
Benioff on OpenClaw: What's missing is trust, security, reliability, and availability.
2026-04-12 · PebbleFlow Team
Salesforce CEO Marc Benioff bought a dedicated machine just to test OpenClaw — the open-source AI agent OpenAI reportedly acquired for $1-5 billion. His verdict? It can't be trusted.
"OpenClaw is great. But it's not enterprise-great," Benioff said. "What's missing is trust, security, reliability, and availability."
The security research that followed proved him right — and the problems run deeper than most people realize.
The Vulnerabilities Are Not Theoretical
Since OpenClaw went viral, security researchers have catalogued a striking pattern of real-world exploits:
- CVE-2026-25253 (CVSS 8.8): A one-click remote code execution vulnerability through the control UI's unvalidated WebSocket connections. Two additional command injection flaws disclosed the same day.
- ClawJacked (Oasis Security): Any website can silently take full control of an OpenClaw agent via JavaScript — the rate limiter exempts localhost, allowing password brute-forcing.
- 42,900+ exposed instances found by SecurityScorecard's STRIKE team, with 15,200 vulnerable to remote code execution. Bitsight independently confirmed 30,000+ exposed instances in a two-week scan.
- 1,184 malicious skills on ClawHub — 12% of the entire skill registry. 335 installed Atomic Stealer (AMOS), a macOS infostealer that harvested API keys, cryptocurrency wallets, SSH credentials, and browser passwords.
- 7.1% of ClawHub skills expose credentials in plaintext through the LLM's context window, per a Snyk audit. No credential isolation between skills — one skill can read secrets set by another.
Cisco, Microsoft, and CrowdStrike have all published advisories. Microsoft's security blog noted that OpenClaw agents "run with host user privileges by default with no rigorous sandboxing."
The Architectural Root Cause
OpenClaw's security problems aren't bugs to be patched — they're consequences of its architecture:
The Gateway binds to all network interfaces by default (0.0.0.0:18789), exposing the agent to the entire local network. This single design decision caused the mass exposure that SecurityScorecard and Bitsight documented.
All data flows through a centralized Gateway process that owns messaging, authentication, session management, and dispatch. Compromise the Gateway and you inherit every credential, every conversation, every connected service — email, cloud APIs, messaging platforms, internal systems.
No user approval for agent actions. OpenClaw executes shell commands, reads and writes files, and runs scripts as part of its core design. Malicious skills used prompt injection to bypass safety checks and execute commands silently.
No credential isolation. API keys live in environment variables and .clawdbot/.env — accessible to every skill in the agent's context. A single malicious skill can exfiltrate every secret the agent has access to.
How PebbleFlow's Architecture Is Different
PebbleFlow and OpenClaw are both local-first, both BYOK (bring your own key), and both provider-agnostic. The difference isn't what they connect to — it's how they handle trust, transparency, and user control.
Every Agent Action Requires Explicit Approval
PebbleFlow uses a three-scope tool approval system:
- Approve Once — allow a single execution, then ask again
- Approve for Conversation — allow within this thread only, reset when the conversation ends
- Always Approve — permanent global permission (shown in red for high-risk tools)
Approval is blocking — the agent waits for your response. There is no "auto-run" flag. External MCP tools without metadata default to requiring approval (fail-secure). Each tool has a risk level (low/medium/high) with color-coded warnings in the approval dialog.
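The approval model just described, as an added example (not PebbleFlow's code): the three scopes, the fail-secure default for tools that shipped no metadata, and blocking execution where the tool body cannot run until the dialog resolves. ToolMeta, ApprovalPolicy and the string literals are assumed names.

```typescript
// Added example, not PebbleFlow's code: a model of the three-scope approval policy
// described above. ToolMeta, ApprovalPolicy and the string literals are assumed names.
type Scope = "once" | "conversation" | "always";
type Risk = "low" | "medium" | "high";
interface ToolMeta { name: string; risk: Risk; }
class ApprovalPolicy {
  private meta = new Map<string, ToolMeta>();              // tools that shipped metadata
  private perConversation = new Map<string, Set<string>>(); // "Approve for Conversation"
  private global = new Set<string>();                       // "Always Approve"

  register(tool: ToolMeta): void { this.meta.set(tool.name, tool); }
  // Risk level shown in the approval dialog. A tool with no metadata is shown as
  // high (assumption: the page only says such tools default to requiring approval).
  riskOf(tool: string): Risk { return this.meta.get(tool)?.risk ?? "high"; }

  // Must this call stop and ask the user? Only a remembered grant lets it run.
  decide(tool: string, conversationId: string): "run" | "ask" {
    if (this.global.has(tool)) return "run";
    if (this.perConversation.get(conversationId)?.has(tool)) return "run";
    return "ask"; // fail-secure default; covers external MCP tools without metadata
  }

  // Record the user's answer. "once" stores nothing: the tool runs this single
  // time and the very next call asks again.
  grant(tool: string, scope: Scope, conversationId: string): void {
    if (scope === "always") {
      this.global.add(tool);
    } else if (scope === "conversation") {
      const set = this.perConversation.get(conversationId) ?? new Set<string>();
      set.add(tool);
      this.perConversation.set(conversationId, set);
    }
  }

  // Conversation-scoped grants are reset when the thread ends.
  endConversation(conversationId: string): void { this.perConversation.delete(conversationId); }

  // Blocking execution: `body` does not run until the dialog (`prompt`) resolves,
  // and a denial leaves no grant behind.
  async execute<T>(tool: string, conversationId: string, body: () => Promise<T>,
                   prompt: (tool: string, risk: Risk) => Promise<Scope | "deny">): Promise<T | undefined> {
    if (this.decide(tool, conversationId) === "ask") {
      const answer = await prompt(tool, this.riskOf(tool));
      if (answer === "deny") return undefined;
      this.grant(tool, answer, conversationId);
    }
    return body();
  }
}
```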
Full Transparency in Real Time
Every tool call appears in the sidepanel with its status: pending, awaiting approval, executing, succeeded, or failed. You see exactly what the agent is doing, what arguments it's passing, and what results it got back — as it happens. You can read the intent, expand the raw details, and make an informed decision before anything executes.
Immediate Stop at Any Point
PebbleFlow checks abort signals at multiple points: between tool executions, during approval waits, and within long-running operations. Hit stop and the agent halts, cleans up pending approvals, and closes any active browser sessions. No orphaned processes, no runaway execution.
No Centralized Gateway
PebbleFlow has no equivalent of OpenClaw's Gateway. Your device talks directly to the AI provider you choose — Anthropic, Google, OpenRouter, Ollama, or any other. PebbleFlow never intercepts, proxies, or stores your API calls. There is no single point of compromise that inherits all your credentials.
Credential Isolation by Design
API keys are stored in the browser's secure storage (or Keychain on macOS/iOS) — not in plaintext config files. Tools access only the credentials they need. There is no shared global context where one tool can read another tool's secrets.
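Per-tool credential scoping of the kind described above, as an added example (not PebbleFlow's code), contrasted with the shared-environment model in which every skill can read every key. CredentialBroker and the manifest shape are assumed names, and the scrubbing step is an added defensive check the page itself does not describe; all secret values are constructed.

```typescript
// Added example, not PebbleFlow's code: per-tool credential scoping, as opposed to
// the shared environment every skill can read. CredentialBroker and the manifest
// shape are assumed names; all secret values used with it are constructed.
interface ToolManifest { name: string; credentials: string[]; } // keys the tool declares it needs

class CredentialBroker {
  private secrets = new Map<string, string>();        // stands in for secure storage
  private manifests = new Map<string, ToolManifest>();

  store(name: string, value: string): void { this.secrets.set(name, value); }
  registerTool(m: ToolManifest): void { this.manifests.set(m.name, m); }

  // A tool receives only the credentials its manifest declares. There is no
  // shared view to enumerate, so one tool cannot read another tool's keys.
  credentialsFor(tool: string): Record<string, string> {
    const out: Record<string, string> = {};
    const m = this.manifests.get(tool);
    if (!m) return out;                                // unregistered tool gets nothing
    for (const key of m.credentials) {
      const value = this.secrets.get(key);
      if (value !== undefined) out[key] = value;
    }
    return out;
  }

  // Added defensive check (not described on the page): before a tool result is
  // placed in the model's context window, replace any stored secret value that
  // leaked into it, so keys cannot surface in plaintext the way the Snyk audit found.
  scrubForContext(text: string): string {
    let out = text;
    this.secrets.forEach((value, name) => {
      if (value.length > 0) out = out.split(value).join(`[REDACTED:${name}]`);
    });
    return out;
  }
}
```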
Try PebbleFlow
If you're evaluating AI agents for professional use, the question isn't whether an agent is powerful — it's whether you can trust it. PebbleFlow gives you the same AI capabilities with approval controls, real-time transparency, and an architecture that doesn't create a single point of failure.
Get started for free — available as a browser extension, native macOS app, and desktop app for Windows and Linux.