I am convinced we are on the verge of the first "AI agent worm".

@mcc @dvshkn @cwebber It's very easy and being done, although in big places you'll hear screams from your devs. api.anthropic[.]com can be blocked today.

@dvshkn @mcc @cwebber So the trick here is if you install OpenClaw in secret on a user's machine who isn't checking carefully, you might hide easily in network traffic. Use of tools like Claude Code would make the same API calls, which is likely for users who would be targeted with these attacks.

The real insane part is if multiple instance of OpenClaw were running on the same machine, so not even the process name looked suspicious. But of course process names are a poor indicator and can be changed.

@mcc @cwebber You could, but I would not recommend doing so. Instead perhaps a purposed YARA lookup with a single rule to look for the filename/string? Not sure why you'd be so restrictive on detections, but you can.

@mcc @cwebber I concur with the assessment, and have been sharing similar warnings. In fact, we are beginning to see a pivot in stealer activity to install OpenClaw, etc. for exactly these purposes. It's a botnet, compute miner, and worm all in one.

@FritzAdalis @Sempf That's just the default though, and shouldn't be the only check. Luckily, since openclaw is the binary, you can also just look for process creation.

@FritzAdalis @Sempf Tanium too, methinks. The easiest tell is the openclaw folder, which is created regardless of install method.

The network detections are rough. 18789/tcp has a lot of false positives, and also the modern installation is not open by default. It also can use Tailscale for exposure, so you'll see Wireguard traffic, but not OpenClaw.

@Sempf Without chasing down binary hashes, this is the best I've found for detection/remediation: https://github.com/knostic/openclaw-detect

OpenClaw is indistinguishable from malware and should be treated as such in enterprise networks.

Do what you want with your own data and gear, but bring that garbage onto my network and I am locking all phaser banks.

https://www.404media.co/meta-director-of-ai-safety-allows-ai-agent-to-accidentally-delete-her-inbox/

@tante @stefan_hessbrueggen In the thread!