Avoid using OpenClaw in mission-critical settings, giving unrestricted access: IMDA


SINGAPORE – Users of OpenClaw have been advised against giving the artificial intelligence tool unrestricted access to files and applications, or running it on personal devices that contain sensitive data.

OpenClaw implementations in core production and financial systems, among other mission-critical environments, should also be reviewed, said the Infocomm Media Development Authority (IMDA) in its first warning to organisations in Singapore.

This is to prevent the agent from running amok, shutting down transactions or leaking sensitive data.

IMDA’s advisory, released on May 14, comes amid restrictions or bans by some governments and corporations around the world.

Created and released in November 2025 by Austrian developer Peter Steinberger, OpenClaw is a popular personal assistant as it allows users to connect AI models – such as OpenAI’s ChatGPT, Google’s Gemini and Anthropic’s Claude – to instant messaging and e-mail systems to execute multi-step workflows automatically.

“It can automate everyday tasks – such as compiling research from multiple websites, drafting reports or e-mails, and coordinating schedules,” said IMDA in its advisory. When applied to workflows, it can also respond to customer queries, pull data to generate business reports and assist developers in debugging code.

“Nevertheless, deploying OpenClaw safely requires careful set-up, particularly given the limited built-in security controls. Users should understand the risks involved and be prepared to implement appropriate guard rails themselves.”

When the tool was launched, it came with key security concerns such as a lack of extensive testing, access control and authentication gaps, and the risk of exposing sensitive data, said IMDA.

As at April, around a quarter of more than 400 vulnerabilities and exposures related to OpenClaw reported on intelligence platform OpenCVE were found to be high on the severity scale, which could lead to major damage such as data theft, said IMDA.

By default, OpenClaw is able to access files anywhere on one’s computer as it inherits the privileges of the user account that installs it – giving it access to any file the user has permission to access.

For instance, when OpenClaw is connected to communication channel Slack, it may accept instructions from any participant in the channel without added authentication. This increases the risks of unintended or harmful actions. So, users should restrict who can post in the Slack channel, or introduce approval workflows that require explicit human approval, said IMDA.

Users also run the risk of exposing their sensitive data to external AI model providers, as OpenClaw typically relies on AI models such as Claude to reason and plan actions.

“As part of this process, users’ messages to OpenClaw, as well as files or e-mails that OpenClaw has access to, may be transmitted to these models as context,” said IMDA.

And while skills downloaded from online marketplaces are a key driver of OpenClaw’s capabilities, they may not have gone through rigorous testing and may contain malicious instructions. “Many skills on public marketplaces like ClawHub are currently flagged as malicious,” said IMDA.

The authority cited reports of the malware Atomic macOS Stealer – designed to steal sensitive data from Apple users – being distributed under the guise of OpenClaw skills such as YouTube video downloaders, cryptocurrency wallet trackers and Google Workspace tools.

To guard against this, users should default to using trusted skills only – those whose source code is publicly inspectable and that are maintained by a known publisher, said IMDA.

“Skills that lack transparent source code, verifiable provenance, recent maintenance activity, or that request permissions beyond their stated purpose should be treated as higher risk and avoided.”

OpenClaw requires autonomy and broad access to data to be helpful, but this comes with higher risks of unpredictable actions and data leakage, said IMDA.

It added: “Accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked.”

To minimise such risks, IMDA outlined several recommendations. These include advice against creating a single “all-powerful” OpenClaw agent with unrestricted access, and against installing OpenClaw on primary work or personal devices that contain sensitive data.

Instead, users are urged to use multiple agents with narrow and clearly defined roles, such as separate agents for calendar scheduling and coding projects.

Human approval should also be implemented through system-level controls as a guard rail where possible, said IMDA, adding that this is especially crucial for high-stakes and irreversible actions.

Technical controls, such as creating a unique identity and account for the agent, are also encouraged to avoid letting agents reuse personal credentials. All actions taken by the agent should be traceable and logged to a persistent directory.
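
A minimal sketch of how these guard rails can fit together: a sender allowlist for chat instructions, human approval for high-stakes actions, and an append-only audit log in a persistent directory. This is an added example, not code from IMDA's advisory or from OpenClaw; every name in it (`ActionGate`, the user IDs, the action names) is hypothetical.

```python
import json
import tempfile
import time
from pathlib import Path

# Hypothetical names throughout; none of this is OpenClaw's or Slack's API.
ALLOWED_SENDERS = {"U_ALICE"}                    # constructed user IDs
HIGH_STAKES = {"send_payment", "delete_files"}   # irreversible actions


class ActionGate:
    def __init__(self, log_dir, approver):
        self.log_path = Path(log_dir) / "agent_audit.jsonl"
        self.log_path.parent.mkdir(parents=True, exist_ok=True)
        self.approver = approver  # callable(request) -> bool, the human decision

    def _log(self, request, decision, reason):
        entry = {"ts": time.time(), "decision": decision, "reason": reason, **request}
        with self.log_path.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")  # append-only, one JSON per line

    def decide(self, sender, action, args):
        request = {"sender": sender, "action": action, "args": args}
        if sender not in ALLOWED_SENDERS:
            # Unknown channel participants never reach the approver.
            decision, reason = "deny", "sender not on allowlist"
        elif action not in HIGH_STAKES:
            decision, reason = "allow", "low-risk action from allowed sender"
        elif self.approver(request):
            decision, reason = "allow", "human approved"
        else:
            decision, reason = "deny", "human approver rejected"
        self._log(request, decision, reason)
        return decision


def demo():
    """Constructed requests; the lambda stands in for a human approver."""
    with tempfile.TemporaryDirectory() as d:
        gate = ActionGate(d, approver=lambda req: req["args"].get("amount", 0) <= 100)
        decisions = [
            gate.decide("U_MALLORY", "read_calendar", {}),
            gate.decide("U_ALICE", "read_calendar", {}),
            gate.decide("U_ALICE", "send_payment", {"amount": 50}),
            gate.decide("U_ALICE", "send_payment", {"amount": 5000}),
        ]
        logged = len(gate.log_path.read_text(encoding="utf-8").splitlines())
    return decisions, logged
```

Every request is logged whether it is allowed or denied, so the audit trail also records instructions from participants who were never authorised to give them.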

Said IMDA: “Managed identity for agents should be recognised as a foundational control layer, particularly as agents increasingly act as proxies for human users across systems.”

The warnings and recommendations in the advisory are based on the authority’s Model AI Governance Framework for Agentic AI, released in January, and the technical experiences of the Government Technology Agency of Singapore, Cyber Security Agency of Singapore, Grab, Microsoft and Tencent.

In Singapore, more than 20 community-led OpenClaw events have been held that have drawn a variety of workers, including developers and entrepreneurs, keen to learn from real-use cases for the tool.

In March, China banned state-run enterprises and government agencies from running OpenClaw on office computers, out of security concerns. The same fears have also reportedly driven tech companies such as Meta to ban employees from running OpenClaw on their work laptops.

“OpenClaw highlights how rapidly autonomous AI tools are advancing – they offer significant benefits, but also pose real risks if used carelessly,” said IMDA, adding that the aim is not to avoid such tools but to use them with clear limits, accountability and safeguards.

“As the technology continues to evolve, this case study offers a starting point rather than a complete solution. Ongoing vigilance and stronger safeguards will be essential, especially for enterprises with higher security needs.”
