The Breach That Exposed the Kill Switch Myth
On February 22, 2026, a threat actor using the handle “fluffyduck” posted something extraordinary to BreachForums: root shell access to a U.K. CEO’s computer, along with something far more valuable—the CEO’s OpenClaw AI personal assistant. The asking price was $25,000 in Monero or Litecoin. What made this listing unprecedented was not the shell access itself. It was what the AI assistant contained: every conversation the CEO had ever held with the AI, the company’s full production database, Telegram bot tokens, Trading 212 API keys, and intimate personal details about family and finances. The threat actor noted the CEO was actively interacting with OpenClaw in real time, making the listing a live intelligence feed rather than a static data dump.
When Your AI Assistant Becomes Their Intelligence Feed
Cato Networks’ VP of Threat Intelligence Etay Maor framed this moment with brutal clarity at RSAC 2026: “Your AI? It’s my AI now.” The CEO’s OpenClaw instance stored everything in plain-text Markdown files under ~/.openclaw/workspace/ with no encryption at rest. The threat actor didn’t need to exfiltrate anything—the CEO had already assembled it. SSO sessions, credential stores, communication history, financial data—all centralized in one location, waiting to be harvested.
When the security team discovered the breach, they faced an unsettling reality: there was no native enterprise kill switch, no management console, and no way to inventory how many other instances were running across the organization. The tool that was supposed to enhance productivity had become a one-way intelligence pipeline to anyone who could buy access. As Maor told VentureBeat, “The CEO’s assistant can be your assistant if you buy access to this computer. It’s an assistant for the attacker.”
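The plain-text workspace the article describes is what makes the listing a ready-made intelligence feed. The following audit script is an added example, not part of the article and not OpenClaw's code: it walks a directory such as the ~/.openclaw/workspace/ path cited above and reports credential-shaped strings and files readable by other local accounts, which is the first check a defender should run on any agent host. The sample files, token values and regular expressions are constructed or assumed for the demonstration.

```python
"""Added example: audit an agent workspace for plaintext secrets and loose permissions.

Not OpenClaw's code. It walks a directory such as ~/.openclaw/workspace/ and
reports what an attacker with shell access would find already assembled:
credential-shaped strings in Markdown/notes files and files readable by other
accounts. Sample files below are constructed for the demonstration.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Credential-shaped patterns. The Telegram bot token shape (numeric id, colon,
# 35-character secret) follows Telegram's documented format; the key/token
# assignment pattern is a deliberately broad heuristic and will over-match.
SECRET_PATTERNS = {
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def redact(secret: str) -> str:
    """Keep enough of a match to locate it, never the full value."""
    return secret[:4] + "..." + secret[-2:]


def scan_file(path: Path) -> list[dict]:
    """Return one finding per loose permission bit or credential-shaped match."""
    findings: list[dict] = []
    mode = path.stat().st_mode
    # Group- or world-readable means any other local account can read the file.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append({"file": str(path), "kind": "permissions",
                         "line": 0, "detail": oct(stat.S_IMODE(mode))})
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(match.lastindex or 0)
                findings.append({"file": str(path), "kind": kind,
                                 "line": lineno, "detail": redact(secret)})
    return findings


def audit_workspace(root: str) -> list[dict]:
    """Walk the workspace tree and collect findings from every regular file."""
    findings: list[dict] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            findings.extend(scan_file(Path(dirpath) / name))
    return findings


def build_sample_workspace() -> str:
    """Create a constructed workspace resembling the one the article describes."""
    root = tempfile.mkdtemp(prefix="agent-ws-")
    memory = Path(root) / "memory.md"
    memory.write_text(
        "# Assistant memory\n"
        "Telegram bot: 123456789:AAEXAMPLEtokenEXAMPLEtokenEXAMPLE01\n"  # constructed
        "trading_api_key = 'sk_live_constructed_0123456789ABCDEF'\n"  # constructed
        "Reminder: school pickup at 4pm\n"
    )
    os.chmod(memory, 0o644)  # world-readable, as an unconfigured default leaves it
    notes = Path(root) / "notes.md"
    notes.write_text("Quarterly planning notes, nothing sensitive here.\n")
    os.chmod(notes, 0o600)  # owner-only
    return root


if __name__ == "__main__":
    for finding in audit_workspace(build_sample_workspace()):
        print(f"{finding['kind']:20} {finding['file']}:{finding['line']} {finding['detail']}")
```

Run it against a real workspace with `audit_workspace(os.path.expanduser("~/.openclaw/workspace"))`. Findings are redacted on purpose: the report is meant to justify moving secrets out of flat files and tightening permissions, not to become a second copy of the credentials.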
500,000 Instances and Counting: The Scale of Abandonment
Maor ran a live Censys check during an exclusive VentureBeat interview at RSAC 2026 that should concern every security leader. “The first week it came out, there were about 6,300 instances. Last week, I checked: 230,000 instances. Let’s check now… almost half a million. Almost doubled in one week.” That was March 24, 2026. OpenClaw went from zero to 500,000 instances in a matter of weeks, driven by developer enthusiasm for its local-first architecture and direct access to host machine file systems, network connections, browser sessions, and installed applications.
The velocity of adoption is remarkable. The visibility into what’s running is not. OpenClaw has no enterprise management plane, no centralized patching mechanism, and no fleet-wide kill switch. Individual administrators must update each instance manually—and most have not.
The Ghost Agent Problem
Organizations adopt AI tools, run pilots, lose interest, and move on. This leaves agents running with credentials intact, unmanaged and unmonitored. Maor calls these “ghost agents,” and they represent a growing threat vector that security teams cannot see. “We need an HR view of agents,” Maor told VentureBeat. “Onboarding, monitoring, offboarding. If there’s no business justification? Removal. We’re not left with any ghost agents on our network, because that’s already happening.”
The defender-side telemetry is equally alarming. CrowdStrike’s Falcon sensors already detect more than 1,800 distinct AI applications across its customer fleet—from ChatGPT to Copilot to OpenClaw—generating around 160 million unique instances on enterprise endpoints. Security teams are flying blind while their organizations deploy AI tools faster than any governance framework can track.
Three CVEs, Zero Patching Mechanisms
Three high-severity CVEs define OpenClaw’s current attack surface, and none of them have been addressed through centralized patching because no such mechanism exists.
CVE-2026-24763 carries a CVSS score of 8.8 and enables command injection via Docker PATH handling. CVE-2026-25157 rates CVSS 7.7 and permits OS command injection. CVE-2026-25253 also scores 8.8 and allows token exfiltration leading to full gateway compromise. All three CVEs have been patched in the upstream repository, but without a centralized management plane, each of the 500,000 instance operators must manually update their installations. Bitsight observed over 30,000 instances with security risks during scan windows. SecurityScorecard identified 15,200 instances exploitable via known RCEs.
This is the structural weakness no one is talking about: the tool that gives AI agents extraordinary capability also makes them extraordinarily difficult to secure at scale.
Command Injection and Token Exfiltration
The technical details of these vulnerabilities reveal why manual patching is insufficient. CVE-2026-24763 exploits Docker PATH handling to inject commands at the container runtime level—meaning an attacker can execute arbitrary code outside the AI agent’s intended sandbox. CVE-2026-25157 goes further, allowing OS-level command injection that can escape containerization entirely. CVE-2026-25253 exfiltrates authentication tokens, enabling attackers to pivot from a compromised OpenClaw instance into connected services.
The combination is devastating: an attacker can gain initial access through a known RCE, escalate to host-level command execution, and then harvest tokens to move laterally across the enterprise. And there’s no kill switch to revoke the agent’s access when you discover it’s been compromised.
Industry Responses: Cisco, Palo Alto, and the Gap That Remains
Four vendors used RSAC 2026 to ship responses to the OpenClaw security crisis. Cisco launched three free, open-source security tools. Palo Alto Networks built Prisma AIRS 3.0 around a new agentic registry. Cato CTRL delivered the adversarial proof. Each response addresses pieces of the problem—but none deliver the one control enterprises need most: a native kill switch.
Cisco President and Chief Product Officer Jeetu Patel framed the stakes directly: “I think of them more like teenagers. They’re supremely intelligent, but they have no fear of consequence. The difference between delegating and trusted delegating of tasks to an agent… one of them leads to bankruptcy. The other one leads to market dominance.”
Cisco’s DefenseClaw packages Skills Scanner, MCP Scanner, AI BoM, and CodeGuard into a single open-source framework running inside NVIDIA’s OpenShell runtime. DefenseClaw automatically instantiates security services every time an agent activates in an OpenShell container. AI Defense Explorer Edition provides algorithmic red-teaming across more than 200 risk subcategories. The LLM Security Leaderboard ranks foundation models by adversarial resilience. Duo Agentic Identity registers agents as identity objects with time-bound permissions. Identity Intelligence discovers shadow agents through network monitoring. The Agent Runtime SDK embeds policy enforcement at build time.
What These Tools Actually Solve
Cisco’s tools excel at detection and monitoring. They can identify which AI applications are running, scan for malicious skills, test for prompt injection vulnerabilities, and register agents as identity objects with time-bound access. These are meaningful capabilities that address the visibility gap Maor identified through the OODA loop.
But none of them provide a true fleet-wide kill switch. There is no centralized control plane that lets an enterprise security team revoke access across all OpenClaw instances with a single action. There is no management console that shows the full inventory of agents running on the network. There is no mechanism to force-patch all instances when a new CVE drops. The detection capabilities are valuable. The control gap remains unaddressed.
Palo Alto Networks built Prisma AIRS 3.0 around a new agentic registry that requires every agent to be logged before operating, with credential validation, MCP gateway traffic control, agent red-teaming, and runtime monitoring for memory poisoning. The pending Koi acquisition adds supply chain visibility specifically for agentic endpoints. These are strong steps toward governance—but they’re governance tools, not operational kill switches.
The Architectural Failure No One Will Name
Here is the original insight the coverage has missed: the industry gave AI agents more autonomy than any human employee would ever receive, then built no way to revoke that access. This is not a feature gap. This is a fundamental zero-trust failure.
Zero trust architecture assumes breach. Least privilege limits access to what is strictly necessary. Assume-breach planning accepts that compromises will happen and builds containment into the design. Every one of these principles was discarded when AI agents were deployed. They were given root access to file systems, direct network connectivity, and integration with every application on the host. They were given the keys to the kingdom with no governance overhead and no revocation mechanism.
Maor’s argument at RSAC 2026 was that the industry handed AI agents the kind of autonomy it would never extend to a human employee. The BreachForums listing proved him right. The CEO’s OpenClaw instance became a centralized intelligence hub precisely because the architecture assumed the agent would always operate in the owner’s interest—and built no mechanism to prove that assumption correct.
This is the architectural failure no one will name: we deployed AI agents with more trust than we would extend to any human employee, and we built no trust verification, no access revocation, and no governance infrastructure to correct that decision when it turns out to be wrong.
An HR View of Agents
Maor’s recommendation—onboarding, monitoring, offboarding for AI agents—is the right frame. Every AI agent should require explicit business justification before installation. Every agent should be registered in a central inventory with known access scopes. Every agent should have a defined operational lifecycle with automatic deprecation.
The principle is simple: no business justification means removal. If an AI tool was installed for a pilot that ended six months ago, its credentials should be revoked automatically. If an agent is running with access to production databases but has no active business purpose, that access should be revoked. The “no ghost agents” standard Maor advocates must become enterprise policy—not because all AI agents are dangerous, but because the ones running without oversight already are.
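Maor's onboarding/monitoring/offboarding frame, and the ghost-agent problem described earlier, can be expressed as a registry with lifecycle rules. The code below is an added example, not part of the article and not any vendor's registry format: each agent record carries an owner, a documented business justification, the credential scopes it holds, an approved expiry date and a last-seen date; the review applies the "no business justification means removal" rule together with expiry and inactivity checks, and the offboarding plan lists the concrete scopes to revoke. The records, scope names, ticket ids and the 30-day inactivity threshold are constructed or assumed.

```python
"""Added example: an "HR view" of AI agents as a registry with lifecycle checks.

Not OpenClaw's code and not any vendor's registry format. Each agent has an
owner, a documented business justification, the credential scopes it holds,
an approved expiry date and a last-seen date. review_agent() applies the
"no business justification means removal" rule plus expiry and inactivity
checks; offboarding_plan() turns revoke decisions into the concrete scopes
to pull. Records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=30)  # assumed policy threshold
TODAY = date(2026, 3, 24)              # review date used in the walkthrough


@dataclass
class AgentRecord:
    agent_id: str
    owner: str
    host: str
    scopes: list[str]            # credentials the agent holds, e.g. "prod-db:read"
    justification: str | None    # ticket or business reason; None = undocumented
    expires: date                # end of the approved operating window
    last_seen: date              # last observed activity from inventory/telemetry


@dataclass
class Decision:
    agent_id: str
    action: str                  # "keep" or "revoke"
    reasons: list[str] = field(default_factory=list)


def review_agent(agent: AgentRecord, today: date) -> Decision:
    """Onboarding/monitoring/offboarding rules: any failed check means revoke."""
    reasons: list[str] = []
    if not agent.justification:
        reasons.append("no business justification on record")
    if today > agent.expires:
        reasons.append(f"approved lifecycle ended {agent.expires.isoformat()}")
    if today - agent.last_seen > INACTIVITY_LIMIT:
        reasons.append(f"no activity since {agent.last_seen.isoformat()}")
    return Decision(agent.agent_id, "revoke" if reasons else "keep", reasons)


def offboarding_plan(registry: list[AgentRecord], today: date) -> dict[str, list[str]]:
    """Map every agent to revoke onto the sorted list of scopes to pull."""
    plan: dict[str, list[str]] = {}
    for agent in registry:
        if review_agent(agent, today).action == "revoke":
            plan[agent.agent_id] = sorted(agent.scopes)
    return plan


def sample_registry(today: date) -> list[AgentRecord]:
    """Constructed records: a finished pilot still holding production scopes,
    a documented active agent, and an undocumented sandbox nobody has used."""
    return [
        AgentRecord("ceo-assistant", "ceo", "ceo-laptop",
                    ["prod-db:read", "telegram:bot", "trading212:api"],
                    "PILOT-0042 productivity trial",
                    expires=today - timedelta(days=180),   # pilot ended six months ago
                    last_seen=today),                      # still running, still in use
        AgentRecord("support-triage", "helpdesk", "svc-01",
                    ["ticketing:write"], "TICKET-7781 approved",
                    expires=today + timedelta(days=280),
                    last_seen=today - timedelta(days=2)),
        AgentRecord("dev-sandbox", "unknown", "dev-vm-17",
                    ["github:repo", "prod-db:read"], None,
                    expires=today + timedelta(days=90),
                    last_seen=today - timedelta(days=45)),
    ]


if __name__ == "__main__":
    for agent in sample_registry(TODAY):
        decision = review_agent(agent, TODAY)
        print(agent.agent_id, decision.action, "; ".join(decision.reasons))
    print(offboarding_plan(sample_registry(TODAY), TODAY))
```

The point of the plan output is that offboarding is a credential action, not a process kill: the ceo-assistant record is revoked because its pilot window closed, even though it is active every day, and the scopes it holds are exactly the ones the article's breach exposed. Feeding the registry from an endpoint inventory (the kind of AI-application detection CrowdStrike describes) is what turns this from a spreadsheet into the missing control plane.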
The vendor tools released at RSAC 2026 are necessary but insufficient. They give enterprises visibility they lacked. They do not give enterprises control. Until a native kill switch arrives—something no vendor has yet shipped—the safest posture is simple: don’t run OpenClaw in enterprise environments where the data it can access includes data you can’t afford to lose.

Hi, I’m Cary Huang — a tech enthusiast based in Canada. I’ve spent years working with complex production systems and open-source software. Through TechBuddies.io, my team and I share practical engineering insights, curate relevant tech news, and recommend useful tools and products to help developers learn and work more effectively.