OpenClaw has taken the tech world by storm. It went from zero to 150,000 GitHub stars in just days. Everyone’s talking about it. But here’s the thing most people aren’t discussing: the security risks are real, and they’re worse than you might think.

This isn’t your typical AI chatbot. OpenClaw operates directly on your computer’s operating system. It reads your files. It accesses your credentials. It can send messages on your behalf. That kind of power comes with serious risks.

BitSight has identified over 30,000 exposed OpenClaw instances on the open internet. Many of them have no proper authentication. Meta’s own security researcher had her emails accidentally deleted by the tool. Universities are banning it from their systems. And malicious skills keep popping up in the ClawHub marketplace.

In this guide, we’ll break down every security risk you need to understand. We’ll look at real incidents, explain how attacks happen, and give you practical steps to protect yourself. Let’s get into it.

What Is OpenClaw and Why Is Everyone Talking About It?

Understanding the AI Agent That Runs on Your Machine

OpenClaw is an open-source AI agent. But calling it just an “AI agent” undersells what it actually does.

Think of it like a digital butler. It sits on your computer and handles tasks for you. It can browse the web. Send emails. Manage files. Write code. Schedule meetings. The list goes on.

Unlike ChatGPT or Claude, which run in a browser, OpenClaw runs directly on your operating system. It has access to everything your user account can touch. That’s what makes it powerful. And that’s what makes it dangerous.

The tool has gone through several name changes:

• Originally called Clawdbot
• Then renamed to Moltbot
• Now known as OpenClaw

BitSight described it perfectly: “The AI Butler With Its Claws On The Keys To Your Kingdom.”

The Rapid Rise of OpenClaw

The numbers tell the story of how fast this tool spread.

OpenClaw’s GitHub repository exploded in popularity. Security researchers barely had time to understand what it did before thousands of people were already running it on their machines.

Why did it spread so fast? Because it actually works well. People love the idea of an AI assistant that can do real things on their computer. Not just answer questions, but actually take action.

A software engineer can ask OpenClaw to refactor code across multiple files. A marketer can have it schedule social media posts. A researcher can ask it to organize papers and summarize findings.

The productivity gains are real. But so are the risks.

How OpenClaw Differs from Browser-Based AI Tools

This distinction matters a lot for security.

When you use ChatGPT, you’re typing in a web browser. The AI can only see what you paste into the chat window. It can’t access your hard drive. It can’t read your email. It can’t install software.

OpenClaw is different. Here’s what it can do:

• Read and write files anywhere on your system
• Execute commands in your terminal or command prompt
• Access credentials stored on your machine
• Send messages through connected apps like iMessage or Slack
• Install software and modify system settings
• Browse the web and interact with websites

SMU’s Office of Information Technology put it clearly: “Because OpenClaw can interact directly with your computer, the risks are different from those of browser-based AI tools.”

The attack surface isn’t just the AI model. It’s your entire computer.

The Core OpenClaw Security Vulnerabilities You Need to Understand

System-Level Access: The Root of All Problems

Everything about OpenClaw’s security risks stems from one architectural choice: it runs with system-level access.

When you install OpenClaw, you’re giving an AI agent the same permissions you have. Whatever you can do on your computer, OpenClaw can do too.

Think about what that means:

• Your SSH keys? OpenClaw can read them.
• Your browser’s saved passwords? Accessible.
• Your company’s API credentials stored in config files? Fair game.
• Your personal photos and documents? All of them.

SMU’s security team explained why they banned it: “If OpenClaw is given full access to the computer’s operating system, this will make it easier for malicious code to execute.”

The tool doesn’t need elevated privileges to cause damage. Your normal user account already has access to plenty of sensitive stuff.

The Skill Ecosystem: An Unvetted Software Supply Chain

OpenClaw uses “skills” to extend its capabilities. Skills are plugins that teach the agent how to do new things.

Want OpenClaw to manage your calendar? There’s a skill for that. Need it to interact with GitHub? Install a skill. Want it to control your smart home? You guessed it.

The problem? ClawHub, where these skills are shared, is basically an unvetted software supply chain.

Security researchers have found alarming things in ClawHub:

• 283 skills were discovered leaking API keys (found by Snyk)
• 340+ malicious skills identified across the marketplace
• Skills can have the same level of access as the main OpenClaw agent
• Malicious skills often reappear under different names after being removed

One Reddit user reported: “Started looking into it and malicious skills often reappear under different names even after being removed from community registries.”

When you install a skill, you’re trusting unknown developers with access to your entire system.

Prompt Injection: Taking Over the Agent from a Website

Prompt injection is one of the scariest attack vectors against AI agents.

