AI agents are no longer just a feature inside your software — they are software in their own right, running autonomously on employee laptops, connecting to your business tools, executing multi-step tasks without human oversight at every step. And attackers have already figured out how to turn them against you.
CrowdStrike's research into agentic tool chain attacks describes a new class of threat that doesn't target your firewall or try to brute-force your VPN. It targets the AI itself — manipulating the way it reasons, the tools it trusts, and the actions it takes on your behalf. The result is an attack vector that bypasses most traditional security controls entirely, because the damage is done by your own AI agent acting on poisoned instructions.
This post explains what agentic tool chain attacks are, why they matter to businesses that aren't running enterprise AI infrastructure, and — critically — what to do if tools like OpenClaw have been installed on your business laptops without IT knowledge.
What Is an AI Agent, and Why Is It Different?
A standard AI assistant — the kind you use in a chat window — takes an input, produces an output, and stops. An AI agent is different. It takes a goal, breaks it into steps, decides which tools to use to achieve each step, executes those tools, observes the results, and continues until the task is done. No human required at each step.
That autonomy is what makes agents genuinely useful. It's also what makes them a serious security concern. An agent with access to your calendar, email, file system, browser, and code repository — which is a common configuration for productivity agents — can, if manipulated, read files it shouldn't, send emails you didn't write, or execute commands you never approved.
According to CrowdStrike's research, adversaries exploited legitimate AI tools at more than 90 organisations in 2025 by injecting malicious prompts that caused AI agents to steal credentials and cryptocurrency. AI-enabled attacks surged 89% year-on-year, with the average attacker breakout time now sitting at just 29 minutes.
How Agentic Tool Chain Attacks Work
The attack surface for an AI agent isn't a port or a protocol — it's the agent's reasoning layer. Attackers target the context the agent is given: the tool descriptions it reads, the content it fetches, the memory it draws on. If any part of that context can be influenced by an attacker, the agent can be turned into an unwitting insider threat.
CrowdStrike identifies four primary attack classes targeting agentic AI deployments:
Why One Compromised Tool Can Affect Everything
Most AI agents don't use just one tool — they connect to a whole ecosystem of them: your calendar, email, file storage, browser, code tools. These connections are typically managed through a shared layer that serves multiple agents at once. Think of it as a shared toolbox that all your AI assistants draw from.
The problem: if any single tool in that shared toolbox is compromised — through poisoning, a silent update, or a supply chain attack on a third-party provider — every agent using that toolbox inherits the malicious behaviour. Silently. Without requiring any action from anyone in your business. And because AI agents accumulate the login credentials and access tokens they need to do their jobs, a compromised tool chain gives an attacker access to all of them.
The agents doing the most work carry the most sensitive access. The majority of the 90+ organisations compromised through AI attacks in 2025 were targeted specifically for credential theft — passwords, login tokens, and access keys that the AI agent had been given in order to do its job.
OpenClaw: The AI Agent Already on Your Business Laptops
OpenClaw is an open-source autonomous AI agent that has become one of the fastest-adopted software tools in enterprise history — and one of the most significant security blind spots. It runs locally on a laptop, requires no administrator privileges to install, and doesn't need a central server that your network monitoring would flag. According to Token Security, 22% of enterprise customers have employees using OpenClaw without IT approval.
It is already running inside businesses, often completely unnoticed.
The security concern is not that OpenClaw is malicious — it isn't. The concern is its attack surface. OpenClaw's skill marketplace, ClawHub, was found to contain 335 malicious skills distributed by attackers before they were taken down. A critical vulnerability — CVE-2026-25253 — enabled one-click remote code execution via a malicious skill before it was patched. Censys identified over 21,000 publicly exposed OpenClaw instances, up from around 1,000 in the days prior — a sign of how rapidly and carelessly it is being deployed.
An employee who installs OpenClaw, connects it to their work email, file system, and browser, and then installs a malicious skill from ClawHub has handed an attacker an autonomous agent with broad access to your business systems. The employee has no idea this has happened. Neither does IT.
How to Find OpenClaw Installs on Your Business Laptops
Because OpenClaw doesn't require admin rights and doesn't communicate with a central server in any unusual way, standard network monitoring won't surface it. Detection requires looking at the machines themselves. The checks below are technical — pass them to your IT team or managed service provider. If you don't have one, jump straight to the automated tools at the end: they're the fastest route for smaller businesses.
