Blog

Clawdbot (Moltbot) Security Risks: What to Know

Silicon Valley fell for Clawdbot overnight. A personal AI assistant that manages your email, checks you into flights, controls your smart home, and executes terminal commands. All from WhatsApp, Telegram, or iMessage. A 24/7 Jarvis with infinite memory.

Security researchers saw something different: a honeypot for infostealers sitting in your home directory.

Clawdbot stores your API tokens, authentication profiles, and session memories in plaintext files. It runs with the same permissions as your user account. It reads documents, emails, and webpages to help you. Those same capabilities make it a perfect attack vector.

The creator, Peter Steinberger, built a tool that’s genuinely useful. The official documentation acknowledges the risks directly: “Running an AI agent with shell access on your machine is… spicy. There is no ‘perfectly secure’ setup.”

This article examines what those risks actually look like.

15 Cyber Security Activities for Employees (That Don't Suck)

Most security awareness programs fail for the same boring reason: they’re boring.

Employees sit through a 45-minute video about password hygiene, click “Next” through a quiz, and forget everything before lunch. You know it. They know it. The phishing click rates prove it.

The fix isn’t better videos. It’s getting people out of their chairs and into scenarios that feel real. The 15 activities below are ones we’ve seen work in actual companies, with actual skeptical employees, producing actual measurable improvements. Some take 15 minutes. Some need a full hour. All of them beat another compliance slideshow.

If you want a broader look at cybersecurity training exercises and how to structure a program, we covered that separately. This post is the practical playbook: specific activities you can run this week.

Barrel Phishing vs Phishing: How Two-Stage Attacks Work

Day one: An email from a new vendor asks if you’re the right person to discuss a partnership opportunity. Nothing suspicious. No links. No attachments. You reply confirming your role.

Day three: A follow-up arrives with a “proposal document” attached. You open it without hesitation. You already know this sender.

This is barrel phishing. The first email had one purpose: make you trust the second one.

Does Security Awareness Training Work? The ROI Research

“Does this actually work?”

Every CISO asking for budget, every HR leader evaluating vendors, every CFO signing the purchase order lands on the same question. Security awareness training eats time, attention, and money. What does the organization get back?

We dug through the research. The answer is messier than vendors want you to believe.

Open Source LMS for SCORM Training: 5 Platforms Compared

Open source sounds appealing. No licensing fees. Full control. Customization freedom.

But “free” software isn’t free. Before committing your security awareness training to an open source LMS, you need to understand what you’re actually signing up for. This guide covers the real tradeoffs, platform-by-platform comparisons, and the math that determines whether open source makes sense for your organization.