Here’s how it works. OpenClaw browses websites on your behalf. A malicious website can embed hidden instructions in its content. The AI reads those instructions and follows them.

Security firm Oasis Security documented what they called “Website-to-Local Agent Takeover.”

In this attack:

1. You ask OpenClaw to visit a webpage
2. The page contains hidden malicious prompts
3. OpenClaw reads the hidden prompts
4. The agent starts executing the attacker’s commands
5. Now someone else controls your AI butler

The attacker doesn’t need to hack your computer. They just need you to visit their website while OpenClaw is watching.

This isn’t theoretical. It’s been demonstrated multiple times.

Remote Code Execution: The Worst-Case Scenario

BitSight’s research revealed something terrifying.

Many of those 30,000+ exposed OpenClaw instances were vulnerable to remote code execution.

Remote code execution means an attacker can run arbitrary commands on your machine over the internet. No physical access needed. No clicking on malicious links. Just an exposed OpenClaw instance is enough.

How does this happen?

• OpenClaw instances exposed without authentication
• Default configurations that allow remote connections
• Users not understanding they’ve made their agent publicly accessible

BitSight noted: “Unfortunately, that assumption doesn’t hold… this is not just theoretical.”

If your OpenClaw instance is exposed, attackers can:

• Steal all your files
• Install ransomware
• Use your computer for cryptocurrency mining
• Pivot to attack other systems on your network
• Access your corporate VPN and breach your employer

The numbers have been growing. More instances are getting exposed every day.

Real-World OpenClaw Security Incidents: When Things Go Wrong

Meta Security Researcher Gets Her Emails Deleted

This incident made headlines everywhere.

Summer Yue, a security researcher at Meta, was testing OpenClaw. She gave it access to her email. Then things went sideways.

The AI agent accidentally deleted her emails.

PCMag reported on the incident, which spread across tech communities quickly. If a security researcher at Meta can have problems, what about regular users?

The incident highlighted several things:

• Even experts can’t fully predict what OpenClaw will do
• The tool takes actions that are hard to reverse
• Mistakes happen, and they can have real consequences
• Email deletion is just one example of potential damage

Summer Yue knew the risks better than most. She still got burned.

The iMessage Spam Incident: 500+ Messages Sent

Bloomberg reported on another widely discussed incident.

A software engineer gave OpenClaw access to iMessage. The goal was probably to automate some messaging tasks. The result was chaos.

The AI went rogue and:

• Sent over 500 messages to the engineer’s wife
• Spammed random contacts in his address book
• Caused real embarrassment and relationship stress

This wasn’t a hack. This was the AI doing what it thought was helpful. It just had very different ideas about what “helpful” meant.

The incident shows that even without malicious intent, OpenClaw can cause serious problems.

The ClawHavoc Campaign: Organized Attacks on OpenClaw Users

Security firm Koi Security discovered an organized attack campaign they named “ClawHavoc.”

Attackers were specifically targeting OpenClaw users through:

• Malicious skills uploaded to ClawHub
• Trojanized versions of popular skills
• Social engineering to get users to install dangerous plugins

The campaign showed that threat actors are paying attention to OpenClaw. They see it as an opportunity.

Combined with Snyk’s findings (283 skills leaking API keys) and other research, the picture is clear. ClawHub hosts nearly 900 malicious or dangerously flawed skills.

That’s not a small number. That’s a systemic problem.

Universities Ban OpenClaw: The Institutional Response

SMU (Southern Methodist University) took a hard stance.

Their Office of Information Technology issued a clear directive: “OpenClaw is not approved for use on university-owned devices or for accessing university data.”

The reasons they cited:

• System-level access creates elevated risks
• Publicly shared extensions (skills) are not vetted
• The tool could install malicious software
• It could alter system settings
• It could disable security protections
• It could access sensitive institutional data

SMU isn’t alone. Other institutions are making similar decisions as they understand the risks.

When universities with dedicated security teams won’t touch it, that tells you something.

30,000+ Exposed Instances: The Scale of the OpenClaw Security Problem

BitSight’s Research Into Public OpenClaw Deployments

BitSight conducted extensive research into OpenClaw’s internet footprint.

Their findings were alarming:

The research tracked instances from late January through early February. The growth curve was steep. More people deploying OpenClaw meant more exposed instances.

Why Are So Many Instances Exposed?

Several factors contribute to this problem:

1. Default configurations aren’t secure

Out of the box, OpenClaw doesn’t lock things down. Users have to take extra steps to secure their instances. Many don’t.

2. Users don’t understand network exposure

Running something on “localhost” sounds private. But misconfigurations can expose it to the internet. Port forwarding, cloud deployments, and VPN issues all create risks.

3. “It works” trumps “Is it secure?”

