AI Agent Security Risks FAQ

What security risks do AI agents pose?

AI agents operate with broad system permissions and can take actions autonomously. The primary risks are: unauthorized file access (reading credentials, writing to system files), unauthorized network requests (data exfiltration, IMDS attacks), and unauthorized shell command execution (destructive commands, privilege escalation). Because agents act without real-time human review, a single misconfiguration or prompt injection can cascade into a major security incident. See also: What Is SafeClaw? FAQ.

Can AI agents leak API keys?

Yes. AI agents routinely access files that contain API keys, database credentials, and tokens (e.g., .env, ~/.aws/credentials, config.json). An agent can read these files, include the contents in a network request, or write them to an unprotected location. The Clawdbot incident proved this is not a theoretical risk — it is an operational reality. See also: Action-Level Gating FAQ.

What happened with Clawdbot?

Clawdbot was an AI coding agent that leaked 1.5 million API keys in under a month. The agent had unrestricted file read and network access, which allowed it to access credential files and transmit their contents externally. This incident demonstrated that AI agents without action-level controls can cause large-scale credential exposure in a short time. SafeClaw was designed specifically to prevent this class of incident. See also: What Is SafeClaw? FAQ.

Can AI agents access sensitive files?

Yes. By default, most AI agent frameworks grant the agent read and write access to the entire filesystem available to the host process. This includes .env files, SSH keys (~/.ssh/), cloud credentials (~/.aws/, ~/.gcloud/), and application configuration files. Without action-level gating, there is no mechanism to restrict which files an agent can read or modify. See also: Action-Level Gating FAQ.

Can AI agents make unauthorized network requests?

Yes. Agents can make HTTP requests to any endpoint unless explicitly restricted. This includes sending data to external servers (data exfiltration), accessing internal APIs they should not reach, and hitting cloud metadata services. A single unauthorized network call can expose credentials, leak proprietary data, or trigger unintended side effects in external systems. SafeClaw gates all outbound network requests. See also: Action-Level Gating FAQ.

What is the IMDS attack vector?

The Instance Metadata Service (IMDS) is available at 169.254.169.254 on most cloud providers (AWS, GCP, Azure). An AI agent running on a cloud instance can query this endpoint to retrieve temporary security credentials, instance identity tokens, and configuration data. If an agent makes this request — either through prompt injection or misconfiguration — it obtains cloud credentials that can be used for lateral movement. SafeClaw can block network requests to the IMDS endpoint via policy rules.

How do agents get too much access?

Most AI agent frameworks run with the same permissions as the user or process that launched them. If you run an agent as your user account, it inherits your full filesystem access, network access, and shell execution capabilities. There is typically no built-in mechanism to restrict the agent to only the permissions it needs for its task. This violates the principle of least privilege. See also: SafeClaw vs Alternatives FAQ.

Are non-technical users at risk?

Yes, and often more so. Non-technical users are less likely to understand the permissions they are granting an AI agent, less likely to audit agent behavior, and less likely to configure sandboxes or file permissions manually. SafeClaw addresses this with a browser dashboard and setup wizard that require no CLI expertise. Non-technical users can define and manage policies visually. See also: SafeClaw Setup FAQ.

What is the principle of least privilege for agents?

The principle of least privilege states that an agent should have only the minimum permissions required to complete its assigned task — no more. If an agent's job is to write test files, it should not have access to .env files or the ability to make arbitrary network requests. SafeClaw enforces least privilege through deny-by-default policies where every permitted action must be explicitly listed. See also: Policy Engine FAQ.

How can I audit what my agent did?

SafeClaw maintains a tamper-proof audit trail of every action an agent attempted, including whether it was allowed or denied. The audit trail uses a SHA-256 hash chain — each entry references the hash of the previous entry, making retroactive alteration detectable. You can review the audit trail through the browser dashboard or export it for compliance purposes. See also: Audit Trail FAQ.