
OpenClaw and the authorization gap: are IAM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: OpenClaw rapidly reached 150,000 GitHub stars and 300,000 to 400,000 users in under two weeks, while researchers found 341 malicious skills, CVE-2026-25253 with CVSS 8.8, and 42,665 exposed instances, according to EnforceAuth. The real failure is not access control alone but the assumption that authenticated agents can be safely governed after they begin acting independently.

NHIMG editorial — based on content published by EnforceAuth: OpenClaw security crisis and decision-centric authorization analysis

By the numbers:

Questions worth separating out

Q: What breaks when autonomous AI agents are governed like normal user accounts?

A: Identity controls built for human sessions assume access is granted, used, and then reviewed later.

Q: Why do autonomous agents complicate least privilege in enterprise IAM?

A: Least privilege is easy to define when the actor's intent is stable at provisioning time.

Q: How do memory and persistent state change AI agent security risk?

A: Persistent memory lets an agent carry instructions, preferences, and learned context across sessions, which means harmful input can survive logout.

Practitioner guidance

  • Inventory autonomous agent runtimes and their connected surfaces: map every agent that can browse, call APIs, send messages, run shell commands, or retain memory across sessions.
  • Separate approval boundaries from execution boundaries: require a distinct policy check for each high-risk action instead of relying on a single login or session grant.
  • Treat persistent memory as governed state: apply integrity controls to memory files and history stores, and review who can write boundary instructions, task context, and persistent preferences.
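The second and third points above, as an added illustration that is not code from the post or from EnforceAuth: a per-action policy decision that a valid session alone never satisfies, with one audit record per decision and an HMAC integrity check gating whether persistent memory is trusted. The action names, policy table, and key are constructed assumptions, not OpenClaw's own configuration.

```python
import hashlib
import hmac

# Constructed policy table (hypothetical): each action class an agent runtime can
# take gets its own rule, so a valid session never implies permission to act.
POLICY = {
    "browse":       {"needs_approval": False},
    "call_api":     {"needs_approval": False, "allowed_hosts": {"api.internal.example"}},
    "send_message": {"needs_approval": True},
    "run_shell":    {"needs_approval": True},
    "write_memory": {"needs_approval": False, "allowed_writers": {"operator"}},
}

AUDIT_LOG = []  # one record per decision, allowed or denied


def memory_tag(memory_bytes: bytes, key: bytes) -> str:
    """Tag written by the trusted store whenever memory is legitimately updated."""
    return hmac.new(key, memory_bytes, hashlib.sha256).hexdigest()


def memory_intact(memory_bytes: bytes, tag_hex: str, key: bytes) -> bool:
    """Verify the memory file's tag before the agent is allowed to trust its contents."""
    return hmac.compare_digest(memory_tag(memory_bytes, key), tag_hex)


def authorize(action: str, ctx: dict) -> tuple[bool, str]:
    """Decide one action from its context; the session grant is necessary, never sufficient."""
    def decide(allowed: bool, reason: str) -> tuple[bool, str]:
        AUDIT_LOG.append({"action": action, "allowed": allowed, "reason": reason, "ctx": dict(ctx)})
        return allowed, reason

    rule = POLICY.get(action)
    if rule is None:
        return decide(False, f"no policy for {action}")
    if not ctx.get("session_valid"):
        return decide(False, "no valid session")
    # Memory that fails its integrity check may carry injected instructions that
    # survived an earlier session, so nothing it could influence runs until reviewed.
    if not ctx.get("memory_ok"):
        return decide(False, "persistent memory failed integrity check")
    if rule["needs_approval"] and not ctx.get("approval_id"):
        return decide(False, f"approval required for {action}")
    if "allowed_hosts" in rule and ctx.get("host") not in rule["allowed_hosts"]:
        return decide(False, f"host not permitted: {ctx.get('host')}")
    if "allowed_writers" in rule and ctx.get("writer") not in rule["allowed_writers"]:
        return decide(False, f"writer not permitted: {ctx.get('writer')}")
    return decide(True, "allowed")
```

The `memory_ok` flag is meant to be the result of `memory_intact` computed by the runtime before each decision, so a tampered memory file denies every action rather than only memory writes.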

What's in the full article

EnforceAuth's full white paper covers the operational detail this post intentionally leaves for the source:

  • The complete OWASP Top 10 for Agentic Applications mapping, including all ten risk categories and how each one appears in OpenClaw.
  • Detailed technical analysis of CVE-2026-25253, including the gateway token theft path and the configuration changes it enabled.
  • The full decision-centric authorization architecture, including policy evaluation flow, contextual inputs, and audit logging design.
  • Specific examples of malicious skills, prompt injection paths, and persistent memory abuse that were only summarised here.

👉 Read EnforceAuth's full OpenClaw security analysis →