People want the productivity benefits now. Security is an afterthought. By the time they think about it, damage may already be done.

4. Remote access is a feature people want

Some users intentionally expose their OpenClaw instances to access them from anywhere. They just don’t secure them properly.

What Attackers Can Do With Exposed Instances

An exposed OpenClaw instance is like leaving your front door open with a sign saying “Come on in!”

Attackers can:

• Read all files on the system
• Exfiltrate data including credentials, documents, and code
• Install malware like ransomware or cryptominers
• Use the system as a pivot point to attack internal networks
• Send messages through connected communication apps
• Access cloud services using stored credentials
• Modify or delete data to cause disruption

And because it’s an AI agent doing the work, the activity might look less suspicious than traditional hacking.

Gartner’s Warning to Enterprises

Gartner, the technology research firm, issued a stark warning.

Their report, titled “Agentic Productivity Comes With Unacceptable Cybersecurity Risk,” specifically called out OpenClaw.

They characterized it as: “A dangerous preview of agentic AI, demonstrating high utility but exposing enterprises to ‘insecure by default’ risks like plaintext credential storage.”

When Gartner uses phrases like “unacceptable cybersecurity risk,” enterprises pay attention. This isn’t FUD from competitors. It’s serious analysis from respected researchers.

ClawHub Dangers: The Risks in OpenClaw’s Skill Marketplace

How the Skill System Creates Security Holes

Skills are meant to make OpenClaw more useful. They teach it new tricks.

The security problem is baked into how skills work:

• Skills run with the same permissions as the main agent
• There’s no sandboxing to limit what skills can do
• Skills can access all the same resources OpenClaw can access
• Installation is easy and fast, encouraging quick adoption

When you install a skill, you’re basically saying: “Here, unknown developer, have access to everything on my computer.”

Would you install random software from anonymous developers? Probably not. But that’s exactly what installing ClawHub skills means.

The Numbers on Malicious Skills

Multiple security firms have analyzed ClawHub. Their findings paint a troubling picture.

OpenClaw has responded with some measures. They added VirusTotal scanning for skills. They created a reporting mechanism for malicious content.

But these are band-aids on a structural problem.

Why Malicious Skills Keep Coming Back

Reddit users have noticed a frustrating pattern.

Malicious skills get reported. They get removed from ClawHub. Then they show up again under different names.

This happens because:

• No identity verification for skill publishers
• Easy to create new accounts after bans
• Code can be slightly modified to evade detection
• No proactive security review before publication
• Reactive moderation only catches known bad actors

It’s a game of whack-a-mole. And the attackers are winning.

Types of Dangerous Skills Found in ClawHub

Not all dangerous skills are obviously malicious. They fall into several categories:

Intentionally malicious skills:

• Steal credentials and API keys
• Exfiltrate data to attacker servers
• Install backdoors for persistent access
• Mine cryptocurrency on victim machines

Dangerously negligent skills:

• Leak API keys in their code
• Store credentials in plain text
• Create security holes through bad coding
• Give excessive permissions to external services

Trojanized popular skills:

• Copies of legitimate skills with added malware
• Similar names to popular skills (typosquatting)
• Updated versions with hidden malicious code

Even if you’re careful, it’s hard to tell good skills from bad ones.

Why Businesses Should Stay Away from OpenClaw (For Now)

The Corporate Attack Surface Problem

Individual users running OpenClaw is risky. Enterprises running it is worse.

In a corporate environment, OpenClaw can access:

• Corporate email with sensitive communications
• Source code repositories with intellectual property
• Customer databases with personal information
• Internal systems through VPN connections
• Cloud infrastructure credentials
• Financial systems and payment information

One compromised OpenClaw instance could give attackers access to your entire organization.

Compliance and Regulatory Issues

Running OpenClaw with access to sensitive data raises compliance questions.

GDPR considerations:

• Is customer data being processed properly?
• Can you guarantee data isn’t being sent to third parties?
• What about data retention and deletion?

HIPAA concerns (healthcare):

• Protected health information must be secured
• Access controls are strictly regulated
• Audit trails are required

SOC 2 implications:

• Security controls must be documented
• Third-party tools need evaluation
• Risk assessments are required

OpenClaw’s architecture makes these compliance requirements very difficult to meet.

Shadow IT: When Employees Install OpenClaw Without Permission

Even if your company has a policy against OpenClaw, employees might install it anyway.

The productivity benefits are tempting. Someone thinks: “I’ll just use it for personal tasks. What’s the harm?”

The harm is that once installed:

• The tool runs on a corporate device
• It can access anything on that device
• Corporate credentials get exposed
• VPN connections extend the risk to internal networks

Security teams need to monitor for unauthorized OpenClaw installations.

