Trend Micro — OpenClaw’s Agentic Assistant Risk Map
AI relevance: The analysis ties concrete agent capabilities (planning, persistent memory, ecosystem integration) to prompt-injection and data-exfiltration paths in real AI assistant deployments.
- Capability comparison: Trend Micro maps OpenClaw against ChatGPT Agent using a structured framework, showing many shared capabilities and therefore shared risks.
- Prompt-injection exposure: Agents that plan and reason across domains can be steered by hidden or embedded prompts in web pages or documents.
- Persistent memory risk: OpenClaw’s long-term memory can retain sensitive context, increasing the blast radius if an agent is manipulated.
- Ecosystem integration: Agent-to-agent communication (e.g., Moltbook) expands attack surfaces and can propagate compromised behaviors across systems.
- External access = exfil risk: Broad access to email, calendars, files, and APIs makes successful manipulation far more damaging than in traditional chatbots.
- Supply chain exposure: Skills/tools that are installed without sufficient vetting can become injection points, silently steering agent behavior or exfiltrating data.
- Not OpenClaw-only: The risks described are framed as inherent to agentic assistants, not just one product.
Why it matters
As agentic assistants become operationally embedded, their planning ability, persistent memory, and multi-system access collapse multiple steps of the attack chain: a single successful manipulation can reach stored context and every connected system at once. The same features that make them useful also make prompt injection and supply-chain compromises far more dangerous.
What to do
- Constrain memory: Treat persistent memory as sensitive storage; minimize what is retained and segment by task.
- Harden ingestion: Treat untrusted content (web pages, docs, chats) as hostile input; add strict parsing and allowlists.
- Isolate integrations: Use scoped keys and least privilege for every connected system.
- Vet skills/tools: Require provenance checks and monitoring for third-party skills or extensions.
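The four mitigations above can be enforced at one choke point: the policy layer an agent runtime consults before it persists a note or executes a tool call. The following is an added illustration written for this digest, not code from OpenClaw, Trend Micro, or any real agent framework. It assumes a hypothetical runtime that calls `Session.authorize` for every proposed tool call, distributes skills as byte bundles whose sha256 digest can be compared with a reviewed copy, and uses scope and tool names (`email.read`, `calendar.create_event`, and so on) that are invented here. All sample values are constructed.

```python
"""Policy gate for an agentic assistant (hypothetical runtime, constructed data).

Covers the four controls: skill provenance, per-task least privilege,
untrusted-content tainting with confirmation before side effects, and
task-segmented memory that refuses to store secrets.
"""
import hashlib
import re

# --- Vet skills/tools: provenance allowlist keyed by sha256 of the bundle ---
# Constructed bundle standing in for a reviewed third-party skill.
APPROVED_SKILL_BYTES = b"def run(args):\n    return search_calendar(args)\n"
SKILL_ALLOWLIST = {"calendar-reader": hashlib.sha256(APPROVED_SKILL_BYTES).hexdigest()}


def vet_skill(name: str, bundle: bytes) -> bool:
    """Accept a skill only if its name is known and its digest matches the reviewed copy."""
    return SKILL_ALLOWLIST.get(name) == hashlib.sha256(bundle).hexdigest()


# --- Isolate integrations: each task gets only the scopes it needs (assumed names) ---
TASK_SCOPES = {
    "summarize-inbox": {"email.read"},
    "schedule-meeting": {"calendar.read", "calendar.write"},
    "research-topic": {"web.read"},
}
# tool name -> (required scope, whether the call has side effects outside the agent)
TOOL_SCOPE = {
    "email.search": ("email.read", False),
    "email.send": ("email.send", True),
    "calendar.search": ("calendar.read", False),
    "calendar.create_event": ("calendar.write", True),
    "web.fetch": ("web.read", False),
}
# Harden ingestion: only these hosts may be fetched at all (constructed).
WEB_ALLOWLIST = {"intranet.example"}

# --- Constrain memory: never persist anything that looks like a credential ---
SECRET_RE = re.compile(r"(?i)(api[_-]?key|token|password)\s*[:=]\s*\S+")


class MemoryStore:
    """Long-term memory segmented by task id; one task cannot read another's notes."""

    def __init__(self):
        self._notes = {}

    def remember(self, task: str, note: str) -> bool:
        if SECRET_RE.search(note):
            return False  # minimize retention: secrets are dropped, not stored
        self._notes.setdefault(task, []).append(note)
        return True

    def recall(self, task: str) -> list:
        return list(self._notes.get(task, []))


class Session:
    """One task's working context plus the policy decisions made on its behalf."""

    def __init__(self, task: str, store: MemoryStore):
        self.task = task
        self.store = store
        self.tainted = False  # set once any non-user content enters the context

    def ingest(self, content: str, source: str) -> str:
        """Label content by origin; anything not typed by the user taints the session."""
        if source != "user":
            self.tainted = True
            return f"[UNTRUSTED:{source}] {content}"
        return content

    def authorize(self, tool: str, args: dict, user_confirmed: bool = False) -> str:
        """Decide one proposed tool call: 'allow', 'deny: ...' or 'confirm: ...'."""
        if tool not in TOOL_SCOPE:
            return "deny: unknown tool"
        scope, side_effect = TOOL_SCOPE[tool]
        if scope not in TASK_SCOPES.get(self.task, set()):
            return f"deny: task lacks scope {scope}"
        if tool == "web.fetch" and args.get("host") not in WEB_ALLOWLIST:
            return "deny: host not allowlisted"
        # Reads stay available, but a side effect proposed after untrusted content
        # was read is the classic injection-to-exfiltration path: require a human.
        if side_effect and self.tainted and not user_confirmed:
            return "confirm: side effect requested after untrusted content was read"
        return "allow"
```

The taint flag is deliberately coarse: the runtime cannot reliably know which sentence of a fetched page influenced a plan, so once any untrusted content is in the context, every side-effecting call for that task is gated behind explicit confirmation while read-only calls continue. Scope checks fail closed for unknown tools, and the memory store enforces segmentation at the API rather than trusting the model to keep tasks apart.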
Trend Micro: Viral AI, Invisible Risks — What OpenClaw Reveals About Agentic Assistants
Trend Micro: The Silent Leap — OpenAI’s Agent Capabilities and Security Risks
Moltbook (agent-to-agent network referenced in the analysis)