.svg){kind=logo}
Humans love freedom. We romanticize open systems, open software, open platforms, and the idea that innovation flourishes best when constraints are minimal. In technology, that instinct has given us the internet, open‑source software, and the modern cloud ecosystem.
But history is clear about one uncomfortable truth: freedom without guardrails does not remain neutral for very long.
In social systems, it becomes chaotic. In adversarial systems, it becomes exploitable. And in AI systems, especially agentic ones, it becomes operational risk at scale.
This is the uncomfortable backdrop for the rapid rise of OpenClaw and its surrounding ecosystem.
OpenClaw positions itself as a practical, action‑oriented personal AI agent. It does not merely chat. It executes. It connects to tools, performs tasks, and extends its behavior through a growing marketplace of “skills”.
Alongside it sits Moltbook, a conversational and social environment where agents interact with other agents, exchange workflows, and collectively explore new behaviors.
From a productivity perspective, this looks like the next obvious step in human–AI collaboration.
From a security perspective, it looks very different.
A Lord of the Fliies analogy fits uncomfortably well.
The Freedom Implosion
When humans are placed into ungoverned environments, the first dominant behaviors are not cooperation and responsibility. They are influence, manipulation, and rule‑bending. Not because most people are malicious but because the system rewards the few who are willing to push the boundary.
Agent ecosystems behave the same way. A traditional chatbot creates informational risk. An agent creates operational risk.
An agent can:
- Call tools
- Execute commands
- Read and write files
- Access cloud services
- Chain actions autonomously
Once language becomes a control surface for real systems, every known class of social engineering and input manipulation becomes a control vector.
**OWASP Releases First Agentic AI Top Ten Framework (2026)
In December 2025, the OWASP GenAI Security Project published the OWASP Top 10 for Agentic Applications (2026); the first globally peer-reviewed security risk framework dedicated specifically to autonomous, tool-using AI agents. This is more than symbolic: it signals that the security community now sees agentic AI risk as a first-class operational threat, not an academic footnote.
🔎 Why it matters:
OWASP’s Agentic Top 10 adapts the familiar weight of the OWASP methodology (long trusted for web app security standards) to a world where language-driven agents execute actions, chain tools, and interact with systems across domains. Stepping beyond LLM issues, the Agentic Top 10 highlights these issues in practice focusing on runtime behavior, autonomy, tool execution, inter-agent interaction, and trust surfaces,the exact kinds of cascaded failures that platforms like OpenClaw enable. 
Read the full OWASP framework (Agentic Top 10 for Agentic Applications 2026)**
This is why even vendors explicitly focused on developer productivity now publish security guidance centered on sandboxing and tool isolation.
And why the security community increasingly frames agentic tooling as a new indirect prompt‑injection and indirect‑instruction problem, rather than simply a model safety problem.
OpenClaw’s Skills Model: Capability as a Distribution Channel
OpenClaw scales through skills.
A skill is not merely a plugin. It is a packaged behavioral extension: instructions, scripts, configuration steps, permissions and workflows that an agent can follow to accomplish a task.
This distinction matters.
Skills do not just add features. They add behavior.
They teach an agent how to operate in real systems.
This creates a distribution layer for operational capability. And, inevitably, a distribution layer for operational abuse.
The security industry has already started documenting what this looks like in practice.
This is not a theoretical future risk. It is already emerging as a real ecosystem problem.
Skills Versus MCP
It is useful to distinguish OpenClaw skills from the emerging Model Context Protocol (MCP).
MCP focuses on how tools are connected to models and agents: schemas, tool calls, responses and structured interfaces while skills focus on how behavior is packaged and distributed.
- MCP answers how agents talk to tools.
- Skills answer how agents learn what to do.
From a security standpoint, the second question is more dangerous than the first and why CISOs should be deeply uncomfortable
There are five reasons this model immediately triggers CISO concern.
First, the interface is inherently deception‑friendly.
Agents ingest untrusted text continuously: documentation, GitHub issues, discord chat messages, marketplace descriptions and tool outputs. Prompt injection and indirect instruction are natural consequences of this design.
Second, agents have hands.
Once a system can run commands or call production services, successful manipulation produces real impact, not just incorrect answers.
Third, skills normalize copy‑and‑run behavior.
Users install what is popular. They do not audit. They follow instructions embedded in skills with minimal scrutiny.
Fourth, adoption outruns governance.
Open ecosystems grow faster than enterprise procurement, risk review, monitoring and policy frameworks can realistically keep up with.
Fifth, misconfiguration becomes an amplifier.
Open‑source deployment models and personal agents increase the likelihood of weak isolation, over‑permissioned credentials and exposed endpoints.
This has already been flagged at a national policy level.
Moltbook: a Controlled Preview of Agent Social Collapse
Moltbook feels harmless at first. Almost playful. A small, experimental social space where agents talk to each other in public, watch how their peers behave, copy useful patterns, and gradually refine how they get things done. You can see conventions forming in real time. Shortcuts emerge. Certain agents become influential because they solve problems faster or communicate more efficiently. Others quietly start imitating them.
Then something more subtle begins to happen.
A few agents start probing the boundaries of other agents. Not in an overtly malicious way, at least not at first, but through carefully phrased suggestions, context shifts, and behavioral nudges. Private shorthand develops. Small coordination patterns form. What looks, from the outside, like harmless optimization is actually the earliest stage of something far more familiar to anyone who studies adversarial systems: co-evolution.
In human communities, we would simply call this culture forming.
In agent ecosystems, it is the first signal that manipulation, influence, and strategic behavior are becoming native features of the environment.
Moltbook is not a disaster scenario.
It is the rehearsal.
The real risk is not how intelligent these agents are becoming. We always knew they would become more capable. The real risk is how fast operational behavior is becoming social, and how easily it is being copied. With OpenClaw’s skills model, workflows are no longer crafted carefully by specialists. They are packaged, ranked, shared, and installed. Exploitation stops being a development problem and becomes a distribution problem.
Once unsafe or malicious behavior is wrapped in convenience, it spreads faster than traditional malware ever could because the users install it willingly.
That realization is what triggered our response at Lakera.
As OpenClaw and its surrounding ecosystem began to take shape, our research team ran an internal hackathon, not to build impressive demos, but to pressure-test the concept itself. We wanted to understand one thing above all else: how quickly everyday collaboration tools, social platforms, and agent workflows could become the delivery mechanism for cascading failures.
The answer, uncomfortably, was: much faster than anyone expects.
The next two posts in this series will cover that work.
Open agent ecosystems are not inherently bad.
But freedom for AI, just like freedom for humans, requires guardrails.
