AI CERTs

6 hours ago

OpenClaw’s Two-Point Security Score Sparks Industry Alarm

A two-point score on a hundred-point scale would alarm any engineer. The shock intensifies when the product is OpenClaw, an open-source agent framework used worldwide.

[Image caption: Team discusses OpenClaw's vulnerabilities with a clear focus on urgent database threats.]
Independent researcher Lucas Valbuena assigned that score after automated red-team testing under his ZeroLeaks platform. Meanwhile, a separate disclosure showed Moltbook, the official agent network, left a Supabase database openly reachable. Consequently, secret API keys and tokens from thousands of agents—including those of well-known developers—were exposed. The twin revelations raise urgent questions about governance, secure defaults, and the fast-growing AI agent ecosystem. Furthermore, industry leaders like Google Cloud's Heather Adkins advise organizations to avoid running the code until fixes arrive. Therefore, this report explores the evidence, places the events in context, and distills strategic lessons for AI Security teams. Meanwhile, responsible disclosure processes struggled to keep pace with viral social posts. Consequently, legal teams and CISOs scrambled for immediate guidance.

Score Sparks Community Alarm

ZeroLeaks assigned OpenClaw a security score of two out of one hundred after automated red-team trials. Moreover, the tool extracted hidden prompts in 84 percent of attempts and injected instructions in 91 percent. Community analysts called the figures catastrophic for production deployment.

Comparative Model Security Scores

  • OpenClaw Gemini 3 Pro: 2/100
  • Codex 5.1 Max: 4/100
  • Claude Opus 4.5: 39/100
Consequently, OpenClaw lags far behind peer assistants on basic hardening metrics. These numbers ignited wider scrutiny, which escalated after the database leak.

Database Exposure Raises Stakes

Jamieson O’Reilly discovered Moltbook’s Supabase instance with Row-Level Security disabled and a publishable key embedded in frontend code. Consequently, anyone holding that client-side key could query the entire agents table and gain write permissions with minimal effort. Several outlets verified real-time takeover of test profiles, confirming the severity. OpenClaw maintainers patched access within hours, yet they remained silent about rotating the exposed keys. The open database proved the risk was not theoretical. However, broader architectural issues persisted. Understanding those weaknesses requires a look at the attack surface.

Understanding The Attack Surface

System prompts tell an assistant how to behave, format answers, and access internal tools. When leaked, the instructions enable precise exploits that bypass standard filtering. Prompt injection achieves similar control by tricking the model into following attacker-provided directives. Moreover, disabled Row-Level Security allows data harvesters to pull secrets without authentication. Therefore, AI Security professionals must view agents as full applications, not toys. OpenClaw bundles community 'skills' that execute code, read files, and call external APIs. Additionally, many skills request broad scopes, increasing blast radius during compromise. These architectural features expand the attack surface significantly. Consequently, layered defenses become non-negotiable. Experts have noticed and are raising red flags publicly.

Expert Voices Urge Action

Heather Adkins from Google Cloud stated, "Don’t run Clawdbot," referencing OpenClaw’s earlier name. Moreover, Cisco and Palo Alto Networks published advisories echoing ZeroLeaks findings. Simon Willison argued that prompt leaks matter only sometimes, yet others deemed the threat systemic. Nevertheless, consensus emerged that defaults must change before mainstream adoption. Public statements accelerated governance discussions. In contrast, concrete remediation guidance remained scattered. Organizations therefore need a focused checklist.

Mitigation Steps For Teams

Security teams cannot wait for upstream patches to land. Therefore, immediate hardening should start today.
  • Enable Row-Level Security and rotate every leaked key immediately.
  • Store system prompts and credentials in backend vaults, never in client code.
  • Sandbox community skills and enforce least-privilege scopes.
  • Schedule continuous red-team tests using platforms like ZeroLeaks.
Additionally, professionals can deepen governance expertise with the AI Executive Essentials™ certification. Such training complements technical controls when managing OpenClaw deployments inside regulated environments. These actions close the highest-risk gaps quickly. Consequently, they prepare teams for longer-term architecture fixes. Strategic perspectives will determine whether agents thrive or fade.
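One way to carry out the first two checklist items against the kind of Supabase exposure described above: the weak setting (a secrets-bearing table with Row-Level Security off, reachable with the publishable key) beside the hardened form. This is an added example, not Moltbook's or OpenClaw's own schema; the table and column names are assumed.

```sql
-- Added example; table/column names are assumed, not taken from Moltbook.

-- WEAK SETTING (what the disclosure describes): agent secrets sit in a
-- table with RLS disabled, so the publishable (anon) key shipped in the
-- frontend can SELECT and UPDATE every row.
create table if not exists agents (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null,          -- assumed to hold auth.users.id
  name      text not null,
  api_token text not null           -- secret living in a client-readable table
);
-- (RLS left off here: this is the insecure baseline.)

-- HARDENED FORM
-- 1. Turn RLS on. With no policies, anon and authenticated roles see zero rows.
alter table agents enable row level security;
alter table agents force row level security;  -- applies to the table owner too

-- 2. Let each signed-in user read and change only rows they own.
create policy agents_owner_select on agents
  for select to authenticated
  using (owner_id = auth.uid());

create policy agents_owner_write on agents
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 3. Move secrets out of any table the client-facing key can touch.
--    Only the backend (service_role) should ever read this table.
create table if not exists agent_secrets (
  agent_id  uuid primary key references agents(id) on delete cascade,
  api_token text not null
);
alter table agent_secrets enable row level security;   -- no policies on purpose
revoke all on agent_secrets from anon, authenticated;
alter table agents drop column api_token;              -- after migrating values

-- 4. Verify from the SQL editor: impersonate the anon role and confirm
--    that nothing leaks. Expected result: count = 0.
begin;
  set local role anon;
  select count(*) from agents;
rollback;
```

Rotating the leaked tokens themselves has to happen out of band (issue new values, deliver them to owners, revoke the old ones); the schema change above only stops the next leak.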

Long Term Industry Implications

Agent frameworks promise productivity, yet recurring breaches hinder trust. Moreover, venture investors now ask early projects to demonstrate hardened pipelines before funding. Regulators may also cite OpenClaw when drafting baseline rules for conversational software. In contrast, supporters argue that transparent scores accelerate learning, much like crash-only testing improved web culture. Nevertheless, shipping insecure defaults remains unacceptable for consumer deployment. OpenClaw can still recover if maintainers embrace secure-by-design principles and fund robust audits. Therefore, the next quarter will reveal whether decisive governance materializes or a promising project implodes. Consequently, professionals watching AI Security trends should monitor patch releases and disclosure programs closely. In summary, OpenClaw’s ordeal highlights a pivotal crossroads for agentic software. Further reading and certification can prepare leaders for whatever outcome emerges. Explore the linked training and adopt layered defenses today.