Automating the Agency: We Installed OpenClaw, Automated Asana, and Then Hacked It in 3 Days
If you spend any time in tech circles right now, you are hearing about OpenClaw. The open-source AI agent recently surpassed React to become the most-starred software project on GitHub. The hype is deafening: influencers claim these autonomous agents will replace entire operations teams, write your code, and run your business while you sleep.
At Yolk Studio, we don't do hype. We do engineering.
We wanted to know what OpenClaw could actually do in a real-world, 35-person agency environment. So, we set up an OpenClaw instance on a Mac mini in our Prague office, named him "Jarvis," and restricted his permissions. We wired him into our Slack workspace and powered his brain using Google's Gemini 3 Flash model—chosen specifically for its lightning-fast response times and incredibly low API costs.
Our goal was simple: use Jarvis as a unified interface to automate internal agency workflows.
Here is our frank, honest review of what worked, the data hygiene it forced us to fix, and the terrifying security flaw our developers exploited in just three days.
1. The "Shi-Sho" Principle: Automating Asana
We started with a universal agency pain point: weekly client progress summaries. We gave Jarvis access to our Asana instance and asked him to read the project boards and generate weekly updates that our Account Managers could simply copy, paste, and send to clients.
After a lot of initial fiddling and permission adjustments, it actually worked. Because OpenClaw maintains persistent memory, Jarvis quickly learned the exact tone and format we wanted for our summaries. Account managers were thrilled.
But then we asked Jarvis to start creating tasks and filling out custom fields (priority, time estimates, scope). That is when we discovered a universal truth about AI: It exposes your bad habits.
We realized we were suffering from "Shi-Sho"—Shit In, Shit Out. Jarvis was hallucinating or miscategorizing tasks because our own human data structure in Asana was a mess. Every project manager was using slightly different tags and field names.
To make the AI work, we had to sit down and rigorously standardize our Asana fields across every single project in the agency. The irony? Preparing our data for the AI actually made our human workflows faster and more transparent.
2. 70% of the Time, It Works Every Time
Is OpenClaw the seamless, magical employee Twitter claims it is? No.
It is clearly new technology. We encountered plenty of bugs. For example, Jarvis would work perfectly when interacting inside a Slack thread, but if you mentioned him in the main channel, he would freeze. Sometimes he would fail silently without reporting errors, requiring us to dig through the terminal logs to figure out why he got stuck.
Right now, it takes a team of engineers to keep the "automated" assistant running smoothly. We are currently testing his ability to process holiday requests and send approvals, but it still requires close monitoring.
3. The 3-Day Hackathon: How We Broke Jarvis for €15
We knew OpenClaw had broad system access, so we decided to test its defenses. We gave our engineering team a challenge: Hack Jarvis.
It took them exactly three days.
First, a developer with standard, restricted user rights managed to socially engineer Jarvis into restarting his own server. But the real breakthrough came from a known vulnerability in how Large Language Models (LLMs) handle memory.
Another developer engaged Jarvis in a massive, continuous Slack conversation. He kept talking, feeding the AI complex instructions and hypothetical scenarios until he completely filled up the model's "context window"—the maximum amount of text the AI can remember at one time.
Once the context window overflowed, Jarvis's foundational system prompt (which contained our strict security rules and permission limits) was pushed out of his active memory. He simply "forgot" that the developer wasn't an administrator. With the guardrails erased, the developer convinced the AI to grant him full, unrestricted admin rights to everything Jarvis touched.
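The failure described above, as an added illustration written for this post (it is not OpenClaw's code): a naive context buffer that trims the oldest messages first evicts a system prompt stored as an ordinary message, while a pinned prompt survives the same flood, and privileged tool calls are gated on the verified Slack caller ID instead of on whatever the model currently believes. The token estimate, the Slack IDs and the tool names are assumptions.

```python
from dataclasses import dataclass, field

SYSTEM_PROMPT = "You are Jarvis. Only Slack admins may ask for restarts or role changes."
ADMINS = {"U_ALICE"}                     # constructed sample: Slack IDs holding admin rights
PRIVILEGED_TOOLS = {"restart_server", "grant_admin"}   # assumed tool names

def tokens(text: str) -> int:
    """Crude token estimate (assumption: about 4 characters per token)."""
    return max(1, len(text) // 4)

@dataclass
class NaiveContext:
    """System prompt stored as an ordinary first message; oldest messages trimmed first."""
    budget: int
    messages: list = field(default_factory=lambda: [("system", SYSTEM_PROMPT)])

    def add(self, role: str, text: str) -> None:
        self.messages.append((role, text))
        while sum(tokens(t) for _, t in self.messages) > self.budget:
            self.messages.pop(0)          # eventually evicts the system prompt itself

    def render(self) -> list:
        return list(self.messages)

@dataclass
class PinnedContext:
    """System prompt lives outside the trimmable history, so it is never evicted."""
    budget: int
    history: list = field(default_factory=list)

    def add(self, role: str, text: str) -> None:
        self.history.append((role, text))
        while tokens(SYSTEM_PROMPT) + sum(tokens(t) for _, t in self.history) > self.budget:
            self.history.pop(0)           # only conversation turns are dropped

    def render(self) -> list:
        return [("system", SYSTEM_PROMPT)] + self.history

def flood(ctx, turns: int) -> bool:
    """Simulate a long Slack conversation; return whether the system prompt survived."""
    for i in range(turns):
        ctx.add("user", f"hypothetical scenario {i}: " + "x" * 400)
    rendered = ctx.render()
    return bool(rendered) and rendered[0][0] == "system"

def authorize_tool_call(caller_id: str, tool: str, model_believes_admin: bool) -> bool:
    """Gate privileged tools on the verified caller identity; the model's belief
    (whatever survived in its context) is deliberately ignored."""
    if tool not in PRIVILEGED_TOOLS:
        return True
    return caller_id in ADMINS
```

The second half is the check that matters: even when the guardrail text has scrolled out of the window, a tool gate that consults the Slack identity outside the model cannot be talked into granting admin rights.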
The most shocking part? Because we were using the highly efficient Gemini 3 Flash model, this entire 3-day hackathon—involving thousands of continuous prompts and massive context loads—cost us a grand total of €15 in API tokens.
The Verdict: The Future is Here, But Keep It Inside
Our OpenClaw experiment taught us two things.
First, the security risk is still too high for public deployment. Because agents are susceptible to context window overflows and prompt injections, we absolutely cannot use OpenClaw for public-facing client work or connect it to highly sensitive financial infrastructure yet.
Second, agentic UI is the undeniable future of work. Despite the bugs and the security flaws, having a single conversational interface that can read Asana, write Slack updates, and manage internal tools is incredibly powerful.
We aren't turning Jarvis off. We are going to continue adding functionality, sandboxing his environment, and using him as the main interface for our internal operations.
OpenClaw isn't going to replace your development team tomorrow. But the teams that learn how to tame, secure, and build with these agents today are the ones who will dominate the market tomorrow.