- OpenClaw can silently perform dangerous actions while holding full-access credentials
- Persistent tokens allow subtle manipulations to remain undetected across multiple sessions
- Running OpenClaw on standard workstations exposes critical data to invisible risks
Microsoft security researchers have warned that OpenClaw should not run on ordinary personal or corporate workstations.
A new Microsoft Security blog post explains that the risk stems from how the runtime works: it mixes untrusted instructions with executable code while using valid credentials.
This combination changes the traditional security boundary in ways that most desktop environments are not built to handle.
What is OpenClaw
OpenClaw is a self-hosted AI agent runtime built to perform tasks for individuals or teams. It is not limited to answering questions.
To function fully, users grant it broad software access, including online services, email accounts, login tokens, and local files.
Once connected, it can browse repositories, send messages, edit documents, call APIs and automate workflows across SaaS platforms and internal systems.
It can also download and install external skills from public sources, and these skills extend what the agent can do.
The runtime maintains persistent tokens and stored state so that it can continue to function across sessions without repeated authentication.
When software can install new features, process unpredictable inputs, and act on stored credentials, the device hosting it becomes part of an ongoing automation loop.
The concern is not simply that OpenClaw runs code. Many applications execute code securely every day – the difference here is that OpenClaw can retrieve third-party functions while processing instructions that may contain covert manipulation.
This brings together both code supply and instruction supply risks in one environment, and unlike conventional software, OpenClaw can change its working state over time.
Its stored memory, configuration settings, and installed extensions may be affected by the content it reads.
In a lightly controlled environment, this could lead to credential exposure, data leakage, or subtle configuration changes that persist.
These results do not require obvious malware; they can occur through normal API calls made with legitimate permissions.
Microsoft notes that persistence can look like quiet configuration drift rather than visible compromise.
An OAuth consent authorization or a scheduled task can extend access without immediate warning signs.
Standard endpoint protection and a properly configured firewall reduce some threats, yet they do not automatically block logic that uses authenticated credentials.
“OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or corporate workstation…” the company said in a blog post.
For organizations still planning to test OpenClaw, Microsoft recommends strict isolation.
The runtime must operate inside a dedicated virtual machine or on a separate device that is not associated with any primary work accounts.
Credentials should be restricted, purpose-built and rotated regularly, while continuous monitoring through Microsoft Defender XDR or similar tools is advised to detect unusual activity.
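To make the "quiet configuration drift" point concrete, here is an added example (not code from Microsoft or the OpenClaw project) that compares a reviewed baseline of an agent's state with a later inventory and flags the changes the article describes: new skills, wider OAuth scopes, new scheduled tasks and altered settings. The `Snapshot` layout, field names and sample values are assumptions constructed for illustration; how the inventory is exported from the isolated VM is left to the operator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Hypothetical inventory of agent state; layout is an assumption."""
    skills: dict          # skill name -> content hash
    oauth_scopes: dict    # connected service -> set of granted scopes
    scheduled_tasks: set  # task names present on the host VM
    config: dict          # runtime settings

def diff_snapshots(baseline, current):
    """Return (kind, detail) findings for changes that extend or alter access."""
    findings = []
    for name in sorted(current.skills):
        if name not in baseline.skills:
            findings.append(("skill_added", name))
        elif baseline.skills[name] != current.skills[name]:
            findings.append(("skill_changed", name))
    for service in sorted(current.oauth_scopes):
        granted = set(current.oauth_scopes[service])
        approved = set(baseline.oauth_scopes.get(service, ()))
        for scope in sorted(granted - approved):
            findings.append(("oauth_scope_added", f"{service}:{scope}"))
    for task in sorted(set(current.scheduled_tasks) - set(baseline.scheduled_tasks)):
        findings.append(("scheduled_task_added", task))
    for key in sorted(set(baseline.config) | set(current.config)):
        if baseline.config.get(key) != current.config.get(key):
            findings.append(("config_changed", key))
    return findings

# Constructed sample data: a reviewed baseline and a later inventory.
BASELINE = Snapshot(
    skills={"calendar-sync": "sha256:aaa"},
    oauth_scopes={"mail": {"read"}},
    scheduled_tasks={"agent-heartbeat"},
    config={"auto_install_skills": False},
)
CURRENT = Snapshot(
    skills={"calendar-sync": "sha256:aaa", "pdf-helper": "sha256:bbb"},
    oauth_scopes={"mail": {"read", "send"}},
    scheduled_tasks={"agent-heartbeat", "nightly-export"},
    config={"auto_install_skills": True},
)

if __name__ == "__main__":
    for kind, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"{kind}: {detail}")
```

None of these findings involves malware on disk, which is why each one needs review against what the operator actually approved.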



