Five zero-day flaws found in OpenClaw, the framework behind Microsoft’s new Scout agent

  • Researchers on Tuesday disclosed five zero-day flaws in OpenClaw that allow attackers to impersonate trusted users and hijack AI agent access across messaging platforms. [cybersecuritynews]
  • Microsoft launched Scout, an always-on workplace AI assistant built on OpenClaw, at its Build 2026 conference on Monday via its Frontier early-access program. [mashable]
  • The flaws exploit mutable display names to bypass allowlists, adding to a growing list of critical OpenClaw vulnerabilities documented since early 2026. [cybersecuritynews]

Microsoft Launches Scout, an Always-On AI Work Agent Built on OpenClaw

Microsoft unveiled Scout, a new AI personal assistant built on the open-source OpenClaw framework, at its Build 2026 developer conference on Tuesday. The launch arrives as security researchers disclosed five zero-day vulnerabilities in OpenClaw that could allow attackers to hijack AI agent access across messaging platforms.

An AI Coworker That Never Logs Off

Scout represents what Microsoft calls an “Autopilot” — an always-on autonomous agent with its own persistent identity that operates on behalf of the user across Outlook, Teams, OneDrive, and other Microsoft 365 applications. The assistant can manage calendars, resolve scheduling conflicts, draft emails, handle expense reporting, and automate repetitive workplace tasks without prompting. [mashable]

Users name their own Scout instance and provide it ongoing feedback to shape its behavior, according to TechCrunch. Bloomberg reported that unlike conventional AI chatbots visible only to the user, Scout will appear on internal email and calendar systems as though it were another employee. [techcrunch]

Scout is currently available through Microsoft’s Frontier early-access program, which gives organizations a first look at experimental AI features within Microsoft 365. Use of Scout requires an active GitHub Copilot subscription, drawing from users’ monthly GitHub AI Credits allowance — a usage-based billing system that took effect on June 1. Under that system, Copilot Business subscribers receive $19 in monthly credits per user, while Enterprise subscribers get $39. [github]

OpenClaw Security Concerns Shadow the Launch

The timing of Scout’s release coincides with growing scrutiny of OpenClaw’s security posture. On June 3, researchers disclosed five zero-day flaws in OpenClaw that allowed attackers to bypass trust boundaries and hijack AI agent access across Slack, Discord, Microsoft Teams, Matrix, and Zalo. [x]

The vulnerabilities exploit a design flaw in which human-readable identifiers like display names are resolved to stable user IDs during service initialization. Because display names are mutable on most chat platforms, attackers can impersonate trusted users by renaming themselves to match an allowlisted identity before a service restart, gaining full control over agent interactions. [cybersecuritynews]
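As an added illustration, not code from OpenClaw or from the researchers’ write-up, the following constructed Python models the resolution pattern described above: a directory of users with stable IDs and mutable display names, a startup-time name-to-ID resolution that an impersonator inherits after a restart, the ID-pinned check that closes the gap, and a drift check an operator can alert on. All user IDs and names are made up.

```python
# Constructed example, not OpenClaw's code: allowlists keyed on mutable display
# names versus allowlists pinned to stable user IDs, across a service restart.
from dataclasses import dataclass


@dataclass
class User:
    user_id: str       # stable, platform-assigned
    display_name: str  # mutable, user-chosen


class Directory:
    """Minimal stand-in for a chat platform's user directory."""
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def rename(self, user_id, new_name):
        self.users[user_id].display_name = new_name

    def ids_named(self, name):
        return {u.user_id for u in self.users.values() if u.display_name == name}


def resolve_allowlist_by_name(directory, names):
    """Vulnerable pattern: names resolved to IDs once at startup, so whoever
    holds a configured name at that moment inherits the allowlist entry."""
    return {uid for name in names for uid in directory.ids_named(name)}


def is_allowed(allowlist_ids, sender_id):
    """Hardened pattern: authorize on the stable ID; never consult the name."""
    return sender_id in allowlist_ids


def resolution_drift(pinned_ids, names, directory):
    """Detection check: re-resolve at restart and report IDs that were not
    pinned at first resolution. A non-empty result should alert, not auto-trust."""
    return resolve_allowlist_by_name(directory, names) - set(pinned_ids)


def demo():
    d = Directory([User("U1", "Alice"), User("U9", "Mallory")])
    pinned = resolve_allowlist_by_name(d, ["Alice"])          # first start: {'U1'}
    d.rename("U9", "Alice")                                   # impersonator takes the name
    after_restart = resolve_allowlist_by_name(d, ["Alice"])   # restart: {'U1', 'U9'}
    return {
        "pinned": pinned,
        "after_restart": after_restart,
        "u9_vulnerable": "U9" in after_restart,               # True: name-keyed allowlist hijacked
        "u9_hardened": is_allowed(pinned, "U9"),              # False: ID pinning holds
        "drift": resolution_drift(pinned, ["Alice"], d),      # {'U9'}: alert on this
    }
```

The same pinning applies to any identifier a user can change (handles, nicknames, profile names); only the platform-assigned ID should ever be the authorization key.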

These flaws add to a growing catalogue of OpenClaw vulnerabilities documented since late January 2026, including a one-click remote code execution bug (CVE-2026-25253), a broken access control flaw enabling admin takeover (CVE-2026-33579), and four chainable sandbox-escape and privilege-escalation vulnerabilities disclosed by Cyera in May. Palo Alto Networks has warned that OpenClaw “does not maintain enforceable trust boundaries between untrusted inputs and high-privilege reasoning or tool invocation”. [edera]

Enterprise Ambitions Meet Open-Source Risk

Microsoft’s decision to build on OpenClaw reflects the platform’s rapid adoption — it has amassed over 179,000 GitHub stars — but also inherits its attack surface. Microsoft has wrapped Scout in enterprise governance layers including Entra identity management, though the underlying framework’s security track record remains a point of concern for organizations evaluating deployment. [windowsforum]
