Advisory on Cybersecurity Risks of OpenClaw
28 May 2026
Autonomous AI agents, such as OpenClaw, offer real productivity benefits but introduce serious cybersecurity risks. This advisory draws attention to IMDA's Case Study on the Responsible Deployment of OpenClaw, and highlights the key cybersecurity risks.
Introduction
Autonomous AI agents are AI systems that can understand context, formulate plans and take independent actions to achieve specified objectives. Unlike conventional AI tools that respond to a single prompt, they can use external tools (e.g. web browsers, code executors, and APIs) and take actions on behalf of users.
Autonomous AI agents, such as OpenClaw, offer real productivity benefits but introduce serious cybersecurity risks. This advisory draws attention to IMDA's Case Study on the Responsible Deployment of OpenClaw, and highlights the key cybersecurity risks covered on pages 2–4 of that document.
These risks include unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning. If left unaddressed, they can lead to agent hijacking, unauthorised agent actions through tool or API abuse, and unauthorised access to systems or data.
As the IMDA case study notes, "accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked".
What You Can Do
The following best practices are drawn from Section 3 of the IMDA case study (pages 5–10). They are non-exhaustive and should be implemented as part of a broader defence-in-depth approach.
For Individuals:
Avoid installing OpenClaw in its open-source form on devices containing sensitive data.
Install and run it under a least-privileged account rather than an account with administrator roles.
Keep sensitive data such as passwords, financial records and personal information out of its reach.
Install skills only from trusted sources with verifiable provenance.
Identify checkpoints in agentic workflows that require human approval, especially for high-stakes and irreversible actions. This can potentially be done through system-level controls (e.g., approval workflows, execution constraints).
Keep OpenClaw updated promptly given its frequent security fixes, and regularly rotate API keys, OAuth tokens and other credentials.
For organisations, stronger safeguards are essential, particularly given higher security needs and the greater potential impact of a compromise:
Apply Zero Trust principles: assume breach, enforce least privilege and monitor continuously.
Avoid deploying OpenClaw in its open-source form in mission-critical environments or systems handling sensitive data.
Use multiple narrowly scoped agents rather than one all-purpose agent with broad access, to limit the blast radius of any compromise.
Use dedicated credentials for the agent, inject them securely via short-lived tokens from a secure vault and rotate them regularly, including after detecting anomalous behaviour or a disclosed vulnerability.
Route outbound connections through a policy-enforcing proxy to ensure all external requests are controlled and auditable.
Ensure all agent actions are logged and attributable, redirecting OpenClaw logging to a persistent directory rather than the default "/tmp" directory.
Require human approval for high-stakes or irreversible actions such as financial transactions, executing code in production, deleting critical data or sending external communications. This can be enforced through system-level controls such as approval workflows and permission gates, not just prompt-layer instructions.
Before deployment, test that safety controls work as intended using deliberate negative tests and verify that human-in-the-loop is correctly triggered across different scenarios.
In the event of a compromise, rebuild the agent environment from a known-good baseline rather than simply restarting it, and extend recovery to persistent memory, vector stores and downstream services where relevant.
Finally, provide clear usage guidance to personnel on what the agent can and cannot do, and when human approval is required.
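Several of the organisational controls above (narrowly scoped agents, a policy-enforced egress allowlist, attributable logging, approval gates enforced below the prompt layer, and deliberate negative tests before deployment) can be combined in a single enforcement point that sits between the agent and its tools. The following Python illustration is added here and is not code from OpenClaw, IMDA or CSA; the class names, the "invoice-agent" policy, the hostnames and the HMAC-bound approval token are constructed assumptions, and the audit log is kept in memory so the example runs stand-alone (in a real deployment it would be appended to a persistent file, not /tmp).

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Actions treated as high-stakes or irreversible: the gateway refuses them
# unless a human has approved that exact call, whatever the prompt says.
HIGH_RISK_ACTIONS = frozenset({"transfer_funds", "run_in_production",
                               "delete_records", "send_email"})


@dataclass(frozen=True)
class ToolPolicy:
    agent_id: str
    allowed_tools: frozenset         # narrow scope: only the tools this agent needs
    allowed_egress_hosts: frozenset  # outbound allowlist, enforced here, not in the prompt


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ApprovalService:
    """Hypothetical stand-in for a human approval workflow. The reviewer approves
    one exact action; the token is an HMAC over that action, so it cannot be
    replayed for a different tool or different arguments."""

    def __init__(self, secret: bytes):
        self._secret = secret  # constructed; a real service keeps this out of the agent's reach

    @staticmethod
    def _canonical(tool: str, args: dict) -> bytes:
        return json.dumps({"tool": tool, "args": args}, sort_keys=True).encode()

    def approve(self, tool: str, args: dict) -> str:
        return hmac.new(self._secret, self._canonical(tool, args), hashlib.sha256).hexdigest()

    def verify(self, token: Optional[str], tool: str, args: dict) -> bool:
        return token is not None and hmac.compare_digest(token, self.approve(tool, args))


class ToolGateway:
    """Single enforcement point between the agent and its tools. The agent never
    holds raw credentials or network access; every request is decided and
    recorded here, attributable to the agent and to the person it acts for."""

    def __init__(self, policy: ToolPolicy, approvals: ApprovalService):
        self.policy = policy
        self.approvals = approvals
        self.audit = []  # in-memory for the example; persist to a durable directory in practice

    def authorize(self, principal: str, tool: str, args: dict,
                  approval: Optional[str] = None) -> Decision:
        decision = self._evaluate(tool, args, approval)
        self.audit.append({"ts": time.time(), "agent": self.policy.agent_id,
                           "principal": principal, "tool": tool, "args": args,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, tool: str, args: dict, approval: Optional[str]) -> Decision:
        if tool not in self.policy.allowed_tools:
            return Decision(False, "tool outside this agent's scope")
        if tool in HIGH_RISK_ACTIONS and not self.approvals.verify(approval, tool, args):
            return Decision(False, "high-risk action requires human approval")
        url = args.get("url")
        if url is not None:
            # Exact hostname match: a look-alike host that merely starts with an
            # allowlisted name is still refused.
            host = urlparse(url).hostname or ""
            if host not in self.policy.allowed_egress_hosts:
                return Decision(False, f"egress to {host!r} is not allowlisted")
        return Decision(True, "ok")

    def audit_jsonl(self) -> str:
        """Audit records as JSON lines, ready to append to a persistent log file."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def run_negative_tests(gateway: ToolGateway) -> dict:
    """Deliberate negative tests: every case must be refused. Returns a map of
    case name -> allowed flag so a pre-deployment check can assert all are False."""
    cases = {
        "out_of_scope_tool": ("delete_records", {"table": "customers"}, None),
        "high_risk_without_approval": ("send_email", {"to": "cfo@corp.example"}, None),
        "egress_to_unknown_host": ("fetch_url", {"url": "https://not-allowed.example/x"}, None),
        "replayed_approval_for_other_args": (
            "send_email", {"to": "other@corp.example"},
            gateway.approvals.approve("send_email", {"to": "cfo@corp.example"})),
    }
    return {name: gateway.authorize("deploy-check", tool, args, tok).allowed
            for name, (tool, args, tok) in cases.items()}


if __name__ == "__main__":
    policy = ToolPolicy("invoice-agent", frozenset({"fetch_url", "send_email"}),
                        frozenset({"erp.internal.example"}))
    gw = ToolGateway(policy, ApprovalService(b"constructed-approver-secret"))
    print(gw.authorize("alice", "fetch_url", {"url": "https://erp.internal.example/invoices"}))
    print(run_negative_tests(gw))
    print(gw.audit_jsonl())
```

The point of binding the approval token to the canonical form of the exact call is that an approval obtained for one e-mail cannot be reused by a hijacked agent to send a different one; the negative-test map is what a deployment pipeline would assert on before the agent is allowed to run.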
Other variants have emerged since OpenClaw's initial launch, such as NanoClaw and Nvidia's NemoClaw. However, as safeguards for agentic AI are still maturing, organisations requiring agentic AI capabilities in their environments should evaluate and verify whether these variants are able to meet their performance and security requirements.
Further Reading
For more information, refer to IMDA's Case Study on the Responsible Deployment of OpenClaw and the Model AI Governance Framework for Agentic AI.
For cybersecurity best practices, refer to CSA’s Securing Agentic AI - An Addendum to the Guidelines and Companion Guide on Securing AI Systems.