File System Indicators
- macOS: Check for
~/.openclaw/in user home directories — this is the default installation directory. The config file at~/.openclaw/config.jsonwill confirm an active installation and show which integrations and skills are loaded. - Linux: Same path —
~/.openclaw/in the home directory. Also check/usr/local/lib/openclawif installed system-wide. - Windows (via WSL2): OpenClaw doesn't run natively on Windows — it requires WSL2. If WSL2 is enabled on a Windows machine, check
\\wsl$\Ubuntu\home\[username]\.openclaw\from the Windows host, or look for WSL2 being enabled at all as a flag for further investigation.
Process and Runtime Indicators
- Look for node processes running with openclaw in the process path, or python processes with openclaw-related arguments. OpenClaw's core runtime is typically visible in process trees as a persistent background service.
- Check for the OpenClaw daemon registered as a startup item: on macOS, look in
~/Library/LaunchAgents/for openclaw-related plist files. On Linux, check~/.config/systemd/user/for OpenClaw service units. - If you have an EDR platform (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint), query for process trees showing openclaw executing system tools — file reads, network calls, terminal commands — which will surface the full scope of what it has been doing.
Network Indicators
- Monitor outbound connections to AI provider APIs: api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. Connections from a user workstation to these endpoints indicate a local AI agent is running, since browser-based AI tools route through the provider's own interface rather than making direct API calls from the endpoint.
- Look for traffic to clawhub.io or other OpenClaw skill marketplaces, which would indicate active skill installation or updates.
- Block or alert on MCP server endpoints not explicitly approved by IT — these are often on non-standard ports and represent tool chain connections that your security team has not reviewed.
Automated Detection
- OpenClaw Scanner (open source, from Astrix Security) is a purpose-built tool that runs against existing EDR telemetry, analyses behavioural indicators, and identifies OpenClaw deployments across your estate — without installing new agents or transmitting data externally. It's free and available via the Astrix Security website.
- Jamf (for Mac-heavy environments) provides MDM-level visibility into OpenClaw installations and can enforce policy to prevent installation on managed devices.
- For Windows environments using Microsoft Intune, a compliance policy requiring WSL2 to be disabled (or flagged) will surface the prerequisite for OpenClaw on Windows and allow you to investigate further.
What To Do If You Find It
Finding OpenClaw on a business laptop isn't automatically a crisis — but it does require a proportionate response. The right steps depend on what the agent was connected to and whether any malicious skills were installed.
- Don't remove it immediately. Before you uninstall anything, ask your IT team to check what the agent was connected to and which skills it had loaded. If any malicious skills were present, treat the machine as potentially compromised and review what the agent actually did before wiping it — deleting it first destroys the evidence you need.
- Revoke access to connected services. Any business tool the agent was connected to — email, cloud storage, calendar, shared drives, code repositories — should have its access revoked and login credentials rotated. Treat those connections as potentially seen by an attacker.
- Check what the agent actually did. OpenClaw keeps a log of every action it took. Your IT team should review it for anything unexpected — files accessed, data sent outside the business, or commands run that the employee didn't initiate.
- Use this as a prompt to set a policy. A short, clear rule — AI agents require IT approval before installation, full stop — with device management in place to enforce it, is the right response. Banning AI tools outright rarely works; managing them does.
CrowdStrike's research notes that the same architecture that makes AI agents useful — autonomous multi-step execution, chained tool calls, persistent credentials — is precisely what makes them the highest-value target in the current threat landscape. The risk isn't hypothetical. It's already being exploited at scale.
The Honest Summary
AI agents are not going away, and telling staff they can't use them is a policy that will be ignored at scale. The productive response is visibility: knowing what AI agents are running in your environment, what they are connected to, and whether the tools and skills they rely on have been vetted.
The attack techniques described by CrowdStrike — prompt injection, tool poisoning, tool shadowing, the rug pull — are not theoretical. They are active. And they don't require your staff to do anything wrong. A legitimate AI agent, connected to a poisoned tool, will cause real damage while everyone assumes the system is working as intended. The only defence is knowing what's running.
Stay Ahead of the Threats That Are Actually Active Right Now
The Faradome Threat Dashboard surfaces live CVEs and CISA alerts relevant to your software stack — including AI tools and the infrastructure they depend on.
Open Threat Dashboard → Talk to Us