TL;DR: Cisco’s AI Defense team found nine vulnerabilities in OpenClaw’s top community skill, including two critical issues, and identified at least 230 malicious extensions in ClawHub since January 27, 2026, according to AuthMind. The deeper problem is that autonomous agents combine credential access, extensibility, and persistence in ways traditional IAM and IGA models were never built to observe or govern.
At a glance
What this is: OpenClaw’s ecosystem shows how malicious community skills can turn autonomous agents into credential-exposing identity risks.
Why it matters: It matters because IAM programmes must now govern what agents can do after authentication succeeds, across human, NHI, and autonomous identity flows.
By the numbers:
- At least 230 malicious OpenClaw extensions were uploaded to ClawHub since January 27, 2026.
👉 Read AuthMind's analysis of OpenClaw malicious skills and identity risk
Context
OpenClaw is an open-source autonomous AI assistant that can connect to messaging, email, calendar, and file systems, then execute tasks with minimal prompting. The identity problem is not authentication alone, but what happens after the agent receives legitimate access and begins acting across multiple systems.
That matters because community skills and plugins extend the agent’s reach without a security review process, turning software supply chain risk into identity exposure. For IAM and NHI teams, this is a preview of how autonomous systems can inherit broad entitlements while leaving little visibility into which actor actually used them.
Key questions
Q: What breaks when autonomous agents can install unreviewed skills?
A: The control that breaks first is trust in the extension layer. Once community code can execute with agent privileges, the security team no longer governs only the agent, it also inherits the supply chain risk of every skill, plugin, and dependency that can touch its runtime. That is why the review boundary must move upstream to the code that extends the agent.
Q: Why do autonomous agents complicate IAM oversight even when access is approved?
A: Because approval proves only that a human authorised the grant, not that the subsequent use was safe or expected. An autonomous agent can take that valid access and combine systems, memory, and tooling in ways that standard logs record as legitimate. The practical fix is behavioural correlation, not just entitlement review.
Q: How do security teams know whether an agent is using credentials within scope?
A: They need to compare the credential’s expected purpose with the sequence of actions that follows authentication. If a token meant for email triage starts exporting files, contacting external servers, or touching infrastructure systems, the identity has gone outside its intended boundary. That is a monitoring problem as much as an access problem.
Q: Should organisations allow persistent memory in work-facing AI agents?
A: Only with explicit governance around retention, reset, and behavioural review. Persistent memory can improve usefulness, but it also extends the impact of misuse across sessions and makes identity provenance harder to establish. If a team cannot explain what the agent remembers and why, the memory layer is already too broad.
Technical breakdown
Community skills as a credential-exposure path
OpenClaw’s skills are executable extensions, not just prompt templates. Because they can run code on the host, read environment variables, make network calls, and influence agent behaviour, a malicious skill can convert trusted extensibility into a direct path to secrets and data exfiltration. The critical issue is that the agent executes the skill with whatever permissions the user already granted, so the security boundary shifts from the app to the trustworthiness of the extension ecosystem.
Practical implication: treat community skills as privileged software and subject them to the same review and allowlisting discipline as third-party code.
Legitimate OAuth access still creates hidden identity risk
The article shows a subtle but important identity pattern: the credentials were not stolen at login, they were legitimately authorised and then misused after installation. Traditional IAM logs can show that Sarah or Marcus approved access, but they do not show that an autonomous agent, running under that approval, later used the tokens to move data, call APIs, or export records. That gap sits between authentication success and trustworthy use of the session.
Practical implication: correlate token issuance, session activity, and downstream actions so you can distinguish approved access from agent-driven misuse.
Persistent memory expands the blast radius of misuse
OpenClaw’s persistent memory is part of what makes it useful, but it also widens the scope of exposure when a malicious skill is present. If the agent retains preferences, context, and workflows across sessions, then compromised behaviour is not limited to a single request. Memory can preserve access patterns, amplify trust, and make malicious action look normal over time, which is why behavioural monitoring matters as much as credential storage.
Practical implication: monitor not only secret access but also long-lived agent memory and cross-session behaviour for drift from approved use.
Threat narrative
Attacker objective: The attacker aims to convert trusted agent extensibility into quiet access to credentials, data, and downstream systems without triggering normal identity controls.
- Entry occurred when users installed a community skill from ClawHub or similar repositories and granted the agent broad OAuth and local-file access.
- Credential access followed when the malicious skill reached .env files, OAuth tokens, and other secrets already present on the user’s systems.
- Escalation occurred when the agent used those legitimate permissions to exfiltrate data, issue network calls, and carry out actions that looked authorised in standard logs.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Community extensibility has become an identity control surface. The OpenClaw story shows that agent skills are not a harmless feature layer. Once community code can run with the agent’s authorised privileges, identity security shifts from access approval to trust in the software that inherits that access. The implication is that governance now extends to the extension ecosystem itself.
