By NHI Mgmt Group Editorial TeamPublished 2026-02-18Domain: Agentic AI & NHIsSource: Lakera

TL;DR: OpenClaw’s skills model turns agent behavior into a distribution channel for real-world action, while its companion ecosystem shows how social interaction, tool use, and copied workflows can amplify indirect instruction risk, according to Lakera’s analysis. Once agents can execute and share behavior, governance has to shift from controlling prompts to controlling what runtime actions are allowed.


At a glance

What this is: This is an analysis of how OpenClaw’s agent skills model and adjacent agent social ecosystems expand the attack surface from text manipulation into real operational execution.

Why it matters: It matters because IAM, PAM, and NHI teams now have to govern not just access, but the packaged behaviors and tool chains that agents can inherit, share, and execute.

👉 Read Lakera's analysis of OpenClaw skills and agentic AI security risk


Context

Agentic AI changes the security question from what a system says to what it can do. When an agent can call tools, execute commands, and act through packaged skills, existing controls that focus on chat safety or static permissions stop covering the full risk surface. The primary governance problem is not model output quality, but runtime authority.

Open ecosystems intensify that problem because behavior spreads through reuse. A skill is not just a feature add-on, it is a portable instruction set that can embed permissions, workflows, and execution habits. That is why agent governance now overlaps with NHI controls, privileged access review, and lifecycle management for software identities as well as human users.


Key questions

Q: How should security teams govern AI agents that can execute real tasks?

A: Treat the agent as an operational identity, not a chat surface. Govern which tools it can call, which skills it can load, and which runtime actions it may take. Review permissions by task, log every action path, and require explicit ownership for the agent’s lifecycle so access does not outlive the business purpose.

Q: Why do agent skills create more risk than ordinary prompts?

A: Prompts influence output, but skills can package scripts, permissions, and workflows that change real systems. That makes the skill a distribution channel for behavior, not just a configuration aid. If a skill is copied without review, the organisation may inherit unsafe execution patterns along with the convenience of automation.

Q: What breaks when agent-to-agent workflows are left ungoverned?

A: The organisation loses control over how operational behavior spreads. Agents can copy shortcuts, inherit unsafe patterns, and amplify weak permissions across multiple systems. Without governance, a small instruction change can turn into repeated action in places no human reviewed, which is why trust boundaries must include inter-agent channels.

Q: How do IAM and PAM teams reduce risk from autonomous agent actions?

A: Use task-scoped access, short-lived credentials, and explicit approval boundaries for high-risk actions. Separate the identity used to call tools from the identity allowed to approve sensitive operations, and make sure every agent action is attributable to a named owner and a defined business purpose.


Technical breakdown

How OpenClaw skills turn prompts into executable behavior

A skill is best understood as a packaged behavior bundle. It can combine instructions, scripts, configuration steps, and permissions so the agent knows not only what task to perform but how to perform it in a real system. That makes skills materially different from simple prompts or UI macros. Once a skill can drive command execution or cloud-service interaction, the security boundary shifts from content safety to execution safety. The real issue is whether the agent can act outside the narrow intent the operator expected.

Practical implication: treat skills as privileged executable artifacts and review them with the same scrutiny you would apply to automation that can change production state.

Why MCP connectivity and skills are different control problems

MCP standardises how tools are exposed to models and agents, using structured interfaces for tool calls and responses. Skills, by contrast, package the behavior that tells an agent what to do with those tools. That distinction matters because a well-governed interface can still be unsafe if the behavior layered on top of it is untrusted, copied, or socially engineered. In other words, tool connectivity can be clean while operational intent is still compromised. Security teams need to separate transport trust from behavior trust.

Practical implication: validate both the tool boundary and the behavioral package before allowing an agent to operate in production.

Why agent social ecosystems create indirect instruction risk

When agents exchange workflows, observe peers, and copy behaviors, the risk model changes again. The attack surface is no longer just a malicious prompt delivered once. It becomes a social environment where agents can be nudged, imitated, and influenced over time. That creates an indirect-instruction problem similar to human social engineering, but faster and more scalable because agents can absorb and replay operational patterns continuously. The failure mode is ecosystem-level: unsafe behavior becomes normal because it is shared, ranked, and reused.

Practical implication: monitor agent-to-agent content paths and workflow marketplaces as trust boundaries, not just as collaboration features.



NHI Mgmt Group analysis

Agentic AI skills create an execution layer, not just a usability layer. OpenClaw’s skills model packages instructions, scripts, and permissions into reusable behavior that an agent can apply inside real systems. That means the security problem is no longer only whether the model is fooled, but whether the packaged action can be trusted once it reaches runtime. The implication is that security teams must stop treating agent enablement as a prompt governance issue alone.

Behavior distribution is the new abuse channel. The most concerning detail in this ecosystem is not simply that agents can execute, but that behavior can be shared, copied, and normalized at scale. Once unsafe workflows become easy to install, exploitation stops looking like one-off compromise and starts looking like supply-chain style propagation of agent behavior. Practitioners should read that as a warning about governance lag, not just adversarial prompting.

