“Your AI? It’s my AI now.” Etay Maor, VP of Threat Intelligence at Cato Networks, made this remark during an exclusive interview with VentureBeat at RSAC 2026, highlighting a security breach involving a U.K. CEO’s OpenClaw instance being sold on BreachForums. Maor criticized the industry’s decision to grant AI agents a degree of autonomy that would be unthinkable for human employees, neglecting principles like zero trust, least privilege, and assume-breach.
The breach was revealed on BreachForums three weeks prior to Maor’s interview. On February 22, a threat actor known as “fluffyduck” advertised root shell access to the CEO’s computer for $25,000 in Monero or Litecoin. The key offering was not the shell but the CEO’s OpenClaw AI personal assistant. The buyer would gain access to every interaction the CEO had with the AI, the entire production database of the company, Telegram bot tokens, Trading 212 API keys, and personal information about the CEO’s family and finances. The threat actor claimed the CEO was actively engaging with OpenClaw in real-time, transforming the listing into a live intelligence feed.
Cato CTRL senior security researcher Vitaly Simonovich documented the breach on February 25. The CEO’s OpenClaw instance stored all data in plain-text Markdown files in the ~/.openclaw/workspace/ directory, with no encryption at rest. The threat actor did not need to exfiltrate the data; it was already assembled by the CEO. Upon discovery, the security team found no native enterprise kill switch, management console, or way to track how many other instances were running across the organization.
OpenClaw operates locally with direct access to the host machine’s file system, network connections, browser sessions, and installed applications. While coverage has focused on its growth, the threat surface remains largely unmapped. At RSAC 2026, four vendors offered solutions, but none addressed the critical need for a native kill switch.
The threat surface by the numbers
| Metric | Numbers | Source |
| --- | --- | --- |
| Internet-facing instances | ~500,000 (March 24 live check) | Etay Maor, Cato Networks (exclusive RSAC 2026 interview) |
| Exposed instances with security risks | 30,000+ observed during scan window | |
| Exploitable via known RCE | 15,200 instances | |
| High-severity CVEs | 3 (highest CVSS: 8.8) | |
| Malicious skills on ClawHub | 341 in Koi audit (335 from ClawHavoc); 824 by mid-Feb | Koi |
| ClawHub skills with critical flaws | 13.4% of 3,984 analyzed | Snyk |
| API tokens exposed (Moltbook) | 1.5 million | |
During a live Censys check in an exclusive interview with VentureBeat at RSAC 2026, Maor noted the rapid increase in OpenClaw instances: “The first week it came out, there were about 6,300 instances. Last week, I checked: 230,000 instances. Let’s check now… almost half a million. Almost doubled in one week.” Three high-severity CVEs mark the attack surface: CVE-2026-24763 (CVSS 8.8, command injection via Docker PATH handling), CVE-2026-25157 (CVSS 7.7, OS command injection), and CVE-2026-25253 (CVSS 8.8, token exfiltration to full gateway compromise). Although all three CVEs have been patched, OpenClaw lacks an enterprise management plane, centralized patching mechanism, and fleet-wide kill switch, leaving individual administrators to manually update each instance, which many have not done.
Equally concerning is the defender-side telemetry. CrowdStrike’s Falcon sensors detect more than 1,800 distinct AI applications across its customer fleet, from ChatGPT to Copilot to OpenClaw, generating approximately 160 million unique instances on enterprise endpoints. ClawHavoc, a malicious skill distributed through the ClawHub marketplace, became the primary case study in the OWASP Agentic Skills Top 10. CrowdStrike CEO George Kurtz highlighted it in his RSAC 2026 keynote as the first major supply chain attack on an AI agent ecosystem.
AI agents got root access. Security got nothing.
In the RSAC 2026 interview, Maor explained the visibility failure using the OODA loop (observe, orient, decide, act). Security teams are often unaware of which AI tools are running on their networks, allowing productivity tools introduced by employees to become shadow AI that attackers exploit. The BreachForums listing illustrated the end result: the CEO’s OpenClaw instance turned into a centralized intelligence hub with SSO sessions, credential stores, and communication history all in one place. “The CEO’s assistant can be your assistant if you buy access to this computer,” Maor told VentureBeat. “It’s an assistant for the attacker.”
Ghost agents worsen the exposure. Companies adopt AI tools, conduct pilots, lose interest, and move on, leaving agents running with credentials intact. “We need an HR view of agents. Onboarding, monitoring, offboarding. If there’s no business justification? Removal,” Maor told VentureBeat. “We’re not left with any ghost agents on our network, because that’s already happening.”
Cisco moved toward an OpenClaw kill switch
Cisco President and Chief Product Officer Jeetu Patel outlined the stakes in an exclusive VentureBeat interview at RSAC 2026. “I think of them more like teenagers. They’re supremely intelligent, but they have no fear of consequence,” Patel said of AI agents. “The difference between delegating and trusted delegating of tasks to an agent … one of them leads to bankruptcy. The other one leads to market dominance.”
At RSAC 2026, Cisco introduced three free, open-source security tools for OpenClaw. DefenseClaw integrates Skills Scanner, MCP Scanner, AI BoM, and CodeGuard into a single open-source framework operating within NVIDIA’s OpenShell runtime, which NVIDIA launched at its GTC event the week before RSAC. “Every single time you actually activate an agent in an Open Shell container, you can now automatically instantiate all the security services that we have built through Defense Claw,” Patel told VentureBeat. AI Defense Explorer Edition provides a free, self-serve version of Cisco’s algorithmic red-teaming engine, testing any AI model or agent for prompt injection and jailbreaks across more than 200 risk subcategories. The LLM Security Leaderboard evaluates foundation models based on adversarial resilience rather than performance benchmarks. Cisco also introduced Duo Agentic Identity to register agents as identity objects with time-bound permissions, Identity Intelligence to detect shadow agents via network monitoring, and the Agent Runtime SDK to embed policy enforcement at build time.
Palo Alto made agentic endpoints a security category of their own
During an exclusive March 18 pre-RSA briefing with VentureBeat, Palo Alto Networks CEO Nikesh Arora described OpenClaw-class tools as forming a new supply chain through unregulated, unsecured marketplaces. Koi discovered 341 malicious skills on ClawHub during its initial audit, increasing to 824 as the registry expanded. Snyk found 13.4% of analyzed skills had critical security flaws. Palo Alto Networks developed Prisma AIRS 3.0 with a new agentic registry that requires every agent to be logged before operation, along with credential validation, MCP gateway traffic control, agent red-teaming, and runtime monitoring for memory poisoning. The pending Koi acquisition adds supply chain visibility specifically for agentic endpoints.
Cato CTRL delivered the adversarial proof
Cato Networks’ threat intelligence division, Cato CTRL, presented two sessions at RSAC 2026. The 2026 Cato CTRL Threat Report, released separately, features a proof-of-concept “Living Off AI” attack targeting Atlassian’s MCP and Jira Service Management. Maor’s research offers independent adversarial validation that vendor product announcements alone cannot provide. While platform vendors focus on governance for sanctioned agents, Cato CTRL documented the consequences when an unsanctioned agent on the CEO’s laptop is sold on the dark web.
Monday morning action list
Four immediate controls apply across any vendor stack: bind OpenClaw to localhost only and block external port exposure, enforce application allowlisting through MDM to prevent unauthorized installations, rotate every credential on machines where OpenClaw has been running, and apply least-privilege access to any account an AI agent has accessed.
- Discover the install base. CrowdStrike’s Falcon sensor, Cato’s SASE platform, and Cisco Identity Intelligence all detect shadow AI. For teams without premium tools, query endpoints for the ~/.openclaw/ directory using native EDR or MDM file-search policies. If the enterprise lacks endpoint visibility, run Shodan and Censys queries against corporate IP ranges.
- Patch or isolate. Check each discovered instance against CVE-2026-24763, CVE-2026-25157, and CVE-2026-25253. Instances that cannot be patched should be network-isolated. There is no fleet-wide patching mechanism.
- Audit skill installations. Review installed skills against Cisco’s Skills Scanner or the Snyk and Koi research. Remove any skill from an unverified source immediately.
- Enforce DLP and ZTNA controls. Cato’s ZTNA controls restrict unapproved AI applications. Cisco Secure Access SSE enforces policy on MCP tool calls. Palo Alto’s Prisma Access Browser manages data flow at the browser level.
- Kill ghost agents. Create a registry of every AI agent running. Document business justification, human owner, credentials held, and systems accessed. Revoke credentials for agents without justification. Repeat weekly.
- Deploy DefenseClaw for sanctioned use. Run OpenClaw inside NVIDIA’s OpenShell runtime with Cisco’s DefenseClaw to scan skills, verify MCP servers, and automatically monitor runtime behavior.
- Red-team before deploying. Use Cisco AI Defense Explorer Edition (free) or Palo Alto Networks’ agent red-teaming in Prisma AIRS 3.0. Test the workflow, not just the model.
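The first and fifth steps above (find every ~/.openclaw/ workspace, then build a registry that records credentials held and flags agents with no owner) can be scripted for a single host before the fleet tooling arrives. The script below is an added example written for this article, not code from OpenClaw, Cato, Cisco or any vendor named here. Only two facts come from the article: OpenClaw keeps its notes as plaintext Markdown under ~/.openclaw/workspace/, and the breach listing included a Telegram bot token. Everything else is an assumption of the example: the regexes used to spot credential-shaped strings, the 30-day idle threshold for calling something a ghost agent, the registry field names, and the constructed home directories it scans.

```python
"""
Added example (not OpenClaw's or any vendor's code): single-host OpenClaw triage.
Finds <home>/.openclaw/workspace/, counts plaintext Markdown notes, flags
credential-shaped strings in them, marks stale workspaces as ghost-agent
candidates, and emits a stub record for the agent registry.
Assumptions: the secret patterns, the 30-day ghost threshold, the registry
field names and the sample estate are invented for illustration.
"""
import json
import os
import re
import tempfile
import time
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Credential-shaped strings that should trigger rotation if found in a note.
# Telegram bot tokens are 8-10 digits, a colon, then 35 token characters;
# the generic key=value pattern is a heuristic (assumption).
SECRET_PATTERNS = {
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "generic_key_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*\S{12,}"),
}
GHOST_AFTER_DAYS = 30  # assumption: no writes for 30 days => ghost candidate
SECONDS_PER_DAY = 86400.0


@dataclass
class Finding:
    user: str
    workspace: str
    markdown_files: int
    secret_hits: Dict[str, int]
    idle_days: float
    ghost_candidate: bool
    registry_stub: dict


def find_workspaces(home_roots: Iterable[Path]) -> List[Path]:
    """Return every <root>/<user>/.openclaw/workspace directory that exists."""
    found = []
    for root in home_roots:
        for home in sorted(p for p in Path(root).iterdir() if p.is_dir()):
            ws = home / ".openclaw" / "workspace"
            if ws.is_dir():
                found.append(ws)
    return found


def scan_workspace(ws: Path, now: Optional[float] = None) -> Finding:
    """Inspect one workspace: secrets in *.md files, idle time, registry stub."""
    now = time.time() if now is None else now
    hits: Dict[str, int] = {}
    md_files = sorted(ws.rglob("*.md"))
    for path in md_files:
        text = path.read_text(errors="replace")
        for name, pattern in SECRET_PATTERNS.items():
            n = len(pattern.findall(text))
            if n:
                hits[name] = hits.get(name, 0) + n
    # Idle time is measured from the newest note; fall back to the directory itself.
    mtimes = [p.stat().st_mtime for p in md_files] or [ws.stat().st_mtime]
    idle_days = (now - max(mtimes)) / SECONDS_PER_DAY
    ghost = idle_days > GHOST_AFTER_DAYS
    user = ws.parent.parent.name
    stub = {  # "HR view of agents": owner and justification are for a human to fill in
        "agent": "OpenClaw", "host_user": user, "human_owner": None,
        "business_justification": None, "credentials_held": sorted(hits),
        "systems_accessed": [], "action": "revoke-and-remove" if ghost else "review",
    }
    return Finding(user, str(ws), len(md_files), hits, idle_days, ghost, stub)


def triage(home_roots: Iterable[Path], now: Optional[float] = None) -> List[Finding]:
    return [scan_workspace(ws, now) for ws in find_workspaces(home_roots)]


def build_sample_estate() -> Path:
    """Constructed sample data (not real): three home dirs under a temp root."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-triage-"))
    ceo = root / "ceo" / ".openclaw" / "workspace"
    ceo.mkdir(parents=True)
    (ceo / "notes.md").write_text(
        "# Daily notes\n"
        "Telegram bot token 1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi\n"
        "api_key = sk_live_constructed_example_0123456789\n"
        "Board meeting at 10am.\n")
    pilot = root / "pilot-bot" / ".openclaw" / "workspace"  # abandoned pilot
    pilot.mkdir(parents=True)
    stale = pilot / "memory.md"
    stale.write_text("# Pilot agent memory\nNo owner assigned.\n")
    old = time.time() - 45 * SECONDS_PER_DAY
    os.utime(stale, (old, old))
    (root / "analyst").mkdir()  # a home with no OpenClaw install at all
    return root


def run_demo() -> List[Finding]:
    return triage([build_sample_estate()])


if __name__ == "__main__":
    for finding in run_demo():
        print(json.dumps(asdict(finding), indent=2))
```

On a real fleet the EDR or MDM file-search policy supplies the list of workspace paths; the regex pass then tells you which hosts need credential rotation first, and the `action` field feeds the weekly ghost-agent review. Any hit is a reason to rotate, not proof of compromise, and the patterns will miss key formats they do not know about.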
The OWASP Agentic Skills Top 10, using ClawHavoc as its primary case study, offers a framework for evaluating these risks. Although four vendors provided solutions at RSAC 2026, none included a native enterprise kill switch for unsanctioned OpenClaw deployments. Until such a solution is available, the Monday morning action list above serves as the nearest alternative.

