By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Agentic AI & NHIsSource: Token Security

TL;DR: Exposed instances can leak API keys, OAuth tokens, and conversation histories and even enable remote code execution, while Clawdbot adoption has reached 22% of Token Security’s customers, according to Token Security. The real issue is that autonomous agents with shell access, persistent memory, and broad enterprise permissions break the assumptions behind conventional IAM oversight.


At a glance

What this is: This analysis argues that Clawdbot is a shadow AI risk because it combines unmanaged agent access, broad permissions, and exposed control surfaces.

Why it matters: It matters because IAM, NHI, and human identity programmes now have to govern AI agents that can act outside approved workflows, outside audit visibility, and across multiple identity domains.

By the numbers:

👉 Read Token Security's analysis of Clawdbot shadow AI and enterprise exposure


Context

Clawdbot is an open source AI assistant that behaves less like a chat interface and more like a delegated operator with access to email, calendars, documents, messaging tools, files, and shell commands. In identity terms, that makes it a governance problem for autonomous AI agent access, not just a productivity app.

The primary failure is not the presence of AI tooling itself. It is the assumption that access granted to a person can remain understandable, reviewable, and containable once an AI agent is allowed to act through that person's accounts, devices, and connected services.


Key questions

Q: How should security teams govern personal AI agents that connect to corporate systems?

A: Treat personal AI agents as non-human identities with delegated access, not as harmless user tools. Inventory where they run, review every OAuth grant, and restrict them to approved data sources and channels. If the agent can read mail, files, or chat and then act elsewhere, governance has to cover the full delegation chain, not just the human account.

Q: Why do shadow AI agents increase identity risk so quickly?

A: Shadow AI agents can combine broad permissions, persistent memory, and local secret storage without central logging. That lets a single install turn into a high-value access path before security teams know it exists. The risk grows fastest when the agent can reach collaboration data and then export it into consumer messaging or other unmanaged channels.

Q: What breaks when AI assistants are allowed shell access on unmanaged devices?

A: The enterprise loses the usual boundary between user activity and system activity. Shell access lets the agent run scripts, browse files, and automate actions that are hard to distinguish from legitimate work. Without sandboxing and endpoint controls, a compromise can move from data exposure to remote execution with very little friction.

Q: What should organisations do when a personal AI tool has already reached production data?

A: Contain the exposure by revoking the connected tokens, rotating any plaintext or locally stored credentials, and removing the tool from approved access paths. Then assess which data sources were reachable, whether outputs left the enterprise, and whether the same access pattern exists on other endpoints. The aim is to shrink the blast radius before it spreads.


Technical breakdown

Shadow AI discovery and unmanaged agent identity

Clawdbot runs on employee-owned Mac or Linux devices, integrates with consumer messaging apps, and connects into corporate services through OAuth apps, tokens, and local configuration files. That makes it hard to see through standard enterprise controls because the agent is not always a sanctioned workload and may not appear in central inventories. From an identity perspective, the key issue is that the agent inherits human-connected access paths while operating outside normal lifecycle governance. Practical implication: inventory endpoints, connected apps, and suspicious local agent directories as part of AI agent discovery.

Practical implication: inventory endpoints, connected apps, and suspicious local agent directories as part of AI agent discovery.

Exposed gateways, plaintext secrets, and remote execution

The article describes internet-exposed Clawdbot instances with unauthenticated admin dashboards that reveal API keys, OAuth tokens, and conversation histories. It also notes plaintext credential storage under local directories, which means any process running as the user may be able to read sensitive material. Once those secrets are exposed, the control plane can be abused for remote code execution or data extraction. Practical implication: treat local agent storage and exposed admin surfaces as credential-bearing attack paths.

Practical implication: treat local agent storage and exposed admin surfaces as credential-bearing attack paths.

Agent-assisted data movement across corporate and consumer channels

Clawdbot can read corporate Slack, Teams, email, and documents, then push output into WhatsApp or other consumer channels. That is a governance problem because data can leave the enterprise without the familiar touchpoints used by DLP, email security, or audit logging. Prompt injection increases the risk further when the agent is allowed to browse, read files, and act on untrusted content. Practical implication: map every permitted input and output channel before granting the agent access to business data.

Practical implication: map every permitted input and output channel before granting the agent access to business data.


Threat narrative

Attacker objective: The attacker wants to turn a shadow AI deployment into a reusable access path for credential theft, data exfiltration, and remote execution.

  1. Entry occurs when an employee installs Clawdbot on an unmanaged device and connects it to corporate collaboration tools through OAuth grants and local credentials.
  2. Escalation happens when exposed admin dashboards or plaintext configuration files reveal API keys, OAuth tokens, and full conversation histories that can be reused for broader access.
  3. Impact follows when the agent or stolen credentials are used to read internal data, move it into consumer messaging channels, or trigger remote code execution through compromised gateways.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shadow AI is now an identity inventory problem, not only an AI policy problem. Clawdbot succeeds because it sits in the gap between sanctioned enterprise tooling and unmanaged personal software. Once an employee connects corporate data sources to a personal AI agent, the enterprise loses a reliable view of where identities, tokens, and data flows now live. The practitioner conclusion is simple: if the agent is not in inventory, it is already outside governance.

