You’re Not Going to Love How the Sausage Gets Made

Cyber Thoughts Newsletter

FEBRUARY 2026

We’re living in the future, and I’m here to tell you: you’re not going to love how the sausage gets made.

If you haven’t heard about OpenClaw (fka Moltbot two weeks ago, fka Clawdbot the week before that), read on. If you have, feel free to skip to the next paragraph.

OpenClaw is a personal assistant built on Claude Code, and at times it feels like magic. It ships with a pile of built-in integrations and a thriving ecosystem of community add-ons that let it talk to all kinds of applications. It can read your files, send emails, and write code. Every once in a while, it does something genuinely impressive.

Think of it as your own personal Jarvis. You can have it manage your calendar and set up meetings. It can brief you on who you’re about to meet with, when you last emailed them, and what their most recent Facebook posts say. You can attach it to your CRM, surface cold leads, and draft personalized outreach emails in your voice.

The setup process feels more like a conversation than an installation. It asks what you want to install, then walks you through the steps to do it. It’s like having an IT professional guide you through the process.

But if you care about security, buckle up.

For example, OpenClaw uses an allow-list to control which applications it’s permitted to run. Reasonable enough. Except that in some default configurations, it can also edit the allow-list itself. You can probably see where this is going.

“I just added rm to the list!”

Which, of course, lets it delete… anything. What could possibly go wrong?

One of the community add-ons is a social network, just for AI agents. They’ve already created their own religion called “Crustafarianism.” I, for one, welcome our new lobster-themed overlords. 

To Be Fair… there are bright spots.OpenClaw can help identify bugs, generate fixes, and submit pull requests directly back to GitHub. One friend even had it perform packet capture on another application, sniff the authentication token, and reverse-engineer the API connection from there.

In our test lab, we had it identify spam meetings on our calendar, flag invites sent by vendors we had never spoken to, and remove them.

⸻

WE LAB TESTED IT. WE RAN SOME EXPERIMENTS.

Breaking News: This Was a Bad Idea

Remember that “friend” who was sniffing packets? That was one of our CISO advisors.

As we were finishing this write-up, we decided to hook OpenClaw up to Signal to see if it could read text messages. For testing, we asked our advisor to send a message to make sure everything was working.

Chaos ensued.

Agent meets prompt injection. Prompt injection loses.

This is what “it seemed like a good idea at the time” looks like.

Published with permission from Greg. 

Be careful out there, you really can’t trust anyone ;)

⸻

What did we learn?

The LLM did its job. It successfully defended against prompt injection.

The real problem wasn’t the model. It was the structural nature of agentic systems that grant near-unlimited access and then connect that agent directly to an open communication channel. That’s the modern equivalent of putting an unpatched computer on the internet in the late 90s and acting surprised when things go sideways.

This bypasses decades of security controls we have spent years building. Segmentation. Least privilege. Change management. Human review. All of it disappears the moment an agent is granted broad permissions “just to make things easier.”

And the scariest part is how easy it is.

Bypassing security in the name of productivity is a time-honored mistake. What’s new is that non-technical users can now do it effortlessly, with a few clicks and an API key.

We are still in the early innings.

⸻

RSA is coming up fast, and we’d love to see you there. Especially if you promise not to pitch us your OpenClaw Firewall startup.

…Okay, fine. One. One pitch.

But if it has em dashes, we’re out.

If you appreciate our highlights and heresies, follow us on Twitter and LinkedIn, we post regularly about real things worthy of your attention.

What We're Reading

Here's a curated list of things we found interesting.

MCP shipped without authentication. Clawdbot shows why that's a problem.

Remember "vibe coding"? This is what the cleanup looks like. ALSO:

We're using Clawdbot to write this. Yes, we see the irony. 

Model Context Protocol has a security problem that won't go away. When VentureBeat first reported on MCP's vulnerabilities last October, the data was already alarming. Pynt's research showed that deploying just 10 MCP plug-ins creates a 92% probability of exploitation.

AI Threatens a Wall Street Cash Cow: Financial and Legal Data

"AI cannot replicate or replace our real-time data," said the CEO, as his stock dropped 13%. To be fair, we kinda agree. But it is pretty funny. 

For years it seemed like a surefire business model: amass vast troves of financial data and sell it to Wall Street for a premium. Then Claude came along. Shares of S&P Global, LSEG, FactSet, and MSCI all tumbled after Anthropic unveiled new tools for automating legal tasks.

Why boards should be obsessed with their most ‘boring’ systems

Admit it, you want to sit on a board and sagely talk which cybersecurity risks are critical to address first… And now you can! ERP is the new (old) hotness.se

Following a series of high-profile cyberattacks, boards of directors are now requiring their organizations to take greater responsibility for the risks posed by enterprise resource planning (ERP) systems pose after a series of high-profile cyberattacks.

Transactions

Deals that caught our eye.

CrowdStrike to Acquire SGNL to Transform Identity Security for the AI Era

SGNL.AI, a United States-based privileged access management (PAM) platform focused on just-in-time (JIT) access, was acquired by CrowdStrike for $740.0M. SGNL.AI had previously raised $42.0M in funding.

Podcasts

What we’re listening to.

Low Level: Openclaw / Moltbot security situation is insane

A fun little video explaining prompt injection in Openclaw. 

Videos about cyber security + software security | New videos every week

About Lytical

Lytical Ventures is a New York City-based venture firm investing in Corporate Intelligence, comprising cybersecurity, data analytics, and artificial intelligence. Lytical’s professionals have decades of experience in direct investing generally and in Corporate Intelligence specifically.