Microsoft Scout Arrives as an Always-On AI Agent for Microsoft 365
Microsoft used its Build 2026 developer conference on Tuesday to introduce Scout, a personal AI assistant built on the open-source OpenClaw framework. The company describes Scout as an "Autopilot" — an always-on, autonomous agent that carries its own persistent identity and acts on a user's behalf across Outlook, Teams, OneDrive, and the wider Microsoft 365 suite.
Rather than waiting to be told what to do, Scout is designed to take initiative. It can manage calendars, untangle scheduling conflicts, draft emails, process expense reports, and absorb the repetitive tasks that quietly eat into a workday — all without being prompted each time.
What Sets Scout Apart from a Standard Chatbot
The defining difference is presence. Conventional AI chatbots are visible only to the person using them. Scout behaves more like a colleague: it surfaces on internal email and calendar systems as though it were another employee. Each user names their own Scout instance and shapes its behavior over time by giving it ongoing feedback, allowing the agent to adapt to how a particular person works.
How Organizations Can Access Scout
For now, Scout is available through Microsoft's Frontier early-access program, which gives organizations an advance look at experimental AI features inside Microsoft 365. Access, however, comes with a billing requirement.
Using Scout depends on an active GitHub Copilot subscription and draws from each user's monthly GitHub AI Credits allowance — a usage-based billing model that took effect on June 1. Under that structure, Copilot Business subscribers receive $19 in monthly credits per user, while Enterprise subscribers are allotted $39.
Five Zero-Day Vulnerabilities Disclosed in OpenClaw
Scout's debut landed at an awkward moment for the framework beneath it. On June 3, security researchers disclosed five zero-day vulnerabilities in OpenClaw that let attackers bypass trust boundaries and hijack AI agent access. The flaws reach across several widely used messaging platforms, including Slack, Discord, Microsoft Teams, Matrix, and Zalo.
How the Impersonation Flaw Works
At the center of the problem is how OpenClaw handles identity. During service initialization, human-readable identifiers such as display names are resolved into stable, underlying user IDs. The catch is that display names are mutable on most chat platforms — users can change them at will. An attacker can exploit this by renaming themselves to match an allowlisted identity before a service restart. Once the service reinitializes and binds that display name to a trusted ID, the attacker effectively inherits that trust and can take full control over the agent's interactions.
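The binding problem described above, sketched as an added example (this is not OpenClaw or Microsoft code): an allowlist keyed on display names is re-resolved at each start, next to one pinned to stable IDs that only reports name drift. The function names, user IDs and directory records are all constructed for illustration.

```javascript
// Constructed directory snapshots from two service starts.
// `id` is the platform's stable identifier; `displayName` is user-editable.
const directoryAtFirstStart = [
  { id: "U100", displayName: "alice.admin" },
  { id: "U200", displayName: "guest-7" },
];
const directoryAtRestart = [
  { id: "U100", displayName: "alice" },       // the enrolled account changed its name
  { id: "U200", displayName: "alice.admin" }, // a different account now carries the allowlisted name
];

// Weak pattern: the allowlist stores names and is re-resolved to IDs at every start,
// so trust follows whoever holds the name at that moment.
function resolveByDisplayName(allowedNames, directory) {
  const matches = directory.filter((u) => allowedNames.includes(u.displayName));
  return new Set(matches.map((u) => u.id));
}

// Hardened pattern: the allowlist stores stable IDs pinned at enrolment.
// Names are never used to grant trust, only to report drift for review.
function resolveByStableId(pinned, directory) {
  const byId = new Map(directory.map((u) => [u.id, u]));
  const trusted = new Set();
  const warnings = [];
  for (const { id, enrolledName } of pinned) {
    const current = byId.get(id);
    if (!current) {
      warnings.push(`${id}: pinned account not found, not trusted`);
      continue;
    }
    trusted.add(id);
    if (current.displayName !== enrolledName) {
      warnings.push(`${id}: display name changed from "${enrolledName}" to "${current.displayName}"`);
    }
  }
  for (const u of directory) {
    if (!trusted.has(u.id) && pinned.some((p) => p.enrolledName === u.displayName)) {
      warnings.push(`${u.id}: unpinned account uses enrolled name "${u.displayName}"`);
    }
  }
  return { trusted, warnings };
}

const pinnedAllowlist = [{ id: "U100", enrolledName: "alice.admin" }];
console.log([...resolveByDisplayName(["alice.admin"], directoryAtRestart)]);
console.log(resolveByStableId(pinnedAllowlist, directoryAtRestart).warnings);
```

With the name-keyed allowlist the trusted set moves from U100 to U200 across the restart; with pinned IDs it stays on U100 and the name collision surfaces as a warning instead of a grant.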
A Growing Catalogue of OpenClaw Security Issues
The five newly disclosed flaws are not isolated incidents. They join a list of OpenClaw vulnerabilities that has been building since late January 2026. Earlier findings include a one-click remote code execution bug (CVE-2026-25253) and a broken access control flaw that enabled administrator takeover (CVE-2026-33579). In May, researchers at Cyera disclosed four additional vulnerabilities that could be chained together to escape the sandbox and escalate privileges.
The structural critique has been blunt. Palo Alto Networks has warned that OpenClaw fails to maintain enforceable trust boundaries between untrusted inputs and its high-privilege reasoning and tool-invocation functions — a weakness that helps explain why so many of these issues keep surfacing.
Enterprise Ambitions Meet Open-Source Risk
OpenClaw's appeal is hard to ignore. The framework has gathered more than 179,000 GitHub stars, a marker of rapid adoption that helps explain why Microsoft chose to build on it. But adopting the framework also means inheriting its attack surface.
Microsoft has tried to address that by wrapping Scout in enterprise governance layers, including Entra identity management. Even so, the security track record of the underlying framework remains a live concern for organizations weighing whether to deploy it.