Agent-assisted access breaks the assumption that permissions stay interpretable after delegation. Human IAM controls were designed for a stable user operating through familiar applications, not for an AI assistant that can read mail, browse files, execute scripts, and relays outputs to consumer channels. That assumption fails when the actor can combine permissions dynamically across systems in a single workflow. The implication is that least privilege must be reasoned about at the agent boundary, not only at the user boundary.

Ephemeral trust debt: an unmanaged AI agent can accumulate high-value access faster than security teams can classify it. This is the named concept Clawdbot exposes. Persistent memory, local secret storage, and wide OAuth grants create a growing trust liability that sits outside centralized logging and recertification. Practitioners should treat every unsanctioned agent as an access surface whose blast radius expands the moment it touches corporate data.

Control failure here is lifecycle failure. The issue is not simply that Clawdbot can be dangerous. It is that the organisation never established a lifecycle model for personal AI agents, so there is no clean offboarding, recertification, or entitlement review path when the tool appears on endpoints. The practitioner conclusion is to govern agent identity the same way any other non-human identity is governed, while recognising that the hosting device may be personally owned.

From our research:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.
  • That pattern points to a governance problem rather than a one-off event, which is why the 52 NHI Breaches Analysis remains the most useful next reference point.

What this signals

Ephemeral trust debt: personal AI agents can accumulate delegated access faster than IAM teams can classify or review it. In practice, that means discovery must extend beyond sanctioned SaaS to local agent directories, endpoint processes, and connected OAuth apps before the organisation loses the ability to reconstruct who had access to what.

The programme signal is clear: AI agent governance cannot sit only inside policy language. Teams need an operational model that ties endpoint visibility, application grants, and data movement together, because a single assistant can bridge identity domains that were previously controlled separately. For practitioners, the near-term task is to identify where human accounts now act as a wrapper for autonomous access.

The control question is no longer whether users may experiment with AI, but whether the enterprise can detect and reverse that experimentation when it becomes a live access path. Where shadow AI is already present, recertification cycles alone will not be enough because the agent may have been installed and used entirely between review windows.


For practitioners

  • Discover shadow AI agents on endpoints Search for .clawdbot directories, agent process names, and unusual OAuth app activity on employee devices. Correlate those signals with collaboration-platform access to identify where personal AI tooling is touching corporate identity and data.
  • Review and revoke overbroad OAuth grants Audit Slack, Teams, Google Workspace, email, and file-system permissions connected to personal AI assistants. Remove integrations that give the agent access beyond a narrowly defined business need, and reissue access only through approved channels.
  • Block exposed agent control surfaces Prevent internet exposure of local or self-hosted agent admin dashboards and watch for gateway tokens that could be reused for remote execution. Treat any unauthenticated control plane as a credential incident, not a benign misconfiguration.
  • Create an explicit policy for personal AI agents Define whether employees may connect personal agents to corporate data, what approval is required, and which data types are prohibited. Include revocation steps, logging expectations, and endpoint checks in the policy so enforcement is operational, not aspirational.
  • Provide approved alternatives with auditability Offer sanctioned AI automation paths that preserve logging, access boundaries, and IT oversight so users are not pushed toward unmanaged tools. Approved alternatives reduce the incentive to connect shadow AI to sensitive business systems.

Key takeaways

  • Clawdbot illustrates how shadow AI becomes an identity problem as soon as it inherits corporate permissions and can act across multiple systems.
  • The article’s evidence shows real-world exposure, including 22% adoption among the vendor’s customers and exposed control servers that leak tokens and history.
  • The practical response is to discover unmanaged agents, narrow delegated access, and build an approved path for AI automation before the shadow version becomes normalised.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10AG-03Covers uncontrolled agent access and tool use in shadow AI deployments.
OWASP Non-Human Identity Top 10NHI-01Local tokens and OAuth grants make Clawdbot a non-human identity governance issue.
NIST CSF 2.0PR.AAIdentity, access, and data-flow controls are central to shadow AI containment.

Tie discovery, access review, and containment to established identity governance workflows.


Key terms

  • Shadow AI: Unapproved or undiscovered AI tools and agents used inside an organisation without governance oversight. In practice, shadow AI becomes an identity issue when it connects to corporate data, inherits permissions, or moves information outside approved logging and review paths.
  • Agentic AI identity: The identity and access model used for an AI system that can choose actions, tools, and execution timing at runtime. It requires governance beyond static service-account thinking because the actor may combine privileges dynamically and generate new access paths during a session.
  • Delegated access: Access granted to one identity so it can act on behalf of another identity or dataset. For AI agents, delegated access must be tightly scoped because the agent can use that access in ways the original user may not anticipate, especially across chat, file, and command interfaces.
  • Blast radius: The maximum damage an identity can cause if it is compromised or misused. For AI agents, blast radius is shaped by the number of connected systems, the sensitivity of the data they can reach, and whether the control plane can be revoked quickly when something goes wrong.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Exact endpoint and process indicators used to identify Clawdbot installations across employee devices.
  • Examples of exposed gateway dashboards and the access paths that made token theft possible.
  • Permission review guidance for Slack, Teams, Google Workspace, email, and file access tied to the agent.
  • Hardening steps for network exposure, local storage, and remediation of compromised identities.

👉 The full Token Security post covers exposed instances, permission review, and containment steps for Clawdbot.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org