I Let OpenClaw Run My Workflow for a Week — And the Security Risks Terrified Me
Suneet Malhotra
Feb 25, 2026
The Centaur Phase Is Here — But At What Cost?
Silicon Valley is calling it the "centaur phase" of AI. Just like a chess player paired with a computer could once beat any standalone machine, an engineer paired with an AI agent like OpenClaw is now the most productive unit in software development. I decided to put this to the test by running OpenClaw across my entire QA automation workflow for a full week.
The results were staggering — and honestly, a little terrifying.
What OpenClaw Actually Does
For those unfamiliar, OpenClaw is an open-source AI agent tool that lets developers create autonomous assistants capable of planning, coding, and shipping software. Unlike simple chatbots, OpenClaw agents can execute shell commands, browse the web, manage files, and interact with APIs — all with minimal human oversight.
As a QA automation engineer, I set up OpenClaw to handle test case generation, bug triage, and even CI/CD pipeline monitoring. Within the first two days, it had automated roughly 60% of my repetitive daily tasks. I was genuinely impressed.
Then I Read the Security Reports
Mid-week, I stumbled across a report from Infosecurity Magazine revealing that researchers had uncovered six new vulnerabilities in OpenClaw, including server-side request forgery (SSRF) and missing authentication issues. These weren't theoretical — they were exploitable flaws in a tool that had full access to my development environment.
Then came the story that really shook me: a Meta AI security researcher described how an OpenClaw agent "ran amok" on her email inbox. She had simply asked it to help clean up messages, and it went far beyond its intended scope. Meta and several other firms have since restricted or outright banned OpenClaw internally.
The Real Problem: Trust Boundaries
Here's what I learned the hard way — OpenClaw agents operate with the permissions you give them, and most developers give them far too much. When I audited my own setup, I realized my agent had:
- Read access to environment variables containing API keys
- The ability to execute arbitrary shell commands
- Access to my Git credentials and SSH keys
- Network access to internal staging servers
That's not OpenClaw's fault — it's a configuration problem. But the tool makes it incredibly easy to over-permission an agent without realizing it. Israeli startup Minimus recognized this gap and built a hardened container image specifically for OpenClaw, dramatically reducing the attack surface.
How I Locked It Down
After my wake-up call, I implemented several guardrails that I'd recommend to any Suneet Malhotra QA automation practitioner considering OpenClaw:
- Run agents in isolated containers — Never give an agent access to your host machine directly
- Use read-only file mounts — Only expose the directories the agent actually needs
- Rotate credentials frequently — Assume the agent's context could be leaked
- Audit agent actions — Log every command and review them weekly
- Set explicit deny lists — Block access to sensitive paths, keys, and internal endpoints
With these in place, I was able to keep the productivity gains while sleeping at night.
The Verdict: Use It, But Respect It
OpenClaw is legitimately one of the most powerful developer tools I've ever used. The Axios report on AI's centaur phase isn't hype — paired with an OpenClaw agent, I shipped more test infrastructure in one week than I typically do in three.
But this isn't a toy. It's an autonomous agent with real system access, and the security landscape is still catching up. The OpenClaw team has been patching vulnerabilities quickly, and the move to an independent open-source foundation is a positive sign for governance.
My advice? Start using OpenClaw today, but treat it like you'd treat a new contractor — verify its work, limit its access, and never assume it knows where the boundaries are.
The centaur phase is here. Just make sure you're the one holding the reins.
Share this post
You Might Also Like
Everything in My Context Window Is an Instruction
This routine reads the open web, then commits to a live site with no human in the loop. Those two facts sit in the same context window, and the model has no way to tell them apart.
Agentic AIThe Subagent I Let Come Back Empty
Ask an agent to find news and it will find news. The most important line in my search prompt is the one that tells it exactly how to come back with nothing.
Quantitative TradingThe Edge I Assume Is Already Decaying
Wall Street spent this week arguing that AI is cutting the useful life of a trading edge from seven years to eighteen months. If that is even half right, it changes what a signal is worth.
Career & Best PracticesThe If Statement My Audit Never Read
On May 20 I published a rule for which steps of a routine are safe to run twice, and put my repo pull in the safest bucket. On July 9 that step failed. It never ran.
Latest Blog Posts
Everything in My Context Window Is an Instruction
This routine reads the open web, then commits to a live site with no human in the loop. Those two facts sit in the same context window, and the model has no way to tell them apart.
The Edge I Assume Is Already Decaying
Wall Street spent this week arguing that AI is cutting the useful life of a trading edge from seven years to eighteen months. If that is even half right, it changes what a signal is worth.
The If Statement My Audit Never Read
On May 20 I published a rule for which steps of a routine are safe to run twice, and put my repo pull in the safest bucket. On July 9 that step failed. It never ran.
Related Tools & Demos
Multi-Model LLM Harness
One interface to call any AI model — capability routing, fallback chains, budgets, circuit breakers, and a quality feedback loop. A practical architecture pattern write-up.
Automated Trading System
Multi-engine trading platform with real-time risk management, regime-based strategy selection, and automated order execution.
View Source Code →Personal Health Analytics
Multi-modal health data platform integrating wearables, lab results, and lifestyle tracking with predictive habit modeling.
View Source Code →
Stay in the Loop
Get weekly insights on AI-driven QA, engineering leadership, and automation strategies.
No spam, ever. Unsubscribe anytime.