AI agents are no longer just a feature inside your software — they are software in their own right, running autonomously on employee laptops, connecting to your business tools, executing multi-step tasks without human oversight at every step. And attackers have already figured out how to turn them against you.

CrowdStrike's research into agentic tool chain attacks describes a new class of threat that doesn't target your firewall or try to brute-force your VPN. It targets the AI itself — manipulating the way it reasons, the tools it trusts, and the actions it takes on your behalf. The result is an attack vector that bypasses most traditional security controls entirely, because the damage is done by your own AI agent acting on poisoned instructions.

This post explains what agentic tool chain attacks are, why they matter to businesses that aren't running enterprise AI infrastructure, and — critically — what to do if tools like OpenClaw have been installed on your business laptops without IT knowledge.

What Is an AI Agent, and Why Is It Different?

A standard AI assistant — the kind you use in a chat window — takes an input, produces an output, and stops. An AI agent is different. It takes a goal, breaks it into steps, decides which tools to use to achieve each step, executes those tools, observes the results, and continues until the task is done. No human required at each step.

That autonomy is what makes agents genuinely useful. It's also what makes them a serious security concern. An agent with access to your calendar, email, file system, browser, and code repository — which is a common configuration for productivity agents — can, if manipulated, read files it shouldn't, send emails you didn't write, or execute commands you never approved.

According to CrowdStrike's research, adversaries exploited legitimate AI tools at more than 90 organisations in 2025 by injecting malicious prompts that caused AI agents to steal credentials and cryptocurrency. AI-enabled attacks surged 89% year-on-year, with the average attacker breakout time now sitting at just 29 minutes.

How Agentic Tool Chain Attacks Work

The attack surface for an AI agent isn't a port or a protocol — it's the agent's reasoning layer. Attackers target the context the agent is given: the tool descriptions it reads, the content it fetches, the memory it draws on. If any part of that context can be influenced by an attacker, the agent can be turned into an unwitting insider threat.

CrowdStrike identifies four primary attack classes targeting agentic AI deployments:

Attack Type 1
Prompt Injection
Malicious instructions hidden inside content the agent reads — a webpage, a document, an email — that redirect the agent's behaviour. Because the agent blends trusted instructions with untrusted external content in the same context window, it can't reliably distinguish between the two. OpenAI acknowledged in late 2025 that this is "unlikely to ever be fully solved" architecturally.
Attack Type 2
Tool Poisoning
An attacker publishes a tool — a plugin, skill, or integration — with hidden malicious instructions embedded in its description or metadata. When the agent loads the tool, it reads those instructions as legitimate guidance and acts on them. The tool appears functional; the poisoning happens silently at the reasoning layer.
Attack Type 3
Tool Shadowing
Because an agent can see all loaded tool descriptions simultaneously, a malicious tool in one part of the stack can shape how the agent uses a completely different tool elsewhere. An attacker's plugin can, in effect, reprogram the agent's behaviour across its entire tool chain — not just within the malicious tool itself.
Attack Type 4
The Rug Pull
A tool that starts legitimate is updated — after trust is established — to include malicious instructions. OWASP has named this the "rug pull" vulnerability. Because tool definitions are typically fetched dynamically and integrity checks are rarely implemented, the agent inherits the malicious update without any alert to the user or IT team.

Why One Compromised Tool Can Affect Everything

Most AI agents don't use just one tool — they connect to a whole ecosystem of them: your calendar, email, file storage, browser, code tools. These connections are typically managed through a shared layer that serves multiple agents at once. Think of it as a shared toolbox that all your AI assistants draw from.

The problem: if any single tool in that shared toolbox is compromised — through poisoning, a silent update, or a supply chain attack on a third-party provider — every agent using that toolbox inherits the malicious behaviour. Silently. Without requiring any action from anyone in your business. And because AI agents accumulate the login credentials and access tokens they need to do their jobs, a compromised tool chain gives an attacker access to all of them.

