Singapore warns against unrestricted use of OpenClaw AI agents on sensitive systems
Singapore’s IMDA has warned organisations and consumers against granting OpenClaw unrestricted access to sensitive systems, citing risks of data leaks, malicious skills, unauthorised actions and severe cybersecurity vulnerabilities.

- IMDA warned against deploying OpenClaw with unrestricted access to sensitive files and production systems.
- Authorities flagged risks including malicious skills, data leaks and unauthorised actions across connected platforms.
- Users were urged to implement approval workflows, managed identities and narrow-role AI agents.

SINGAPORE: Singapore’s Infocomm Media Development Authority (IMDA) has warned organisations and consumers against giving OpenClaw unrestricted access to sensitive files, applications and production systems, citing mounting cybersecurity and operational risks linked to the rapidly growing artificial intelligence platform.
The advisory, released on 14 May, marks IMDA’s first formal warning concerning OpenClaw deployments in Singapore and comes amid increasing international scrutiny over agentic AI systems capable of autonomously carrying out multi-step digital tasks.
The authority cautioned that poorly configured OpenClaw implementations could result in systems “running amok”, disrupting business operations, shutting down transactions or exposing sensitive corporate and personal information.
OpenClaw, created by Austrian developer Peter Steinberger and released in November 2025, has become one of the most widely discussed AI personal assistants globally.
The tool enables users to connect large language models such as OpenAI’s ChatGPT, Google’s Gemini and Anthropic’s Claude to messaging platforms, e-mail systems and workplace applications to automate complex workflows.
According to IMDA, OpenClaw can automate routine tasks including compiling research from multiple websites, drafting reports and e-mails, and coordinating schedules.
The authority added that the platform is increasingly being applied to enterprise workflows, including responding to customer enquiries, generating business reports from datasets and assisting software developers with debugging tasks.
Security concerns highlighted
Despite the productivity benefits, IMDA said OpenClaw currently lacks sufficient built-in security safeguards and requires careful deployment planning.
“Nevertheless, deploying OpenClaw safely requires careful set-up, particularly given the limited built-in security controls,” the authority said in its advisory.
“Users should understand the risks involved and be prepared to implement appropriate guard rails themselves.”
IMDA said OpenClaw’s launch was accompanied by several security concerns, including insufficient testing, authentication weaknesses, poor access controls and the possibility of exposing confidential information to external systems.
The authority cited figures from intelligence platform OpenCVE, stating that, as at April, around a quarter of the more than 400 reported OpenClaw vulnerabilities and exposures were classified as high severity.
According to IMDA, such vulnerabilities could potentially lead to significant consequences including data theft and operational disruption.
The authority warned that OpenClaw inherits the privileges of the user account that installs it, meaning the software may gain access to all files and systems available to that user.
This creates risks where the AI agent could unintentionally access, modify or leak sensitive corporate and personal data.
Slack and external AI model risks
IMDA also highlighted risks involving integrations with workplace collaboration tools such as Slack.
It warned that when OpenClaw is connected to Slack channels, the system may accept instructions from any participant within the channel without additional authentication safeguards.
The authority said this could allow unintended or malicious instructions to be executed automatically.
To reduce risks, IMDA recommended restricting posting permissions within connected Slack channels and implementing approval workflows requiring explicit human authorisation before sensitive actions are carried out.
The advisory also warned that OpenClaw’s reliance on external AI reasoning models could expose users’ sensitive information to third-party providers.
According to IMDA, user messages, files and e-mails accessible to OpenClaw may be transmitted to external AI models as contextual data during planning and execution processes.
“As part of this process, users’ messages to OpenClaw, as well as files or e-mails that OpenClaw has access to, may be transmitted to these models as context,” IMDA said.
The authority also expressed concern over third-party “skills” downloaded from public online marketplaces, describing them as a major attack vector.
Malicious skills and malware threats
IMDA warned that many OpenClaw skills available on public marketplaces such as ClawHub had not undergone rigorous testing and could contain malicious code or hidden instructions.
The authority stated that “many skills on public marketplaces like ClawHub are currently flagged as malicious”.
It cited reports involving the malware Atomic macOS Stealer, which is designed to steal sensitive information from Apple users.
According to IMDA, the malware had been distributed while disguised as OpenClaw skills including YouTube downloader tools, cryptocurrency wallet trackers and Google Workspace utilities.
To mitigate such threats, the authority urged users to install only trusted skills from known publishers whose source code can be publicly inspected.
“Skills that lack transparent source code, verifiable provenance, recent maintenance activity, or that request permissions beyond their stated purpose should be treated as higher risk and avoided,” IMDA said.
Recommendations for safer deployment
IMDA stressed that OpenClaw’s effectiveness depends heavily on broad autonomy and extensive data access, but warned that these same characteristics create heightened risks of unpredictable behaviour and information leakage.
“Accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked,” the authority said.
The advisory outlined several recommendations aimed at reducing operational and cybersecurity risks.
Among them was advice against creating a single “all-powerful” OpenClaw agent with unrestricted access to systems and applications.
Instead, IMDA encouraged organisations and users to deploy multiple narrowly scoped agents assigned to clearly defined tasks.
Examples included separating scheduling functions from coding projects or administrative operations.
The authority also recommended avoiding installation of OpenClaw on primary workstations or personal devices containing highly sensitive information.
Human approval mechanisms should also be implemented wherever possible, particularly for irreversible or high-risk actions involving financial transactions, data deletion or infrastructure changes.
Technical safeguards and identity controls
IMDA further recommended creating separate digital identities and accounts specifically for AI agents rather than allowing them to reuse personal user credentials.
The authority said all agent activity should be logged and traceable through persistent audit systems.
“Managed identity for agents should be recognised as a foundational control layer, particularly as agents increasingly act as proxies for human users across systems,” IMDA said.
The recommendations were based on Singapore’s Model AI Governance Framework for Agentic AI, released in January 2026.
IMDA said the guidance also drew on technical experiences from the Government Technology Agency of Singapore, the Cyber Security Agency of Singapore, Grab, Microsoft and Tencent.
Growing global scrutiny
The advisory comes as OpenClaw faces increasing restrictions internationally over concerns surrounding cybersecurity, data governance and unauthorised communications.
In Singapore, interest in the platform remains strong despite the warnings.
More than 20 community-led OpenClaw events have reportedly been held locally, attracting developers, entrepreneurs and technology professionals interested in practical applications of the tool.
In March 2026, Chinese authorities instructed government agencies and state-owned enterprises to avoid installing OpenClaw on office devices.
The restrictions reportedly stemmed from concerns involving data security, external communications and cyberattack risks.












