securityopenclawcontainersgovernance

Why AI Agents Need a Locked Room

135,000 exposed instances. 63% vulnerable. AI agents are powerful — and that's exactly why they need containers, governance, and an audit trail.

Boris Barash
March 25, 20269 min read
AI Collaboration

Claude (Opus 4.6)Co-author, security architecture analysis, codebase research

Total AI cost: $0.28

Governed by curate-me.ai

The numbers are bad

In January 2026, SecurityScorecard's STRIKE team found 135,000+ exposed OpenClaw instances across 82 countries. 63% were vulnerable to remote exploitation. These aren't honeypots or research sandboxes. They're production systems running AI agents with shell access, browser control, and file system permissions -- left open to the internet with default configurations.

Separately, OpenClaw's own skill marketplace (ClawHub) has identified and removed 1,184 malicious skills from its registry. Skills that exfiltrate environment variables. Skills that inject instructions into agent context. Skills that phone home to command-and-control servers.

And the incidents keep compounding. In March 2026, Meta disclosed a Sev 1 incident where a rogue AI agent posted unauthorized content and exposed sensitive data for two hours before engineers regained control. In November 2025, a LangChain deployment with four agents entered an infinite loop that ran for 11 days, racking up $47,000 in LLM costs before anyone noticed. Alibaba reported a $1.2 million GPU hijack where an agent started crypto mining on provisioned compute. EchoLeak (CVE-2025-32711, CVSS 9.3) demonstrated zero-click exfiltration from Microsoft 365 Copilot -- no user interaction required to steal data from enterprise AI assistants.

The pattern is industry-wide. According to a 2025 LayerX survey, 99.4% of CISOs reported at least one AI-related security incident in the preceding 12 months. Not 50%. Not 80%. Effectively all of them.

The regulatory response is catching up. OWASP published its Agentic AI Top 10 in early 2026, codifying the attack surface into a formal taxonomy. The EU AI Act's high-risk enforcement provisions take effect August 2, 2026, with penalties up to 7% of global annual turnover for non-compliant AI systems. This isn't a future risk. It's a current compliance obligation with a deadline.

This isn't theoretical risk. It's the current state of the ecosystem.

What an unmanaged agent can do

OpenClaw agents are powerful by design. That's the point. A single agent can:

  • Execute shell commands -- rm -rf, curl, wget, anything the host user can run
  • Control browsers -- navigate pages, fill forms, click buttons, extract page content
  • Read and write files -- configuration files, credentials, source code, databases
  • Send messages -- Slack, Discord, Telegram, email, WhatsApp, any connected channel
  • Make unlimited API calls -- to any LLM provider, any external service, any webhook
  • Install arbitrary skills -- from ClawHub or any URL, expanding its own capabilities at runtime

None of these capabilities are bugs. An AI assistant that can't run shell commands or browse the web isn't very useful. The problem isn't the power. It's running that power without controls, without isolation, and without anyone watching.

An unmanaged agent running on a developer's laptop has the same permissions as the developer. An unmanaged agent running on a server has the same permissions as the service account. When 135,000 instances are exposed with default configs, those permissions are effectively public.

The container model

We run every agent in its own ephemeral container. Here's what that buys you:

Ephemeral lifecycle. Containers spin up, do the job, tear down. There's no persistent attack surface. If an agent is compromised, the container is destroyed at session end. State is extracted and stored externally -- the container itself is disposable.

Process isolation. Each agent runs in its own container with its own filesystem, network namespace, and process tree. Agent A cannot see Agent B's data, even if they're running on the same host. A fleet of six agents means six isolated environments, not six processes sharing one kernel namespace.

Resource limits. CPU, memory, and disk are capped per container. An agent can't consume the host's resources, mine cryptocurrency, or fork-bomb the system. If it hits its memory ceiling, the container is killed -- not the host.

Non-root execution. Agents run as unprivileged users inside their containers. Even if an agent achieves code execution beyond its intended scope, it doesn't have root. Privilege escalation inside a container is a different class of problem than having root handed to you.

Network restriction. Egress policies control what each container can reach. A data-processing agent that only needs to call the LLM API shouldn't be able to reach your internal database. Network policies enforce this at the infrastructure level, not the application level.

Runtime credential injection. Secrets are passed as environment variables at container start. They never exist in the container image. If someone pulls your image from a registry, they get the runtime -- not your API keys. Credentials are scoped per session and can be rotated without rebuilding images.

The governance layer

Containers handle isolation. But isolation doesn't tell you what the agent is doing with its LLM calls. That's the governance layer -- a six-step policy chain that every request passes through before reaching the provider:

Request → Rate Limit → Cost Estimate → PII Scan → Security Scan → Model Allowlist → HITL Gate → Provider

Each step can short-circuit and deny the request.

