OpenClaw has 500,000 instances and no enterprise kill switch

In an exclusive interview with VentureBeat at RSAC 2026, Etay Maor, VP of Threat Intelligence at Cato Networks, made a bold statement: “Your AI? It’s my AI now.” The line captures the unsettling reality faced by a U.K. CEO whose OpenClaw instance was put up for sale on BreachForums. Maor highlighted that the industry has granted AI agents a level of autonomy that would never be given to a human employee, disregarding fundamental security principles such as zero trust, least privilege, and assume-breach.

The incident came to light three weeks before Maor’s interview, when a threat actor known as “fluffyduck” posted a listing on BreachForums offering root shell access to the CEO’s computer for $25,000 in Monero or Litecoin. However, the real prize was the CEO’s OpenClaw AI personal assistant, which contained sensitive information including conversations, production database, API keys, and personal details. This exposed a major flaw in the security of OpenClaw instances: the data was stored in plain-text Markdown files without encryption.

When the breach was discovered, there was a glaring lack of enterprise controls: no native kill switch, no management console, and no inventory of active instances. OpenClaw’s direct access to the host machine’s resources posed a significant threat, and the absence of a centralized patching mechanism compounded the security risks.

The Scale of the Threat Surface

| Metric | Number | Source |
|---|---|---|
| Internet-facing instances | ~500,000 (March 24 live check) | Etay Maor, Cato Networks |
| Exposed instances with security risks | 30,000+ observed during scan window | Bitsight |
| Exploitable via known RCE | 15,200 instances | SecurityScorecard |
| High-severity CVEs | 3 (highest CVSS: 8.8) | NVD (24763, 25157, 25253) |
| Malicious skills on ClawHub | 341 in Koi audit (335 from ClawHavoc); 824 by mid-Feb | Koi |
| ClawHub skills with critical flaws | 13.4% of 3,984 analyzed | Snyk |
| API tokens exposed (Moltbook) | 1.5 million | Wiz |

During the interview, Maor conducted a live check using Censys, revealing a rapid increase in the number of instances, emphasizing the urgent need for security measures. Three high-severity CVEs pose significant risks, highlighting the importance of patching vulnerable instances.

The security landscape is further complicated by the proliferation of AI applications, with CrowdStrike’s Falcon sensors detecting over 1,800 distinct AI applications. Malicious skills like ClawHavoc present a new challenge, underscoring the need for robust security measures.

Addressing the Security Gap

Cisco and Palo Alto Networks have taken proactive steps to address the security implications of AI agents like OpenClaw. Cisco’s DefenseClaw framework and AI Defense Explorer Edition offer essential security features to protect against potential threats. Palo Alto Networks’ Prisma AIRS 3.0 introduces stringent security measures to safeguard against malicious skills and vulnerabilities.

Moreover, Cato Networks’ threat intelligence arm, Cato CTRL, has provided valuable insights through the 2026 Cato CTRL Threat Report, offering a practical perspective on the challenges posed by AI agents.

Key Recommendations for Action

Implementing key controls such as isolating OpenClaw instances, enforcing application allowlisting, and conducting regular audits of installed skills are crucial steps to enhance security. Additionally, organizations should prioritize the identification and removal of ghost agents to mitigate potential risks.

By deploying tools like DefenseClaw and conducting red-team exercises, organizations can bolster their defenses against evolving threats posed by AI agents. The OWASP Agentic Skills Top 10 framework serves as a valuable guide for evaluating and mitigating risks in AI ecosystems.

As the security landscape continues to evolve, organizations must remain vigilant and proactive in securing their AI environments to prevent potential breaches and data compromises.