- OpenClaw can silently execute dangerous actions while maintaining full access credentials
- Persistent tokens allow subtle manipulations to go unnoticed across multiple sessions
- Running OpenClaw on standard workstations exposes critical data to invisible risks
Microsoft security researchers have warned that OpenClaw should not run on typical personal or enterprise workstations.
A new Microsoft security blog post explains that the risk stems from how the runtime operates: it combines untrusted instructions with executable code while using valid credentials.
That combination disrupts traditional security boundaries in ways that most desktop environments are not designed to handle.
What is OpenClaw?
OpenClaw is a self-hosted AI agent runtime built to perform tasks for individuals or teams. It is not limited to answering questions.
To function fully, it needs users to grant the software broad access, including to online services, email accounts, login tokens, and local files.
Once connected, it can browse repositories, send messages, edit documents, call APIs, and automate workflows across SaaS platforms and internal systems.
It can also download and install external skills from public sources, and these skills expand what the agent can do.
The runtime maintains persistent tokens and stored state, allowing it to continue operating between sessions without repeated authentication.
When software can install new capabilities, process unpredictable inputs, and act on saved credentials, the device hosting it becomes part of a continuous automation cycle.
The concern is not simply that OpenClaw executes code. Many applications run code safely every day. The difference here is that OpenClaw can retrieve third-party capabilities while processing instructions that may contain hidden manipulation.
This brings together the risks of code delivery and instruction delivery in one environment, and unlike conventional software, OpenClaw can change its operating state over time.
Its stored memory, configuration settings, and installed extensions may be influenced by the content it reads.
In a loosely controlled environment, this can lead to credential exposure, data leakage, or subtle configuration changes that persist.
These results do not require obvious malware; they can occur through normal API calls made with legitimate permissions.
Microsoft notes that persistence may appear as a silent drift in configuration rather than a visible compromise.
An OAuth consent approval or scheduled task can expand access without immediate warning signs.
Standard endpoint protection and a properly configured firewall reduce certain threats, but do not automatically block logic that uses approved credentials.
“OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run it on a standard personal or enterprise workstation…” the company said in a blog post.
For organizations still planning to test OpenClaw, Microsoft recommends strict isolation.
The runtime must run within a dedicated virtual machine or standalone device with no primary worker accounts attached.
Credentials should be limited, specifically designed, and rotated periodically, while continuous monitoring through Microsoft Defender XDR or similar tools is recommended to detect unusual activity.
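The silent drift described above (a newly installed skill, a widened OAuth consent, a new scheduled task) can be caught by comparing the agent host's state against an approved baseline. The sketch below is an added example, not code from Microsoft or OpenClaw; the snapshot layout, function name, and all sample values are hypothetical and constructed for illustration.

```python
# Added example: the snapshot format and every name here are hypothetical,
# not OpenClaw's or Microsoft's own schema.

def diff_snapshots(baseline, current):
    """Return (kind, detail) findings for state that changed since baseline."""
    findings = []
    base_skills = baseline.get("skills", {})
    base_grants = baseline.get("oauth_grants", {})
    # Skills: new installs, and in-place changes to an already approved skill.
    for name, digest in current.get("skills", {}).items():
        if name not in base_skills:
            findings.append(("new_skill", name))
        elif base_skills[name] != digest:
            findings.append(("skill_modified", name))
    # OAuth grants: a new app, or extra scopes on an existing consent.
    for app, scopes in current.get("oauth_grants", {}).items():
        if app not in base_grants:
            findings.append(("new_oauth_grant", f"{app}: {', '.join(sorted(scopes))}"))
            continue
        added = sorted(set(scopes) - set(base_grants[app]))
        if added:
            findings.append(("oauth_scope_expanded", f"{app}: +{', '.join(added)}"))
    # Scheduled tasks: anything absent from the approved baseline.
    new_tasks = set(current.get("scheduled_tasks", [])) - set(baseline.get("scheduled_tasks", []))
    for task in sorted(new_tasks):
        findings.append(("new_scheduled_task", task))
    return findings

# Constructed sample data: approved state vs. state observed later.
BASELINE = {
    "skills": {"calendar-sync": "sha256:aaaa"},
    "oauth_grants": {"mail-connector": ["Mail.Read"]},
    "scheduled_tasks": ["nightly-report"],
}
CURRENT = {
    "skills": {"calendar-sync": "sha256:bbbb", "pdf-tools": "sha256:cccc"},
    "oauth_grants": {"mail-connector": ["Mail.Read", "Mail.Send"]},
    "scheduled_tasks": ["nightly-report", "sync-helper"],
}

if __name__ == "__main__":
    for kind, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"{kind}: {detail}")
```

None of the four findings involves malware or a failed login; each is a state change made with valid credentials, which is why a baseline comparison surfaces them when endpoint alerts do not.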