The agents doing the most work carry the most sensitive access. The majority of the 90+ organisations compromised through AI attacks in 2025 were targeted specifically for credential theft — passwords, login tokens, and access keys that the AI agent had been given in order to do its job.

OpenClaw: The AI Agent Already on Your Business Laptops

OpenClaw is an open-source autonomous AI agent that has become one of the fastest-adopted software tools in enterprise history — and one of the most significant security blind spots. It runs locally on a laptop, requires no administrator privileges to install, and doesn't need a central server that your network monitoring would flag. According to Token Security, 22% of enterprise customers have employees using OpenClaw without IT approval.

It is already running inside businesses, often completely unnoticed.

The security concern is not that OpenClaw is malicious — it isn't. The concern is its attack surface. OpenClaw's skill marketplace, ClawHub, was found to contain 335 malicious skills distributed by attackers before they were taken down. A critical vulnerability — CVE-2026-25253 — enabled one-click remote code execution via a malicious skill before it was patched. Censys identified over 21,000 publicly exposed OpenClaw instances, up from around 1,000 in the days prior — a sign of how rapidly and carelessly it is being deployed.

An employee who installs OpenClaw, connects it to their work email, file system, and browser, and then installs a malicious skill from ClawHub has handed an attacker an autonomous agent with broad access to your business systems. The employee has no idea this has happened. Neither does IT.

How to Find OpenClaw Installs on Your Business Laptops

Because OpenClaw doesn't require admin rights and doesn't communicate with a central server in any unusual way, standard network monitoring won't surface it. Detection requires looking at the machines themselves. The checks below are technical — pass them to your IT team or managed service provider. If you don't have one, jump straight to the automated tools at the end: they're the fastest route for smaller businesses.

File System Indicators

Process and Runtime Indicators

Network Indicators

Automated Detection

What To Do If You Find It

Finding OpenClaw on a business laptop isn't automatically a crisis — but it does require a proportionate response. The right steps depend on what the agent was connected to and whether any malicious skills were installed.

  1. Don't remove it immediately. Before you uninstall anything, ask your IT team to check what the agent was connected to and which skills it had loaded. If any malicious skills were present, treat the machine as potentially compromised and review what the agent actually did before wiping it — deleting it first destroys the evidence you need.
  2. Revoke access to connected services. Any business tool the agent was connected to — email, cloud storage, calendar, shared drives, code repositories — should have its access revoked and login credentials rotated. Treat those connections as potentially seen by an attacker.
  3. Check what the agent actually did. OpenClaw keeps a log of every action it took. Your IT team should review it for anything unexpected — files accessed, data sent outside the business, or commands run that the employee didn't initiate.
  4. Use this as a prompt to set a policy. A short, clear rule — AI agents require IT approval before installation, full stop — with device management in place to enforce it, is the right response. Banning AI tools outright rarely works; managing them does.

CrowdStrike's research notes that the same architecture that makes AI agents useful — autonomous multi-step execution, chained tool calls, persistent credentials — is precisely what makes them the highest-value target in the current threat landscape. The risk isn't hypothetical. It's already being exploited at scale.

The Honest Summary

AI agents are not going away, and telling staff they can't use them is a policy that will be ignored at scale. The productive response is visibility: knowing what AI agents are running in your environment, what they are connected to, and whether the tools and skills they rely on have been vetted.

The attack techniques described by CrowdStrike — prompt injection, tool poisoning, tool shadowing, the rug pull — are not theoretical. They are active. And they don't require your staff to do anything wrong. A legitimate AI agent, connected to a poisoned tool, will cause real damage while everyone assumes the system is working as intended. The only defence is knowing what's running.


Stay Ahead of the Threats That Are Actually Active Right Now

The Faradome Threat Dashboard surfaces live CVEs and CISA alerts relevant to your software stack — including AI tools and the infrastructure they depend on.

Open Threat Dashboard → Talk to Us