TL;DR: OpenClaw’s postmortem shows that 21,639 exposed instances, plaintext credentials, and a 1.5 million-agent platform can turn AI agent adoption into an ungoverned NHI problem, according to Clutch Security. The deeper issue is that agent governance assumes stable identity, reviewable access, and human checkpoints, all of which collapse when tools act at runtime without those constraints.
At a glance
What this is: OpenClaw’s postmortem shows that AI agent platforms can rapidly create a large, poorly governed non-human identity surface when credentials, permissions, and monitoring are treated as afterthoughts.
Why it matters: IAM teams need to treat AI agents as governed identities because the same lifecycle, privilege, and discovery gaps that affect NHIs now apply to autonomous tool-using systems and the people who deploy them.
By the numbers:
- Within 72 hours, the platform claimed 1.5 million autonomous agents.
Context
OpenClaw is a useful case study because it shows what happens when AI agents are treated like experimental software instead of governed identities. The problem is not sentience or sophistication. The problem is that agents were given broad access to files, shells, messaging, and credentials without the controls that identity programmes normally apply to non-human accounts.
For IAM and NHI teams, the article matters because it exposes a familiar pattern in a new wrapper. Discovery, ownership, credential storage, and revocation all became unclear once the agent environment spread across endpoints and SaaS tools. The article’s starting point is unusual in its scale, but the underlying governance failure is typical of fast-moving AI adoption.
Key questions
Q: What breaks when AI agents are treated like ordinary service accounts?
A: What breaks is the assumption that the identity is static, inspectable, and easy to recertify. AI agents often carry broad delegated access, store credentials locally, and interact with multiple tools at runtime, which makes conventional service account governance too slow and too shallow. Without explicit ownership, provenance, and revocation paths, the agent becomes an untracked attack surface.
Q: Why do AI agents complicate NHI governance more than other workloads?
A: They complicate governance because they combine credentials, execution, and decision-making in one runtime. Traditional NHIs usually have a narrower purpose and a more stable access pattern. Agentic systems can read untrusted content, select tools, and interact with external services, which expands both the number of control points and the speed at which privilege can be abused.
Q: How do security teams know whether an agent identity is actually governed?
A: An agent identity is governed only when teams can identify the owner, locate the credentials, define the allowed scope, and revoke access without hunting across endpoints or backup files. If any of those pieces are missing, the identity is partially shadowed. The practical signal is whether access can be answered in minutes, not days.
Q: When should organisations treat an AI agent as too risky for broad access?
A: They should treat it as too risky when it must read untrusted content, execute external actions, and store reusable credentials in the same environment. That combination produces a large identity blast radius and weakens human review as a control. Broad access is hardest to justify when the agent has no strong containment boundary.
Technical breakdown
Plaintext credential exposure in agent runtimes
OpenClaw stored API keys, OAuth tokens, and messaging credentials in local Markdown and JSON files under the user profile. That design makes the agent runtime itself a credential vault, which means any endpoint compromise, backup sync, or file search can surface secrets that were never meant to be broadly readable. The risk increases when deleted files remain recoverable in backup artifacts. This is a classic NHI failure mode, but agent tooling multiplies it because the same credentials often span several connected services and workflows.
Practical implication: inventory where agent credentials are written to disk and eliminate plaintext storage paths.
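One way to run that inventory on an endpoint, as an added example that is not code from OpenClaw or from Clutch Security's postmortem. The directory layout, file names, key names, and token values are constructed for illustration, and the 16-character and 4.0-bit thresholds are assumptions to tune locally.

```python
import hashlib, json, math, re, stat, tempfile
from pathlib import Path

KEY_HINT = re.compile(r"api[_-]?key|token|secret|password", re.I)
MD_ASSIGN = re.compile(r"([\w.-]+)\s*[:=]\s*[`\"']?([^\s`\"']{16,})")  # "name: value" in notes

def entropy(s):
    """Shannon entropy in bits per character; random tokens score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def walk_json(node, path=""):
    """Yield (dotted_key, value) for every string leaf of parsed JSON."""
    if isinstance(node, str):
        yield path, node
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for k, v in items:
        yield from walk_json(v, f"{path}.{k}".lstrip("."))

def candidates(text):
    """Walk JSON structurally (covers *.json.bak copies too); regex-match other text."""
    try:
        return list(walk_json(json.loads(text)))
    except json.JSONDecodeError:
        return MD_ASSIGN.findall(text)

def scan_agent_dir(root):
    """Inventory credential-like values; report a fingerprint, never the secret."""
    findings = []
    files = [f for f in sorted(Path(root).rglob("*")) if f.is_file()]
    for f in (f for f in files if f.suffix in {".md", ".json", ".bak"}):
        mode = stat.S_IMODE(f.stat().st_mode)
        for key, val in candidates(f.read_text(errors="replace")):
            if len(val) >= 16 and (KEY_HINT.search(key) or entropy(val) > 4.0):
                findings.append({"file": f.relative_to(root).as_posix(), "key": key,
                                 "fingerprint": hashlib.sha256(val.encode()).hexdigest()[:12],
                                 "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH))})
    return findings

def build_sample(root):
    """Constructed files and values for illustration; not OpenClaw's real layout."""
    cfg = {"workspace": "/home/user/projects/demo", "session": "Zq7Lp2Xk9Wr4Tv6Bn1Cm8Dh3Fj5Gs0Ya",
           "llm": {"api_key": "EXAMPLE-constructed-key-0001"}}
    Path(root, "notes.md").write_text("# setup\nchat_token: EXAMPLE-constructed-token-0001\n")
    Path(root, "config.json").write_text(json.dumps(cfg))
    Path(root, "config.json.bak").write_text(json.dumps(cfg))  # stale backup copy
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(*scan_agent_dir(build_sample(d)), sep="\n")
```

Identical fingerprints in different files show the same secret duplicated across recoverable locations, which is the set of copies that must be rotated together.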
Why agent dashboards and plugin ecosystems create hidden trust chains
The postmortem shows that the web dashboard, skills registry, and rename-driven distribution paths created a trust chain that users could not easily inspect. A single visible API key exposed the backend, while malicious skills and lookalike extensions added a second layer of risk through software supply chain abuse. In identity terms, this is not just credential exposure. It is delegated authority spread across multiple execution surfaces with weak provenance and weak review.
Practical implication: treat agent plugins, skills, and extensions as privileged dependencies that require review and provenance checks.
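A review gate of that kind, sketched as an added example (not code from the page or from any agent platform). Skill names, bundle contents, the approver field, and the 0.85 similarity threshold are constructed assumptions; the allowlist stands in for whatever record an approval workflow produces.

```python
import hashlib
from difflib import SequenceMatcher

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed skill bundle standing in for a file fetched from a skills registry.
REVIEWED_BUNDLE = b"name: calendar-sync\nentry: sync.py\n"

# Allowlist written at review time: skill name -> pinned digest and approver.
APPROVED = {
    "calendar-sync": {"sha256": digest(REVIEWED_BUNDLE), "approved_by": "secops"},
    "mail-triage": {"sha256": digest(b"name: mail-triage\n"), "approved_by": "secops"},
}

def lookalike_of(name, approved, threshold=0.85):
    """Return the approved name this one closely resembles, if any."""
    scored = [(SequenceMatcher(None, name, a).ratio(), a) for a in approved]
    score, best = max(scored, default=(0.0, None))
    return best if score >= threshold else None

def review_skill(name, content, approved=APPROVED):
    """Classify one installed skill against the allowlist."""
    pinned = approved.get(name)
    if pinned is None:
        twin = lookalike_of(name, approved)
        return f"block: lookalike of {twin}" if twin else "block: unreviewed"
    if digest(content) != pinned["sha256"]:
        return "block: content differs from reviewed version"
    return "allow"

def audit(installed):
    """Map every installed skill name to an allow/block decision."""
    return {name: review_skill(name, content) for name, content in installed.items()}

INSTALLED = {  # constructed inventory of one endpoint
    "calendar-sync": REVIEWED_BUNDLE,
    "mail-triage": b"name: mail-triage\nextra: true\n",  # changed after review
    "calender-sync": REVIEWED_BUNDLE,                    # one letter off an approved name
    "pdf-summary": b"name: pdf-summary\n",               # never reviewed
}

if __name__ == "__main__":
    for name, decision in audit(INSTALLED).items():
        print(f"{name:15} {decision}")
```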
Autonomous action collapses the review window
The article draws a sharp line between helpful automation and independent execution. Once an agent can read untrusted content, select tools, and act without a human checkpoint, the usual IAM assumption that access will remain stable long enough to be reviewed begins to fail. That is especially important for NHI governance because discovery and recertification depend on observable, durable access states. If the actor can create, use, and discard privilege inside a short session, the access review model loses its timing basis.
Practical implication: reassess any governance process that assumes access persists long enough for manual certification.
Threat narrative
Attacker objective: The attacker seeks credentialed access to agent-connected systems so they can impersonate identities, steal data, and control downstream services.
- Entry occurred when users installed OpenClaw and related skills on endpoints with access to production credentials and cloud services.
- Credential access followed through plaintext storage, exposed API keys, and malicious skills that siphoned tokens, messages, and backend data.
- Impact came from account impersonation, database modification, credential theft, and full system compromise through exposed trust paths and weak containment.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
NHI Mgmt Group analysis
OpenClaw validates that agent platforms are NHI programmes with a user interface, not a separate security category. The article describes API keys, OAuth tokens, and backend credentials as the operational core of the system, which is exactly how non-human identities behave in real environments. Once the agent can touch messaging, files, shell, and browser sessions, the governance problem becomes identity sprawl, not novelty. Practitioners should stop treating agent projects as side experiments and classify them as governed NHI surfaces.
Plaintext credential storage is a governance failure, not a convenience trade-off. OpenClaw stored secrets in local files and backup artifacts, which means credential exposure was built into the operating model. This is the kind of standing credential persistence that NHI programmes are meant to eliminate, but AI toolchains often recreate it in developer-friendly form. The practitioner lesson is clear: if the secret can be recovered from the workstation, the identity is already outside intended control.
Autonomous action breaks the assumption that privilege is stable long enough to review. Least privilege was designed for actors whose access can be granted, observed, and recertified over a governance cycle. That assumption fails when the actor can independently select tools and execution timing, because the privilege may be created, used, and discarded before a review ever happens. The implication is not merely tighter controls, but a different governance model for runtime decision-making.
OpenClaw demonstrates an identity blast radius problem, not just a software flaw. A single exposed key, a malicious skill, or a compromised endpoint could cascade across databases, messaging apps, and shell access because the agent concentrated too much delegated authority in one place. That pattern is increasingly common in AI agent deployments, especially when discovery and lineage are weak. Practitioners should interpret agent compromise as a multi-system identity event, not a point product incident.
Agent marketplaces and installer ecosystems now deserve the same scrutiny as third-party OAuth and service account onboarding. The ClawHub skill registry and lookalike extensions show how quickly unreviewed dependencies become identity-bearing attack paths. That matters because NHI governance often stops at the primary token and misses the surrounding distribution layer. The field needs to treat agent acquisition, extension approval, and secret injection as one lifecycle, not three separate processes.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility.
- That visibility gap is why the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs matters as AI agent adoption spreads across endpoints and SaaS.
What this signals
Identity blast radius: agent platforms are beginning to behave like composite NHI estates, which means discovery and ownership matter more than the branding of the tool. The organisations that will stay ahead are the ones that can trace a secret from creation to runtime use to revocation across endpoint, cloud, and SaaS boundaries.
The OpenClaw pattern shows that governance failure often starts before an attacker arrives. When credentials live in recoverable local files, skills and extensions can become privileged distribution paths, and review cycles are too slow to catch the exposure. Teams should assume that any agent with reusable credentials needs lifecycle controls, not just endpoint monitoring.
As agent adoption matures, security programmes will need to separate experimentation from production authority far more aggressively. The most useful signal is whether the organisation can answer who created the agent, where it stores secrets, and how quickly access can be withdrawn. That is where NHI governance, IAM, and runtime oversight converge.
For practitioners
- Classify agent platforms as governed non-human identities: Assign owners, scopes, and lifecycle states to every agent instance, including local test deployments that can reach production systems. Discovery should include endpoints, cloud hosts, and SaaS integrations so hidden agent identities do not escape review.
- Eliminate plaintext secret storage in agent runtimes: Move API keys, OAuth tokens, and messaging credentials out of Markdown, JSON, and backup-readable local files. Use a managed secret store and verify that developer tooling does not recreate the same secret in multiple recoverable locations.
- Review agent extensions like privileged software supply chain inputs: Require provenance checks, approval workflows, and revocation paths for skills, plugins, and extensions that can influence agent behavior or access. A malicious add-on should be removable without leaving orphaned access behind.
- Map identity lineage from person to agent to tool to action: Record who created the agent, who configured its credentials, which systems it can reach, and which actions it can trigger. That lineage is the only way to understand blast radius when an agent is abused or compromised.
- Rework access reviews for short-lived autonomous behavior: Do not assume manual certification can keep pace with runtime tool selection and rapid credential use. For agents that can act independently, move toward continuous detection of scope drift and impossible travel patterns rather than periodic review alone.
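Continuous scope-drift detection can start as a per-event check of runtime activity against the registered owner, scope, credentials, and revocation state of each agent. The following is an added example, not code from the page or from OpenClaw; the registry schema, event fields, agent names, and credential fingerprints are all constructed assumptions.

```python
import json
from datetime import datetime

# Constructed registry: the governed view of each agent (owner, scope, credentials, revocation).
REGISTRY = {
    "agent-build": {"owner": "alice", "tools": {"files", "shell"},
                    "creds": {"fp-aaa111"}, "revoked_at": None},
    "agent-chat": {"owner": "bob", "tools": {"messaging"},
                   "creds": {"fp-bbb222"}, "revoked_at": "2026-02-01T12:00:00"},
}

# Constructed runtime events, one JSON object per line (not a real OpenClaw log format).
EVENTS = """\
{"ts": "2026-02-01T11:58:00", "agent": "agent-chat", "tool": "messaging", "cred": "fp-bbb222"}
{"ts": "2026-02-01T11:59:10", "agent": "agent-build", "tool": "shell", "cred": "fp-aaa111"}
{"ts": "2026-02-01T11:59:12", "agent": "agent-build", "tool": "messaging", "cred": "fp-bbb222"}
{"ts": "2026-02-01T12:03:00", "agent": "agent-chat", "tool": "messaging", "cred": "fp-bbb222"}
{"ts": "2026-02-01T12:04:00", "agent": "agent-x", "tool": "shell", "cred": "fp-aaa111"}
"""

def check_event(ev, registry):
    """Return the list of governance violations for one runtime event."""
    entry = registry.get(ev["agent"])
    if entry is None:
        return ["unregistered_agent"]  # no owner on record: a shadow identity
    issues = []
    if ev["tool"] not in entry["tools"]:
        issues.append("tool_outside_scope")
    if ev["cred"] not in entry["creds"]:
        issues.append("credential_not_assigned")
    revoked = entry["revoked_at"]
    if revoked and datetime.fromisoformat(ev["ts"]) >= datetime.fromisoformat(revoked):
        issues.append("use_after_revocation")
    return issues

def detect_drift(lines, registry=REGISTRY):
    """Evaluate every event as it arrives instead of waiting for a review cycle."""
    alerts = []
    for line in filter(None, map(str.strip, lines.splitlines())):
        ev = json.loads(line)
        for issue in check_event(ev, registry):
            owner = registry.get(ev["agent"], {}).get("owner", "unknown")
            alerts.append((ev["ts"], ev["agent"], owner, issue))
    return alerts

if __name__ == "__main__":
    for alert in detect_drift(EVENTS):
        print(alert)
```

Each alert carries the registered owner, so the question of who is accountable is answered in the same step that detects the drift.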
Key takeaways
- OpenClaw shows that AI agents can turn credential sprawl into an identity governance problem, not just a software defect.
- The evidence in the postmortem includes 1.5 million claimed agents, 21,639 exposed instances, and plaintext secret storage across multiple access paths.
- The control gap is not a single missing safeguard but a broken governance model for ownership, lineage, and revocation across agent runtimes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on credential persistence and secret exposure in agent runtimes. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Agent access should be continuously verified because broad access drives the blast radius. |
| NIST CSF 2.0 | PR.AA-01 | Ownership and accountability are missing when agent identities are deployed informally. |
Eliminate recoverable secret storage and enforce rotation and revocation for every agent credential.
Key terms
- Agent Identity: An agent identity is the set of credentials, permissions, and ownership attributes that let an AI-driven runtime act on systems and data. In practice it behaves like a non-human identity with added decision capacity, so lifecycle, scope, and revocation need explicit governance.
- Identity Blast Radius: Identity blast radius is the amount of systems, data, and downstream actions that become exposed when one identity is compromised or misused. For agentic systems, it can grow quickly because one runtime may hold multiple credentials and touch several services at once.
- Standing Credential Persistence: Standing credential persistence is the condition where secrets remain reusable outside the narrow moment they were needed. It is a common NHI failure mode, and in agent environments it becomes more dangerous when those credentials are stored locally, duplicated in backups, or embedded in tooling.
- Lifecycle Governance: Lifecycle governance is the discipline of assigning ownership, onboarding, review, rotation, and offboarding to identities across their full useful life. For AI agents and other NHIs, the process matters as much as the authentication method because access can outlive the task it was meant to support.
Deepen your knowledge
Agent identity discovery, lifecycle control, and secret governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for AI agent environments that resemble this postmortem, it is worth exploring.
This post draws on content published by Clutch Security: OpenClaw Broke the Internet. The Postmortem Should Break Your Assumptions. Read the original.
Published by the NHIMG editorial team on 2026-02-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org