Taming the Giant Red Lobster

How our team secured and deployed OpenClaw as a company-wide AI assistant in under a month
Han Zhengguang & Jeremy Chiam, part of the engineering team

“Every company in the world today needs an OpenClaw strategy.” ~ Jensen Huang, CEO of NVIDIA

When Jensen Huang made that statement, the reaction was predictable: breathless hype on one side, security panic on the other. We took neither position. We assembled a cross-functional team, gave them a clear mandate (minimise risk, maximise value), and got to work. Within a month, we went from an exploratory kickoff to a fully secured, scrum-integrated AI assistant that our developers now use daily.

This article covers what we built, how we secured it, and what it looks like in practice.

OpenClaw in Brief

OpenClaw is an open-source AI agent orchestration framework that reached 247,000 GitHub stars within four months of its November 2025 release. Unlike a chatbot, it orchestrates multiple specialised agents in parallel, each connected to real tools: messaging platforms, code repositories, databases, log systems, and documentation wikis. Its open skill ecosystem (ClawHub, 13,000+ community skills) makes it highly extensible.

That extensibility is also its risk. Agents run with deep system privileges and make arbitrary outbound HTTP requests. By February 2026, researchers had found hundreds of malicious skills in the public registry and a critical CVE (CVE-2026-25253, CVSS 8.8) made headlines. The security concerns were legitimate, which is why we built out our network architecture and controls before connecting anything to production.

OpenClaw: the open-source harness that turns an LLM into an agent — tools, skills, and orchestration in one runtime.

Securing the Agent

The core problem with any agent framework that needs broad system access is that it wants to talk to everything: our Slack workspace, Git repositories, databases, documentation wikis, and log aggregation systems. By default, an OpenClaw agent can make arbitrary outbound HTTP requests to any destination. Before connecting anything to production, we built a security architecture sized to the risks above. The agent runs sandboxed, and every interaction with the outside world passes through a controlled boundary.

Here is what we specifically addressed, and the outcome under our architecture:

Credential theft via prompt injection or a compromised skill. The agent never touches any tokens. There is nothing in its environment to exfiltrate, even under a worst-case compromise.

Data exfiltration to attacker-controlled destinations. All outbound data passes a controlled boundary; unapproved destinations are blocked, no matter how the agent is coerced.

Unauthorised writes to production. Every token the agent operates under is scoped to least privilege. There is no path for the agent to push code, modify CI/CD pipelines, or alter system configuration.

Malicious skills and supply-chain compromise. Even an installed malicious skill cannot reach attacker infrastructure or move data off-network — the boundary catches it regardless of how the agent itself is configured.

Loss of accountability. Every action the agent takes is logged and auditable. We can replay exactly what happened, when, and on whose behalf.

The goal: a compromised agent has nothing useful to steal and nowhere unapproved to send anything.
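The boundary described above, reduced to its policy core as an added example (this is not OpenClaw's code or our deployment's): an egress check that allowlists destinations, keeps credentials on the boundary side so the agent process never holds a token, enforces read-only access, and writes an audit record for every decision. Hostnames, tokens and actor ids are constructed placeholders.

```python
# Added example of the egress boundary's policy core; not OpenClaw's code.
# Hostnames, tokens and actor ids below are constructed placeholders.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import time

# Tokens live on the boundary, never in the agent process: the agent names a
# destination and the boundary decides whether, and with what credential, to forward.
ALLOWLIST = {
    "gitlab.internal.example": {"read_only": True, "token": "glpat-PLACEHOLDER"},
    "confluence.internal.example": {"read_only": True, "token": "conf-PLACEHOLDER"},
    "kibana.internal.example": {"read_only": True, "token": "kib-PLACEHOLDER"},
}
READ_METHODS = {"GET", "HEAD"}

@dataclass
class Decision:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)  # populated only when allowed

def evaluate(method: str, url: str, actor: str, audit_log: list) -> Decision:
    """Check one outbound request against policy and record the outcome."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # strips userinfo/port: "https://good@evil/" -> "evil"
    policy = ALLOWLIST.get(host)
    method = method.upper()
    if parts.scheme != "https":
        decision = Decision(False, f"scheme {parts.scheme!r} not permitted")
    elif policy is None:
        decision = Decision(False, f"destination {host!r} not on allowlist")
    elif policy["read_only"] and method not in READ_METHODS:
        decision = Decision(False, f"{method} not permitted on read-only destination {host!r}")
    else:
        # Credential attached here, on the boundary side; the agent never sees it.
        decision = Decision(True, "allowed", {"Authorization": f"Bearer {policy['token']}"})
    # Audit record: who asked for what, and why it was decided. Never the token.
    audit_log.append({"ts": time.time(), "actor": actor, "method": method,
                      "url": url, "allowed": decision.allowed, "reason": decision.reason})
    return decision

if __name__ == "__main__":
    log = []
    for m, u in [("GET", "https://gitlab.internal.example/api/v4/projects/1/repository/tree"),
                 ("POST", "https://gitlab.internal.example/api/v4/projects/1/merge_requests"),
                 ("GET", "https://attacker.example/collect?d=x"),
                 ("GET", "https://gitlab.internal.example@attacker.example/")]:
        d = evaluate(m, u, "U_PLACEHOLDER", log)
        print(f"{'ALLOW' if d.allowed else 'BLOCK'} {m} {u} ({d.reason})")
```

The last case in the demo shows why the check keys on the parsed hostname rather than on a substring match: a URL whose userinfo contains an allowlisted name still resolves to the attacker host and is blocked.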

With the security boundary in place, the agent was ready to meet the teams.

The Agent in Action

Our OpenClaw instance lives in Slack, clones repositories, searches Confluence and Kibana, queries databases (read-only), and creates scheduled tasks. Here is how teams actually use it.

Code Review

Developers tag the agent in our code review Slack channel with a merge request link and our review checklist. The agent pulls the branch, evaluates correctness, code quality, performance, error handling, backward compatibility, security, and testing, then posts a structured review. In one session, it caught a case sensitivity mismatch in a dictionary key lookup that three human reviewers had missed, suggested two refactoring options with trade-offs, and iterated with the developer in-thread until the approach was finalised.

Alert Support

When a production alert fires, the on-call engineer tags the agent instead of spending fifteen minutes gathering context. In a real incident involving an SQL execution timeout, the agent pulled the alert details, classified risk as low (1 in 1.35 million requests), identified the specific stored procedure, traced the call chain, and provided ready-to-run DB and Kibana queries. The engineer had full context in seconds.

Alert support in action. Left: the agent’s analysis in Slack — risk level, root cause, likely causes, and ready-to-run SQL and Kibana queries. Right: the corresponding Elastic trace, with the failing span flagged.

Documentation and Sprint Planning

Using a scheduler, the agent tracks when Confluence pages were last updated against recent commits and suggests documentation updates as drafts for team review. For sprint planning, it reads relevant documentation and the codebase, then generates pre-filled PBR documents. Product Developers spend their time on edge cases and trade-offs instead of formatting.

Data Analysis

Product Owners and Data Scientists describe what they need in plain language, and the agent handles the query. In one case, a PO asked why a customer segment had reduced activity. The agent broke down the numbers by segment, calculated trends, and identified the decline as organic rather than driven by cannibalisation. When the PO asked a follow-up, it dug deeper and surfaced that while one product’s usage decreased, the other had increased. The entire investigation happened conversationally in a Slack thread.

Risks & CVEs

The architecture above was designed against a specific set of risks that have since been documented in public disclosures. The most relevant ones, for anyone evaluating OpenClaw or its peers today:

CVE-2026-25253 (CVSS 8.8) — one-click RCE via WebSocket origin validation, even on localhost-bound instances. Our sandboxed deployment addresses this directly.

CVE-2026-32922 (CVSS 9.9) — pairing-to-admin privilege escalation; our deployment never exposes the pairing endpoint outside the control network.

ClawHavoc — over 1,184 malicious Skills in ClawHub, ~20% of the public registry at peak; our controlled boundary ensures even an installed malicious skill cannot reach attacker infrastructure.

Public exposure: 135,000+ instances on public IPs across 82 countries; 138 CVEs in 63 days (a vendor-side overview is a good primer if you are weighing adoption today).

Among adjacent frameworks worth tracking, Hermes Agent (Nous Research) has fewer public CVEs, but its persistent-memory architecture changes the threat model: see CVE-2026-7396 (path traversal in the WeChat platform adapter), CVE-2026-7113 (missing webhook auth in v0.8.0), and Repello’s workstation threat model, which calls persistent memory “the largest unbounded attack surface” they have seen ship on a developer machine. Different architecture, same lesson: assume the agent will be coerced, and bound what it can reach before that happens.

Regulatory: Singapore’s IMDA Advisory on OpenClaw

On 14 May 2026, Singapore’s Infocomm Media Development Authority (IMDA) issued its first formal advisory on OpenClaw (case study PDF), building on IMDA’s broader Model AI Governance Framework for Agentic AI (full PDF). The recommendations — restricted Slack permissions, human-in-the-loop approval for sensitive actions, and a clear accountability boundary — map directly to the controls we describe above. Compliance is voluntary, but organisations remain legally accountable for what their agents do. Neither OpenClaw nor Hermes Agent is restricted in Singapore today.

Framework Choice: Built to Stay Agile

The security architecture above is deliberately framework-agnostic. It sits underneath the agent runtime, so swapping OpenClaw for Hermes Agent (Nous Research) is a configuration change, not a re-architecture. Today, our deployment supports both, and departments choose whichever runtime fits their workflow. Tokens never live inside the agent process, destinations are allowlisted, requests are logged, and the IMDA-aligned controls apply identically — whichever framework a team picks, the security posture is the same.

That design is a deliberate hedge against how fast this space is moving. The agentic AI landscape changes on a weekly cadence: this month’s leading framework may not be next month’s, new models redraw the trade-offs every release, and CVEs land faster than vendor patches. Locking the company into a single agent runtime would mean re-doing the security work every time the landscape shifted. Keeping the boundary at the network layer lets the runtime above it evolve freely.

Staying agile is what makes that practical. Short feedback loops, low-friction sprints, and a culture that treats new frameworks as opportunities to evaluate rather than threats to manage are what let us add Hermes alongside OpenClaw without rebuilding anything beneath. The next framework — whichever it turns out to be — will plug in the same way.

Hermes Agent (Nous Research): a self-improving agentic harness with persistent memory and automatic skill evolution. Released February 2026, it overtook OpenClaw on OpenRouter within weeks — the kind of shift our framework-agnostic architecture is built to absorb.

Why This Worked

OpenClaw did not make us better because it is a good framework. It worked because our culture was ready for it. Engineers were already experimenting bottom-up before any mandate. Leadership responded by providing resources rather than restrictions. The team knew how to align quickly through a structured kickoff, set clear security guardrails, and iterate through tight sprint cycles. A different company might have banned it outright or adopted it recklessly. What worked was the middle path: trust the engineers, invest in security, and let the team figure it out together.

What’s Next

We are exploring deeper CI/CD integration, expanded database access for more teams, and a feedback loop where the agent learns from code review outcomes. NVIDIA’s NemoClaw, an enterprise-hardened OpenClaw variant announced at GTC 2026, is also on our radar as a potential complement to our existing controls. On the runtime side, our architecture supports both OpenClaw and Hermes Agent (Nous Research, which overtook OpenClaw on OpenRouter in May 2026), and departments choose whichever fits their workflow. Expanding the Hermes pilot beyond the data-science team is one of the threads we are following this quarter.

Jensen Huang was right: every company needs an OpenClaw strategy. But a strategy is not just a technology choice. It is a cultural one. The companies that thrive with agentic AI will be the ones that already know how to experiment safely, iterate quickly, and trust their people.
