OpenClaw Security Risks: Runlayer Launches Enterprise Governance Layer

by Rachel Kim – Technology Editor

A security engineer at Runlayer, a New York City-based enterprise AI startup, reportedly gained full control of an OpenClaw agent in under an hour using only standard business user access and an API key, according to a recent interview with Runlayer CEO Andy Berman. The demonstration highlighted the vulnerability of the increasingly popular, open-source AI agent to prompt injection attacks.

OpenClaw, launched in November 2025, allows users to communicate with an AI agent through popular messaging apps and perform autonomous tasks on computers. Its adoption has surged in recent months, attracting both individual users and large enterprises seeking greater automation. However, this rapid growth has coincided with documented security risks, leading to a rise in “shadow AI” – unmanaged AI agents operating outside of IT and security departments’ oversight.

Runlayer launched “OpenClaw for Enterprise” earlier this month, aiming to address these concerns by providing a governance layer designed to secure AI agents within corporate environments. The core of the problem, according to Runlayer, lies in the architecture of OpenClaw’s primary agent, formerly known as “Clawdbot.” Unlike typical web-based large language models (LLMs), Clawdbot often operates with root-level shell access to a user’s machine, granting it extensive system privileges.

This level of access, combined with a lack of native sandboxing, creates a significant security risk. Sensitive data such as SSH keys, API tokens, and internal communications stored in platforms like Slack and Gmail become vulnerable. Berman explained that a successful prompt injection attack could allow a malicious actor to hijack the agent’s logic and exfiltrate sensitive data. He described a scenario where a seemingly harmless email containing hidden instructions could command the agent to send confidential information to an external server.

The increasing adoption of OpenClaw mirrors the early days of the “Bring Your Own Device” (BYOD) trend, according to Berman. Just as employees favored iPhones over corporate-issued BlackBerry devices due to superior functionality, they are now embracing agents like OpenClaw for the “quality of life improvement” they offer. He noted in a series of posts on X that attempts to prohibit the use of such tools are no longer effective, stating, “We passed the point of ‘telling employees no’ in 2024.”

Security experts share these concerns. Heather Adkins, a founding member of Google’s security team, has cautioned against running Clawdbot. Runlayer’s solution, ToolGuard, aims to mitigate these risks through real-time blocking of malicious commands, with a latency of less than 100ms. The technology analyzes tool execution outputs to identify patterns indicative of remote code execution or destructive commands, increasing prompt injection resistance from a baseline of 8.7% to 95% according to Runlayer’s internal benchmarks.

Runlayer’s suite includes OpenClaw Watch, a detection tool for unmanaged Model Context Protocol (MCP) servers, deployable via Mobile Device Management (MDM) software. It also features Runlayer ToolGuard, the active enforcement engine that monitors every tool call made by the agent, specifically targeting credential exfiltration attempts. The company emphasizes that its platform is designed to govern AI agents in a manner similar to how enterprises manage cloud services, SaaS applications, and mobile devices.
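The article describes ToolGuard only at the level of “monitors every tool call” and “blocks destructive commands and credential exfiltration”; the following is an added illustration of what such a per-tool-call policy gate looks like, written for this page and not Runlayer’s code. It assumes a tool-call shape of `{"tool": "shell"|"http", "command"/"url"/"body": ...}`, a constructed egress allowlist, and a constructed malicious sample of the email-driven scenario from above (read SSH key, pipe to an external server).

```python
import re
from urllib.parse import urlparse

# Assumed policy patterns for an agent with shell access; constructed for illustration,
# not a description of how ToolGuard's detection actually works.
SENSITIVE_PATH = re.compile(
    r"(?:~|\$HOME|/home/[^/\s]+|/root)/\.(?:ssh|aws|gnupg|netrc)\b|\bid_(?:rsa|ed25519)\b|\.env\b")
NETWORK_TOOL = re.compile(r"\b(?:curl|wget|nc|ncat|scp|rsync|ssh)\b")
DESTRUCTIVE = re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+(?:/|~|\$HOME)(?:\s|$)|\bmkfs\b|\bdd\s+if=")
SECRET_MARKER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\bAKIA[0-9A-Z]{16}\b|\bxox[abp]-")
ALLOWED_HOSTS = {"api.internal.example.com"}  # constructed egress allowlist (hypothetical host)


def evaluate_tool_call(call: dict) -> tuple[str, str]:
    """Return (decision, reason); decision is one of "allow", "review", "block".

    The gate runs before the tool executes, so a blocked call never reaches the shell
    or the network; "review" routes the call to a human or a stricter policy.
    """
    tool = call.get("tool")
    if tool == "shell":
        cmd = call.get("command", "")
        if DESTRUCTIVE.search(cmd):
            return "block", "destructive filesystem command"
        touches_secret = bool(SENSITIVE_PATH.search(cmd))
        if touches_secret and NETWORK_TOOL.search(cmd):
            # Credential material combined with a network client is the exfiltration shape
            # described in the article (hidden email instruction -> key sent off-host).
            return "block", "credential path combined with network tool"
        if touches_secret:
            return "review", "reads credential material"
        return "allow", "no policy match"
    if tool == "http":
        host = urlparse(call.get("url", "")).hostname or ""
        body = call.get("body", "")
        if host not in ALLOWED_HOSTS and SECRET_MARKER.search(body):
            return "block", f"secret-looking payload to non-allowlisted host {host}"
        if host not in ALLOWED_HOSTS:
            return "review", f"egress to non-allowlisted host {host}"
        return "allow", "allowlisted host"
    return "review", f"unknown tool {tool!r}"
```

Pattern matching of this kind is only a first filter: an agent running with root-level shell access and no sandbox has many ways to reach the same effect, so the gate is useful as a detection and logging point (the kind of event exported to a SIEM) rather than as the sole control.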

Runlayer’s platform is SOC 2 and HIPAA certified, making it suitable for use in regulated industries. The company’s data handling practices are designed to address privacy concerns, with Berman stating that the ToolGuard models do not train on organizations’ data and that contracting with Runlayer is akin to engaging a traditional security vendor. The licensing model shifts the risk from “community-supported” to “enterprise-supported,” providing the legal and technical guarantees required by large organizations.

Runlayer’s pricing structure is based on a platform fee rather than a per-user model, encouraging widespread adoption. The fee is tailored to the size of the deployment and the specific capabilities required. The company currently focuses on enterprise and mid-market segments but plans to introduce offerings for smaller companies in the future.

The platform integrates with existing security and infrastructure tools, allowing for data export to Security Information and Event Management (SIEM) vendors like Datadog and Splunk. Runlayer’s deployment options include cloud, private virtual private cloud (VPC), and on-premise installations. Berman highlighted a cultural shift observed at companies like Gusto, where the IT team was rebranded as the “AI transformation team” after implementing Runlayer’s solution. A customer at OpenDoor reportedly cited Runlayer as providing the “biggest quality of life improvement” by enabling secure access to sensitive systems.

Runlayer already provides security for several high-growth companies, including Instacart, Homebase, and AngelList. As the cost of tokens decreases and the capabilities of models continue to advance, the demand for robust AI governance infrastructure is expected to grow. Berman concluded that the central question is not whether enterprises will use AI agents, but whether they can do so safely and at scale.