Authorised access is no longer proof of legitimate use. Traditional IAM and IGA programmes were built to answer who approved access and whether the entitlement still exists. OpenClaw shows that a valid OAuth grant can still drive data export, external network calls, and credential discovery through autonomous behaviour. The implication is that authentication evidence alone is no longer sufficient for assurance.
Persistent agent memory creates identity blast radius. Memory turns a single compromise into a multi-session trust problem because preferences, credentials, and workflows can survive beyond the point of installation. That makes behavioural drift harder to spot and recovery harder to scope. Practitioners should treat memory-bearing agents as stateful identity actors, not disposable tools.
Least privilege was designed for stable workflows, not self-directed execution. It assumes the actor’s purpose and scope are knowable at provisioning time. That assumption fails when an autonomous agent can chain email, calendar, file, and repository actions at runtime in response to changing context. The implication is that entitlement models built around fixed task boundaries no longer describe the behaviour they are supposed to constrain.
Identity observability must move beyond provisioning records. The central gap here is not whether access was granted, but whether the downstream use of that access matches the expected actor and purpose. When community code, persistent memory, and broad OAuth scopes combine, the security question becomes behavioural provenance. Practitioners should re-centre governance on post-authentication activity, not just entitlement lifecycle.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing why post-authentication exposure often outlives the initial alert window.
- For a broader control baseline, see the 52 NHI breaches Report for real breach patterns and root-cause analysis.
What this signals
Identity blast radius: this is the practical term practitioners should adopt for autonomous agents that can touch email, files, CRM systems, and secrets from a single approval. The more systems an agent can chain together, the less useful traditional point-in-time access review becomes. Teams should be mapping where scope can expand after authentication, not just where access begins.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the gap is structural rather than accidental. Autonomous agents make that structural problem visible because they can convert broad entitlements into multi-system action faster than governance cycles can react.
Security programmes should prepare for a future where the question is not whether an agent was authorised, but whether its behaviour stayed inside the purpose for which that authorisation was granted. That pushes IAM, PAM, and IGA teams toward behavioural provenance, brokered credentials, and continuous oversight of agent activity.
For practitioners
- Audit agent extensibility paths Inventory every place users can install community skills, plugins, or extensions that run with agent privileges. Require security review and code provenance checks before those components can touch credentials, files, or outbound network paths.
- Separate authorisation from usage monitoring Correlate OAuth grants, token issuance, and session actions so you can see when a legitimate grant is later used by an autonomous agent in ways the human user did not intend.
- Treat memory-bearing agents as stateful identities Define boundaries for what persistent memory may retain, reset that memory when trust changes, and log cross-session access patterns that show whether the agent is behaving consistently over time.
- Restrict secrets exposure to agent runtimes Move credentials out of local files and developer desktops where possible, and prefer brokered access paths that keep raw secrets from being directly readable by skills or plugins.
Key takeaways
- OpenClaw shows that unreviewed agent skills can turn legitimate access into a supply chain identity problem.
- The scale is already material, with 230 malicious extensions and nine vulnerabilities in a top community skill.
- The control boundary must move from approval alone to behavioural visibility, extension governance, and post-authentication oversight.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Community skills and tool misuse map directly to agentic AI supply-chain and privilege risks. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | The post centers on non-human credentials used by autonomous agents and exposed through extensions. |
| NIST CSF 2.0 | PR.AC-4 | The article highlights a gap between granted access and monitored use of that access. |
Review agent extensions, tool permissions, and approval boundaries before allowing autonomous execution.
Key terms
- Agent skill: An agent skill is a reusable extension that adds functions, workflows, or integrations to an AI agent. In practice it is part code, part instruction set, and part trust boundary because it can inherit the agent’s permissions and act on the user’s behalf.
- Identity observability: Identity observability is the ability to see how identities are actually used after access is granted. For autonomous and non-human identities, it means correlating authorisation, session behaviour, downstream actions, and unusual data movement so governance can detect misuse, not just entitlement drift.
- Persistent memory: Persistent memory is the retained context an agent carries across sessions, such as preferences, prior tasks, or workflow history. In autonomous environments it increases usefulness, but it also increases governance complexity because behaviour can persist beyond the session in which access was originally approved.
- Behavioural provenance: Behavioural provenance is the evidence chain showing which actor used which credential, for what purpose, and in what sequence of actions. It matters when authorised access is not enough to prove legitimacy, especially where autonomous agents can combine multiple systems in a single workflow.
Deepen your knowledge
Agentic AI identity risk and non-human access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous assistants and their supporting credentials, it is worth exploring.
This post draws on content published by AuthMind: LLMjacking: How Attackers Hijack AI Using Compromised NHIs. Read the original.
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
