ClawBands GitHub Project Looks to Put Human Controls on OpenClaw AI Agents
A software engineer has created a lightweight plugin on GitHub aimed at ensuring greater human control of the actions of the controversial and highly popular OpenClaw AI personal assistant.
ClawBands is described by its developer, Sandro Munda, as security middleware for OpenClaw AI agents. It hooks into the AI personal assistant, intercepts every tool execution – including file writes, shell commands, and network requests – and enforces “human-in-the-loop” approval before any action is executed.

“OpenClaw can execute shell commands, modify files, and access your APIs,” Munda, who goes by the handle SeyZ and is founder and CEO of RootCX, an AI-native operational platform and OS, wrote on GitHub. “OS-level isolation (containers, VMs) protects your host machine, but it doesn’t protect the services your agent has access to. ClawBands solves this by hooking into OpenClaw’s before_tool_call plugin event. Before any dangerous action executes (writes, deletes, shell commands, API calls), the agent pauses and waits for your decision.”

OpenClaw – née Clawdbot and Moltbot – runs locally on a user’s system as an autonomous, agentic AI personal assistant integrated with WhatsApp, Telegram, Discord, and similar apps. People are using it for everything from summarizing conversations and scheduling meetings to executing code, managing calendars, and booking flights.

Popularity Comes with Security Concerns

Its popularity went viral, collecting more than 195,000 GitHub stars since launching in November 2025. However, as its popularity and use have grown, security pros have been vocal about the dangers that come with it.

“From a capability perspective, OpenClaw is groundbreaking,” Cisco security researchers Amy Chang and Vineeth Sai Narajala wrote. “This is everything personal AI assistant developers have always wanted to achieve. From a security perspective, it’s an absolute nightmare.”

They wrote that OpenClaw can run shell commands, read and write files, and execute scripts on a user’s system, and that giving an AI agent high-level privileges lets it perform harmful actions if it is misconfigured or if the user downloads a skill that carries malicious instructions. Chang and Narajala also noted that the open-source tool has already leaked plaintext API keys and credentials that can be stolen by bad actors through unsecured endpoints or by prompt injection attacks.

In addition, “OpenClaw’s integration with messaging applications extends the attack surface to those applications, where threat actors can craft malicious prompts that cause unintended behavior,” they wrote.

A ‘Warning Shot’ That Must Be Addressed

Sophos CISO Ross McKerchar pointed to research indicating that more than 30,000 OpenClaw instances were exposed on the internet and that threat actors are discussing ways to weaponize OpenClaw capabilities for botnet campaigns.

McKerchar called OpenClaw a “warning shot for enterprise AI security,” writing that “truly empowered agentic AI is coming at us fast. And it’s going to creep into mission-critical workflows before we have any truly robust ways to secure it. … The only sane response is to manage the inevitable change by rolling up your sleeves and figuring out how to acceptably manage something so inherently risky.”

He optimistically added that “as with all technology adoption, pragmatic risk management is key. And, luckily, we’ve all been doing that for a long time.”

‘Human-in-the-Loop’ Controls

ClawBands is one attempt at this: it tries to ensure that a human makes the final decision before the AI agent takes any action.

“In a terminal, you get an interactive prompt,” according to the description on GitHub. “On messaging channels (WhatsApp, Telegram), the agent asks you YES/NO and relays your answer via a dedicated clawbands_respond tool. Every choice is logged to an immutable audit trail. Think of it as sudo for your AI agent: nothing happens without your explicit permission.”

In practice, ClawBands evaluates every action, the OpenClaw agent waits for approval before acting, the plugin hooks intercept all tool calls, and the audit trail is written as append-only JSON Lines. All critical decisions require approval, and unknown actions default to ASK/DENY.

OpenClaw Developer Moves to OpenAI

The introduction of ClawBands comes as AI giant OpenAI scoops up OpenClaw’s developer, Peter Steinberger. In a post on X, OpenAI CEO Sam Altman wrote over the weekend that Steinberger was hired to “drive the next generation of personal agents. He is a genius with a lot of amazing ideas about the future of very smart agents interacting with each other to do very useful things for people. We expect this will quickly become core to our product offerings.”

In his own blog post, Steinberger wrote that OpenClaw will move to a foundation, adding that “it’s always been important to me that OpenClaw stays open source and given the freedom to flourish.”

He also said he could have turned OpenClaw into a “huge company,” adding that that wasn’t interesting to him.

“What I want is to change the world, not build a large company, and teaming up with OpenAI is the fastest way to bring this to everyone,” Steinberger wrote. “My next mission is to build an agent that even my mum can use. That’ll need a much broader change, a lot more thought on how to do it safely, and access to the very latest models and research.”
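To make the approval flow described above concrete, here is an added example (not ClawBands’ or OpenClaw’s own code) of a before_tool_call-style gate: observation-only tools are auto-allowed, state-changing tools pause for a human YES/NO, unknown tools are never auto-allowed and are denied outright when no approver is reachable, and every decision is appended to a JSON Lines audit trail. The tool names, the classification sets and the ask_human callback signature are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed policy for illustration, not ClawBands' real rule set: tools that only
# observe are auto-allowed; tools that change state or leave the machine need a
# human decision; anything not listed is treated as unknown.
AUTO_ALLOW = {"read_file", "list_dir", "search"}
NEEDS_APPROVAL = {"write_file", "delete_file", "shell", "http_request"}


def classify(tool_name):
    """Map a tool name to ALLOW, ASK or UNKNOWN. UNKNOWN never auto-allows."""
    if tool_name in AUTO_ALLOW:
        return "ALLOW"
    if tool_name in NEEDS_APPROVAL:
        return "ASK"
    return "UNKNOWN"


def audit(path, record):
    """Append one JSON Lines record; the trail is only ever opened for append."""
    record["ts"] = datetime.now(timezone.utc).isoformat()
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def before_tool_call(tool_name, args, ask_human, audit_path):
    """Gate a single tool call (hypothetical hook, modelled on the page's description).
    ask_human(tool, args) returns True/False, or None when no human channel is
    reachable. Returns "ALLOW" or "DENY" and logs the decision either way."""
    verdict = classify(tool_name)
    if verdict == "ALLOW":
        decision, reason = "ALLOW", "policy:auto-allow"
    else:  # ASK and UNKNOWN both require an explicit human answer
        answer = ask_human(tool_name, args)
        if answer is None:
            decision, reason = "DENY", "no-approver"  # fail closed
        elif answer:
            decision, reason = "ALLOW", "human:yes"
        else:
            decision, reason = "DENY", "human:no"
    audit(audit_path, {"tool": tool_name, "args": args, "class": verdict,
                       "decision": decision, "reason": reason})
    return decision


def read_audit(path):
    """Parse the append-only audit trail back into a list of records."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]
```

The gate fails closed: a tool the policy has never seen reaches a human if one is available and is denied otherwise, which is the ASK/DENY default the article describes.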
