Inside OpenClaw: How AI Agents Actually Work — and 6 Security Risks You Can’t Ignore OpenClaw, a free open-source AI agent framework launched in late 2025, uses a ReAct pattern combining large language models with tool-use to autonomously perform tasks like scheduling meetings and searching files. The system operates through a local Node.js gateway that manages agentic loops of reasoning, acting, and observing, but introduces six critical security risks including unauthorized tool access and data leakage. We’ve all been using AI chatbots. You give your question to some type of LLM — your favourite GPT or Claude model, perhaps — and get an answer back from the large language model. Maybe you want help replying to an email, so you copy and paste the relevant information from Gmail. Or we need help scheduling a meeting, so we’re pulling in calendar availability. But you are the one doing the actions. You’re copy-pasting information, switching tabs, clicking buttons, and putting it all into the context window of that prompt to the LLM. I could ask my favourite LLM to schedule a meeting, and it will tell me exactly how to schedule it. But it’s not actually going to go to my calendar and schedule that meeting for me. That is the gap between knowing and doing — and that’s what we’re going to be talking about today. By connecting these large language models with tools, we’re able to create an AI agent to solve problems that humans typically handle by moving information back and forth and using tools themselves. Agents such as OpenClaw allow this to run autonomously. Welcome to the world of AI agents. An AI agent like OpenClaw is a system that combines a large language model with the ability to use tools and take autonomous actions. While a chatbot interaction is typically a user sending a prompt and a model generating a response, an AI agent is fundamentally different, operating in what’s known as an agentic loop . Let’s take the case of OpenClaw. Typically, a task comes into the agent. This task could come from a variety of places — maybe it’s an organization running OpenClaw and connecting it to their Slack, or maybe it’s iMessage on your own device, or WhatsApp — these are some of the communication platforms to talk to the agent. From there, the real magic begins. The AI agent assembles the context that will be passed to the LLM: the conversation history, the long-term memory, the system instructions, and — most importantly — the available tools the model can use if it needs to pull in additional information to answer the initial request. Next, it sends that accumulated context to the LLM to perform reasoning. The model decides: Do I need to use a tool to pull in data for my response? If a tool is needed, the agent might pull in additional information from, for example, a terminal command, reading a file on your hard drive, searching the web, or calling an API. When the tool is executed, the agent receives the result, and that information is passed again into the context window. So all of that existing information, plus the result of the tool call, is now available. This loop continues — reasoning, acting, and observing — until the task is done. If no tool is needed anymore, the final response is passed back to the user through Slack, iMessage, or whichever platform they started on. This is what’s called the ReAct pattern . We are essentially reasoning over the information provided by the user and the systems connected to the agent, and then acting on that information. That, my friends, is the core pattern behind every agent framework out there. OpenClaw is probably the best real-world example of an agentic AI assistant in action right now. It is a free, open-source AI agent that was created in late 2025 and is now one of the most popular projects on GitHub by total stars. Let’s learn how it works. The OpenClaw agent runs as a local Node.js service on your machine. This could be your laptop, a virtual machine, a Raspberry Pi — wherever you want your personal assistant to be available. It follows a hub-and-spoke model centered around a singular component: the gateway . The gateway is really important. It’s a control plane, and it’s always on as a WebSocket server that handles message routing, session management, the ability to create multiple agents, and — as you’ll see in a second — the usage of tools. How do you actually communicate with this gateway? There are two methods for managing it: the UI and the CLI. But when you’re sending requests to your agent, you have been messaging integrations through various channels: Slack, Teams, Discord, iMessage — pretty much any communication platform you want to reach your agent with. The way these are standardized into OpenClaw is through adapters . The adapter takes different types of incoming data sources and converts them into one unified internal format that can then be provided to the gateway. The agentic loop assembles the full context of a request before it’s passed to the LLM. The LLM for OpenClaw could be a model running locally on your machine, or one hosted via an API. This LLM needs not just the request from the user, but also additional data. That data could come from different databases storing long-term memory about conversations and the work the agent has been doing. It’s passed through the central gateway along with other information, like prompt templates and the agents.md and soul.md Markdown files that decide how the agent responds and what its job is. Going down one more layer, we have the ability to use tools. This is where we can craft our agent’s capabilities. There are built-in tools like the ability to use a web browser to automate different tasks, or to use the terminal to run commands and access different CLIs. Skills are what make OpenClaw extensible as an AI personal assistant. They’re essentially folders containing a markdown skills file with instructions to teach your agent how to perform a specific task or workflow. What’s cool is that OpenClaw doesn’t automatically give all of this information to the model by default, because it would fill up the LLM’s context window quickly. Instead, it injects the available skills and some brief metadata so that the LLM can pick what would be useful for a specific task and read the full skill on demand. There are thousands of skills out there to manage everything from Trello boards to Google Calendar accessing and editing calendars , to engineering workflows like using Docker to build, run, and test container images, to connecting to CRMs, GitHub, and different types of data sources. We’re teaching the model how to perform functions we would typically do ourselves — automating whatever you need, whether on demand through Slack or iMessage, or through automated cron jobs. Before you go all in, let’s talk about security with OpenClaw — because with great power also comes great responsibility. Since OpenClaw runs locally and has access to your file system, your terminal, and other integrations, a misconfigured environment could essentially become a powerful backdoor on your own machine. There are already thousands of internet-exposed OpenClaw instances out there, due to misconfiguration or skills that might