenClaw a video, it could figure out how to extract screenshots from the video to analyse them, or extract the audio and transcribe it, without the user having to give specific instructions.
Also read:
WHAT ARE THE RISKS?
OpenClaw originated as a hobbyist, vibe-coding project, which did not undergo extensive security testing before it was released, said IMDA.
It was launched with limited security controls – while many of the vulnerabilities have been patched in updated versions, new ones are still frequently being surfaced.
By default, OpenClaw inherits the privileges of the user account that installs it.
The agent can access files anywhere on the computer where it is installed, unless sandboxing is turned on, said IMDA.
Sandboxing is a cybersecurity practice that creates an isolated and secure environment to run, test, or analyse untrusted programs.
If the AI agent is compromised, the attacker may have access to everything the user has access to.
For example, if it is connected to shared programmes or apps like Slack, it may accept instructions from any participant in the channel without additional authentication, including from potential bad actors.
Since it relies on an external AI model for reasoning and planning, everything OpenClaw has access to may be used by these models as context, and sensitive data may be shared without the user’s knowledge.
Its use of long-term memory, which is what allows it to be an effective personal assistant, increases the risk of accidental data exposure, said IMDA.
Storing this memory helps it to identify the user’s preferences and maintain the context of the work that it has done, which makes it more effective and personalised.
But attackers can exploit this – instructions embedded in the agent’s memory, possibly through external content such as emails, web pages or documents, can manipulate its behaviour.
Known as memory poisoning, attackers can add inputs in fragments over time. The agent stores these fragments in its long-term memory, and they later combine into a harmful set of instructions.
In practical terms, a user could think the agent is just preparing a report. But it could also be following hidden instructions embedded earlier through emails, webpages or documents, said Associate Professor Goh Weihan with the Singapore Institute of Technology (SIT).
OpenClaw can also learn skills from external sources, and these skills are often made by other users and do not undergo rigorous vetting, which opens up further risks.
Applying this to practical uses, an individual may, for example, allow OpenClaw access to their personal email inbox.
If their agent is compromised, then the information in their personal email accounts is also not safe.
In order to automate tasks, the agent knows everything about you, which allows it to give very smart answers.
“But the thing is, that very thing also makes it very dangerous, because now it has access to all the context of what you do in your daily life. There's a lot of compromising information that it can give,” said Mr Chen.
An AI agent that has access to a person’s emails already knows who they are in contact with. It could impersonate them or reveal information about those they are in contact with, he added.
Even if an individual only uses OpenClaw as a personal assistant, this access could still reveal that the individual works for a certain company. It could lead to a chain of events that compromises the larger organisation.
Since OpenClaw has become so popular, many people are trying to break the application and exploit it, said Mr Chen.
“It’s just too viral for its own good at this moment right now,” he added.
What sets agentic AI systems apart is that they can move from giving suggestions to performing actions, said SIT's Assoc Prof Goh.
"Your normal AI chatbot may give a poor answer, and that's pretty much the end of it. An AI agent, with access to emails, files, code repositories, or cloud systems, may act on that answer," he added.
Any unintended errors or malicious instructions can have a much larger, real-world impact, beyond just a bad answer, said Assoc Prof Goh, citing the incident where a Meta AI security researcher had her entire email inbox deleted by OpenClaw in February.
The AI agent seemingly bypassed safety instructions to ask for permission, ignored stop commands and deleted hundreds of emails, he added.
Also read:
USING IT SAFELY
To use OpenClaw safely, IMDA advised that people avoid deploying it in its open-source form in mission-critical environments – a stance that experts also agreed with.
Mission-critical typically refers to a system, process or asset that is absolutely essential to an organisation’s core operations. If they are affected, business operations would immediately stop, resulting in severe consequences.
OpenClaw’s configurations are permissive by default, and IMDA stressed that users should only use trusted skills and sources.
IMDA also advised users against creating an “all-powerful” agent with unrestricted access and to avoid installing it on personal devices that contain sensitive data.
The agent’s access to files and applications should be limited to the specific files and applications that it needs to perform its tasks, and the actions that it can perform within each application should also be restricted.
Users should identify checkpoints where the AI agent needs human approval. This could include financial transactions, executing code, deleting critical data or sending external communications on behalf of an organisation.
OpenClaw highlights how rapidly autonomous AI tools are advancing, said IMDA, adding that they offer significant benefits but also pose real risks if used carelessly.
“The aim is not to avoid them, but to use autonomous agents with clear limits, accountability, and safeguards.”
Users should remember that OpenClaw still uses large language models built by providers like OpenAI and Anthropic, said Mr Chen.
“They say that they don’t use your data for training, and they have privacy policies, but there is no 100 per cent guarantee that they themselves will not be compromised or they themselves are not using the data for anything,” he added.
Listen:
In teaching his students, he reminds them to treat OpenClaw as a personal assistant or an intern.
Users should start with slow and simple tasks that have low stakes and are easy to verify, said Mr Chen.
“When you get more confident with what you can do, understand its quirks, then you can kind of give it more things to do,” he added.
He stressed that users should always be in the loop on what the agent is doing or producing.
For example, the agent should not be reading your inbox or sending messages, said Mr Chen.
Instead of connecting the agent to a personal email inbox, selecting and sending the information to OpenClaw is a better practice, although this reduces convenience and automation.
Users should avoid giving OpenClaw authority to take irreversible actions, said SIT's Assoc Prof Goh.
For example, a user may allow OpenClaw to draft an email, but the human user should always be the one reviewing and sending it.
Users may also allow OpenClaw to suggest how to clean up a folder, but it should never be allowed to delete files without the users' approval, he added.
Continue reading...