Open agent ecosystems collapse the old boundary between social manipulation and operational compromise. When agents ingest untrusted text, follow copied skills, and interact with other agents, the classic separation between influence and action disappears. A manipulated instruction can become a production-side action without passing through a meaningful human review step. The practical conclusion is that identity governance must extend to the behavior sources an agent is allowed to trust.

Runtime control must now cover autonomy, not only access. The vendor’s analysis shows why traditional access management alone is insufficient when the system can decide, execute, and propagate behavior across tools. OWASP Agentic AI Top 10 is relevant here because the risk is not abstract AI misuse, but runtime trust failure across tool execution and inter-agent interaction. Security programmes should reclassify agent skills as governed operational assets, not lightweight extensions.

OpenClaw makes the governance gap visible: policy can lag adoption by design. Agent ecosystems grow faster than enterprise review cycles, and that timing mismatch creates a durable exposure window. NHI and IAM teams already know this pattern from service accounts and automation, but agentic systems add behavioral drift on top of privilege drift. The practitioner takeaway is that approval paths, monitoring, and lifecycle ownership have to be defined before scale, not after rollout.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree that governance is critical to enterprise security.
  • For a deeper framework lens, read OWASP NHI Top 10 for the control categories that map most directly to agentic runtime risk.

What this signals

Runtime governance will become the differentiator for agent programmes. With 48% of organisations unable to fully track and audit the data their AI agents access, the question is no longer whether agent adoption will continue, but whether enterprises can prove control over it. Teams that cannot evidence action-level oversight will struggle to defend their approval model.

Behavioral reuse will matter as much as credential hygiene. Open agent ecosystems let unsafe workflows spread quickly, which means the governance problem now includes provenance for skills and instructions, not only secrets and tokens. That is a material shift for IAM, PAM, and NHI teams because the unit of risk is increasingly the packaged action, not just the credential.

Agent identity management will converge with lifecycle governance. OpenClaw-style ecosystems force programme owners to ask who owns an agent, who certifies its permissions, and who retires its capability when the use case changes. The teams that answer those questions early will have a much easier path to auditing autonomous behavior later.


For practitioners

  • Classify agent skills as governed executables Require review of any skill that includes scripts, permissions, or workflows that can change production state. Tie approval to the specific actions the skill can take, not to the agent brand or interface.
  • Separate tool trust from behavior trust Approve MCP connections and skill packages as two different controls. One governs how tools are exposed, the other governs whether the agent is allowed to use those tools in a given operational context.
  • Monitor agent-to-agent workflow sharing Treat shared workflows, marketplace skills, and peer-recommended agent behaviors as supply-chain inputs. Log who installed what, which permissions were inherited, and whether any copied behavior reached production systems.
  • Limit runtime authority to task-scoped access Use task-scoped permissions that expire when the session ends and deny default access to cloud services, file systems, and command execution unless the specific job requires them.

Key takeaways

  • OpenClaw-style skills models turn agentic AI into a governed execution problem, not a pure model-safety problem.
  • AI agents already exceed intended scope in most organisations, which makes runtime control and auditability a current gap rather than a future concern.
  • Security teams should review agent behavior packages, tool trust, and lifecycle ownership together because those controls now determine blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Covers agent tool misuse and runtime behavior risks highlighted by OpenClaw skills.
NIST AI RMFAddresses governance, accountability, and measurement for autonomous AI behavior.
NIST CSF 2.0PR.AC-4Access permissions and least privilege are central to agent runtime control.

Apply least privilege and review agent access paths as part of normal access governance.


Key terms

  • Agent Skill: A packaged set of instructions, scripts, and permissions that teaches an AI agent how to perform a task in a real system. Unlike a prompt, a skill can carry executable behavior and operational assumptions, which means it must be governed like a privileged artifact rather than a simple configuration file.
  • Indirect Instruction: A manipulation pattern where an agent is influenced through third-party text, shared workflows, or surrounding content rather than a direct user command. The risk is that the agent accepts external context as operational guidance, causing it to follow unsafe actions without an obvious malicious prompt.
  • Runtime Authority: The real ability of an AI system to act, call tools, access services, or change state while it is operating. Runtime authority matters because the security issue is not just what the agent may say, but what it can actually do once permissions and workflows are activated.

What's in the full article

Lakera's full analysis covers the operational detail this post intentionally leaves for the source:

  • The specific OpenClaw skill behaviors the vendor team tested and why they matter operationally
  • Examples of indirect instruction and collaboration-platform abuse paths that are only summarised here
  • The internal hackathon findings that pressure-tested agent social failure modes before formal controls exist
  • The vendor's detailed breakdown of how skills distribution turns exploitation into a scaling problem

👉 Lakera's full post expands on the OpenClaw ecosystem, skill distribution risks, and agent social collapse scenarios.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org