contain malicious code. That brings us to the second thing to watch out for: prompt injections . This is a typical vulnerability with LLMs, where the agent processes untrusted input — like an email or a web page — and malicious instructions embedded in that data get executed by the LLM as if they were legitimate commands. It’s also important with AI agents to run them in an isolated environment, review the code and skills you run, and encrypt your credentials before sending them to an LLM. For years, AI was just a conversation — you talked back and forth to a model that could tell you what to do, but not actually help you do it. Now our interaction has changed. The AI model becomes the orchestrator, able to plan, execute, and observe until the loop is finished. The open-source OpenClaw project represents just one approach to solving challenges with AI agents. There are tons of frameworks out there to build agents, like LangGraph and others. But there’s no denying OpenClaw’s momentum. The patterns you’ve learned apply to all types of AI agents — but remember to be responsible when it comes to security, governance, and deployment practices. AI agents are all the rage. You can tell them what you want done and let them do all the dirty work to make it happen. It’s as if you suddenly have a team of personal assistants at your beck and call. OpenClaw lets you run agents locally on your laptop, and this capability is lowering the barriers to entry, making it possible for everyone to benefit. But what is all this cool new stuff really? And what are the risks? Let’s double-click on OpenClaw specifically. Note: this is by no means an exhaustive list — these are just six that I’m going to call out. This is the one I already talked about: running in an untrusted environment. It’s untrusted code — specifically, the skills . OpenClaw allows users to install skills from public registries like ClawHub or GitHub. Installing a skill is effectively running third-party code with the agent’s privileges — your system-level privileges, if that’s the ID you’re running under. Multiple audits have found a non-trivial percentage of malicious or vulnerable skills. The impact could be arbitrary command execution — an attacker has your system running commands of their choice, not yours. It could be credential theft — now they know your passwords to get into your system or other services. It could be backdoors that persist across multiple sessions , making them even more dangerous. Here, we basically have content that is executing. OpenClaw ingests untrusted text from web pages, emails, PDFs, chat messages, and other sources — even other agents. Attackers can embed instructions into that content and cause an agent to leak secrets, execute commands, or modify its own memory or rules. This is not hypothetical. Prompt-injection-driven compromise has been demonstrated repeatedly in the wild. OpenClaw stores long-term memory in files like memory.md and identity.md. These files maintain state over multiple executions. Attackers can quietly alter that state so that malicious instructions persist across multiple restarts. OpenClaw commonly has access to API keys, OAuth tokens, messaging platform secrets, cloud credentials — all kinds of secrets that would allow you to authenticate to a system. There have been many cases where tens of thousands of exposed OpenClaw gateways were found leaking plain-text credentials or config files. That’s bad news. Because this thing is running autonomously, it means it could start off doing the right thing, but over time drift into doing things we didn’t intend. OpenClaw can act without approval. It could chain tools together. It could decide to bring in other components you didn’t think about. It could trigger background tasks. A single compromise can result in self-directed lateral movement — the system is deciding how to move across areas you did not have in mind. It could exfiltrate data , taking your sensitive stuff and sending it to someone else. Or cost amplification attacks — API usage bombing — where someone hijacks your agent and causes it to chew up resources or burn through all your tokens, costing you money. A lot of people don’t think about that. Remember, this is running on your system — that’s part of the self-hosted component. If it’s induced to execute malicious commands, OpenClaw could modify host files, access SSH keys, and pivot to other systems. In fact, Microsoft explicitly states OpenClaw should not be run on standard personal or enterprise workstations for exactly this reason. Let’s get this straight: I’m not saying you shouldn’t use agents. I think we all stand to benefit from these capabilities. This is really cool stuff. But don’t just blindly dive in. If you’re one of those people who stores your passwords in an Excel spreadsheet — which is a terrible idea, I might add — an agent you’ve just installed on your system might read those credentials. Since it can execute a browser, it could then go log on to your bank’s website, siphon off all of your money, and run a command to delete all the files on your system. That would be a really bad day for you. That’s what I mean by elevated risk. OpenClaw is powerful, but it’s also high-risk by design . Some things to consider to make it a more secure system: This is something we get from zero trust: assume breach . Expect the system to have already been breached. Explicitly engineer defenses against those kinds of attacks. Build your security as if the bad guy is already on your system. If you found this helpful, consider clapping👏 so others can find it too and follow me for more amazing AI content 1 Narek Maloyan, Dmitry Namiot, Sleeper Channels and Provenance Gates: Persistent Prompt Injection in Always-on Autonomous AI Agents https://injoit.org/index.php/j1/article/view/2621 2026 , International Journal of Open Information Technologies 2 Mateusz Dziemian, Maxwell Lin, Xiaohan Fu, How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition https://arxiv.org/abs/2603.15714 2026 , arXiv preprint arXiv:2603.15714 3 Microsoft Security Team, Running OpenClaw Safely: Identity, Isolation, and Runtime Risk https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/ 2026 , Microsoft Security Blog 4 SecurityScorecard STRIKE Threat Intelligence Team, Beyond the Hype: Moltbot’s Real Risk Is Exposed Infrastructure, Not AI Superintelligence https://securityscorecard.com/blog/beyond-the-hype-moltbots-real-risk-is-exposed-infrastructure-not-ai-superintelligence/ 2026 , SecurityScorecard Blog 5 Cisco AI Defense Team, Personal AI Agents Like OpenClaw Are a Security Nightmare https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare 2026 , Cisco Blogs 6 Cisco AI Defense Team, Don’t Deploy OpenClaw Without Securing It https://blogs.cisco.com/developer/openclaw-ai-agent-security 2026 , Cisco Blogs Inside OpenClaw: How AI Agents Actually Work — and 6 Security Risks You Can’t Ignore https://pub.towardsai.net/inside-openclaw-how-ai-agents-actually-work-and-6-security-risks-you-cant-ignore-33683cdf0b16 was originally published in Towards AI https://pub.towardsai.net on Medium, where people are continuing the conversation by highlighting and responding to this story.