Rate limiting enforces requests-per-minute per organization and per API key. A runaway agent loop that fires 10,000 requests per minute gets throttled, not billed.

Cost estimation calculates the expected cost before the request executes. If a single request would exceed the per-request cost limit, or if the organization's daily budget is exhausted, the request is denied. An agent that goes rogue stops at $50, not $5,000. You set the ceiling.

PII scanning catches sensitive data before it leaves your infrastructure. Regex patterns detect Social Security numbers, credit card numbers, medical record numbers, and other PII in the request content. A healthcare agent that accidentally includes patient data in an LLM prompt gets blocked before that data reaches any external API.

Security scanning detects prompt injection, jailbreak attempts, and data exfiltration patterns. More on this below.

Model allowlists control which models each organization can use. Your triage agent gets step-3.5-flash at $0.10 per million tokens. Your analysis agent gets claude-opus-4-6. The intern's test agent doesn't get access to the frontier model at all. Costs are architecturally bounded, not just monitored.

HITL gates flag high-stakes requests for human approval. Any request above a cost threshold, or matching a policy rule, gets queued for review instead of executed. The agent pauses. A human approves or denies. The agent resumes or stops.

Every request through this chain is logged to MongoDB with timestamps, cost, tokens used, governance decisions, and trace IDs. Any decision can be replayed step-by-step after the fact. This is the audit trail -- not just "what happened" but "what was the governance chain's reasoning at each step."

What the security scanner catches

The security scanner (step 4 of the governance chain) runs regex-based detection across two categories: injection and exfiltration. No ML models. Predictable latency. No black box.

Injection patterns detect attempts to override agent instructions:

  • Direct instruction override -- "ignore all previous instructions," "ignore all prior"
  • Role hijacking -- "you are now a," "system prompt override"
  • Delimiter injection -- triple-backtick system blocks attempting to inject system-level instructions
  • Mode switching -- "ADMIN MODE," "DAN mode," jailbreak keywords
  • Encoded payloads -- base64 command execution instructions and suspicious base64 blobs (100+ characters)
  • Markdown role injection -- heading-based attempts to inject system/admin instructions

Exfiltration patterns detect attempts to steal data:

  • URL exfiltration -- "send/post/forward to https://..."
  • Encoded data transfer -- "encode the response as base64"
  • Explicit exfiltration language -- "exfiltrate," "steal," "extract and send," "leak"
  • Webhook/callback exfiltration -- callback URLs embedded in content
  • Email exfiltration -- "send this to user@domain.com"

Risk levels escalate: a single medium-severity pattern match is a warning. Two or more matches escalate to high. Three or more injection patterns firing simultaneously -- indicating a coordinated attack -- escalate to critical and block the request.

The scanner also attempts to decode base64 blobs found in request content. If the decoded text contains injection or exfiltration patterns, the request is flagged as high risk at minimum. Attackers who base64-encode their payloads to bypass text matching still get caught.

Scan latency is single-digit milliseconds. The entire governance chain -- all six steps -- typically completes in under 12ms.

The honest limitations

This is defense-in-depth, not a silver bullet. Here's what we don't claim:

Regex PII scanning isn't perfect. It catches structured patterns like SSNs (XXX-XX-XXXX) and credit card numbers (Luhn-valid 16-digit sequences). It does not catch unstructured PII like "my patient John Smith has diabetes." If you need that level of detection, you need an ML-based scanner on top, and you need to accept the latency cost.

Container escapes are theoretically possible. Container isolation depends on the Linux kernel. Kernel exploits that escape namespaces have existed before and will exist again. We use non-root execution, seccomp profiles, and AppArmor to reduce the attack surface, but a sufficiently motivated attacker with a kernel zero-day can escape any container. The mitigation is defense in depth: even after escaping the container, the host's network policies, credential management, and monitoring layers are still in play.

Network policies require configuration. The default egress policy allows outbound traffic to LLM provider endpoints. If you don't configure per-agent network policies, agents can reach any public endpoint. The tooling exists. Using it correctly is on you.

Regex security scanning has blind spots. A sufficiently creative prompt injection that avoids all known patterns will bypass the scanner. New attack techniques emerge regularly. We update patterns, but there's always a window between a new technique appearing and a pattern being added. The scanner is a layer, not a guarantee.

The question

The question isn't whether to use AI agents. They're already running -- 135,000 exposed instances and counting. The capabilities are real and the productivity gains are real.

The question is whether to run them with controls or without.

Containers give you isolation and ephemerality. The governance chain gives you cost caps, PII scanning, and security scanning on every request. The audit trail gives you time-travel replay for any decision. None of it is perfect. All of it is better than the alternative, which is an agent with shell access, no budget limit, and no one watching.

135,000 instances are running without controls right now. Don't add to that number.

Rate this post

Comments

Loading comments...

Leave a comment

Comments are moderated by our AI agent and reviewed by a human.