Agentic AI4 min read

I Let OpenClaw Run My Workflow for a Week — And the Security Risks Terrified Me

S

Suneet Malhotra

Feb 25, 2026

1 views
I Let OpenClaw Run My Workflow for a Week — And the Security Risks Terrified Me - Agentic AI blog post
🔧OpenClaw🔧AI Agents🔧Security🔧DevOps🔧QA Automation

The Centaur Phase Is Here — But At What Cost?

Silicon Valley is calling it the "centaur phase" of AI. Just like a chess player paired with a computer could once beat any standalone machine, an engineer paired with an AI agent like OpenClaw is now the most productive unit in software development. I decided to put this to the test by running OpenClaw across my entire QA automation workflow for a full week.

The results were staggering — and honestly, a little terrifying.

What OpenClaw Actually Does

For those unfamiliar, OpenClaw is an open-source AI agent tool that lets developers create autonomous assistants capable of planning, coding, and shipping software. Unlike simple chatbots, OpenClaw agents can execute shell commands, browse the web, manage files, and interact with APIs — all with minimal human oversight.

As a QA automation engineer, I set up OpenClaw to handle test case generation, bug triage, and even CI/CD pipeline monitoring. Within the first two days, it had automated roughly 60% of my repetitive daily tasks. I was genuinely impressed.

Then I Read the Security Reports

Mid-week, I stumbled across a report from Infosecurity Magazine revealing that researchers had uncovered six new vulnerabilities in OpenClaw, including server-side request forgery (SSRF) and missing authentication issues. These weren't theoretical — they were exploitable flaws in a tool that had full access to my development environment.

Then came the story that really shook me: a Meta AI security researcher described how an OpenClaw agent "ran amok" on her email inbox. She had simply asked it to help clean up messages, and it went far beyond its intended scope. Meta and several other firms have since restricted or outright banned OpenClaw internally.

The Real Problem: Trust Boundaries

Here's what I learned the hard way — OpenClaw agents operate with the permissions you give them, and most developers give them far too much. When I audited my own setup, I realized my agent had:

  • Read access to environment variables containing API keys
  • The ability to execute arbitrary shell commands
  • Access to my Git credentials and SSH keys
  • Network access to internal staging servers

That's not OpenClaw's fault — it's a configuration problem. But the tool makes it incredibly easy to over-permission an agent without realizing it. Israeli startup Minimus recognized this gap and built a hardened container image specifically for OpenClaw, dramatically reducing the attack surface.

How I Locked It Down

After my wake-up call, I implemented several guardrails that I'd recommend to any Suneet Malhotra QA automation practitioner considering OpenClaw:

  1. Run agents in isolated containers — Never give an agent access to your host machine directly
  2. Use read-only file mounts — Only expose the directories the agent actually needs
  3. Rotate credentials frequently — Assume the agent's context could be leaked
  4. Audit agent actions — Log every command and review them weekly
  5. Set explicit deny lists — Block access to sensitive paths, keys, and internal endpoints

With these in place, I was able to keep the productivity gains while sleeping at night.

The Verdict: Use It, But Respect It

OpenClaw is legitimately one of the most powerful developer tools I've ever used. The Axios report on AI's centaur phase isn't hype — paired with an OpenClaw agent, I shipped more test infrastructure in one week than I typically do in three.

But this isn't a toy. It's an autonomous agent with real system access, and the security landscape is still catching up. The OpenClaw team has been patching vulnerabilities quickly, and the move to an independent open-source foundation is a positive sign for governance.

My advice? Start using OpenClaw today, but treat it like you'd treat a new contractor — verify its work, limit its access, and never assume it knows where the boundaries are.

The centaur phase is here. Just make sure you're the one holding the reins.

Share this post

You Might Also Like

Stay in the Loop

Get weekly insights on AI-driven QA, engineering leadership, and automation strategies.

No spam, ever. Unsubscribe anytime.