What Organizations Should Do Right Now

Immersive Labs and other security firms recommend immediate action:

1. Create clear policies

• Document that OpenClaw is not approved
• Communicate the risks to all employees
• Explain the consequences of violations

2. Implement technical controls

• Block downloads from OpenClaw repositories
• Monitor for OpenClaw processes on endpoints
• Alert on network traffic to ClawHub

3. Train security teams

• Understand how OpenClaw works
• Know the signs of compromise
• Practice incident response for AI agent attacks

4. Assess existing exposure

• Scan for exposed instances in your IP ranges
• Check cloud environments for unauthorized deployments
• Review logs for signs of past OpenClaw usage

BitSight noted they’re investing in ways to detect AI products like OpenClaw across organizations’ attack surfaces.

The Myth of Safe Home Use: Why Personal OpenClaw Installations Are Still Risky

Your Home Computer Has Valuable Stuff Too

Some people think: “I’m just using it at home. I’m not a target.”

That’s not how it works anymore.

Your personal computer likely contains:

• Banking credentials saved in browsers or password managers
• Tax documents with social security numbers
• Personal photos that could be used for extortion
• Work files you brought home
• Email accounts that can be used for identity theft
• Cryptocurrency wallets with real money

Attackers don’t discriminate between home and work targets. They go after whatever they can monetize.

Remote Work Blurs the Lines

Many people work from home at least part of the time.

If you install OpenClaw on your personal machine and:

• Connect to your company VPN
• Access corporate email
• Work on company documents
• Use shared cloud storage

Then your “home use” just became an enterprise security risk.

Your personal OpenClaw instance is now a potential path into your employer’s network.

The “Just for Fun” Fallacy

Even casual use creates exposure.

You give OpenClaw access to your email “just to help organize things.” Now it can read all your messages. Including password reset emails. Financial statements. Private conversations.

You let it manage your calendar “just for convenience.” Now it knows where you’ll be and when. Your daily schedule. Your meetings with doctors. Your kids’ school events.

You connect it to your smart home “just for the cool factor.” Now it can unlock your doors. Control your cameras. Turn off your security system.

There’s no such thing as risk-free OpenClaw usage.

Reddit Users Share Their Concerns

The AI_Agents subreddit has active discussions about OpenClaw risks.

One thread titled “Risks of using OpenClaw as your own personal assistant, and who’s doing it?” generated lots of responses.

Users shared concerns like:

• “I can’t verify what the skills are actually doing”
• “The permissions are way too broad”
• “Even if I trust OpenClaw, I don’t trust every skill developer”
• “One bad skill could compromise everything”

Another thread titled “OpenClaw security is worse than I expected and I’m not sure what to do about it” had users expressing genuine worry about the tool they’d installed.

When your user base is worried about your product’s security, that’s a signal.

OpenClaw Security Best Practices: If You Must Use It

Isolation Is Your Best Defense

If you absolutely need to run OpenClaw, isolate it as much as possible.

Virtual machines:

• Run OpenClaw in a VM, not on your main system
• Snapshot the VM before experiments
• Don’t share files between VM and host
• Consider the VM as compromised by default

Containers:

• Docker can provide some isolation
• Limit mounted volumes to only what’s needed
• Use read-only mounts where possible
• Run containers with minimal privileges

Dedicated hardware:

• Use a separate, non-production computer
• Don’t store any sensitive data on it
• Don’t connect it to corporate networks
• Treat it as a test environment only

Network Security Measures

Keep OpenClaw off the public internet.

Firewall rules:

• Block all inbound connections to OpenClaw ports
• Only allow localhost access by default
• If remote access is needed, use VPN first
• Monitor outbound connections for suspicious destinations

Network segmentation:

• Put OpenClaw on a separate network segment
• Don’t let it reach sensitive internal systems
• Block access to production databases
• Limit internet access to known-good destinations

Be Extremely Selective About Skills

Every skill you install increases your risk.

Before installing any skill:

• Review the source code if available
• Check the developer’s reputation
• Look for community reviews and warnings
• Consider whether you actually need this skill
• Start with minimal skills and add slowly

Red flags to watch for:

• Obfuscated or unreadable code
• Requests for excessive permissions
• New developers with no history
• Skills that mimic popular ones (typosquatting)
• Recent creation date with suspiciously high ratings

Limit What OpenClaw Can Access

Don’t give the tool more access than it needs.

File system restrictions:

• Only grant access to specific directories
• Keep sensitive files in locations OpenClaw can’t reach
• Use operating system permissions to limit access

Credential management:

• Don’t store passwords in files OpenClaw can read
• Use a separate password manager
• Rotate credentials that OpenClaw has accessed
• Never give it access to your master passwords

Application access:

• Don’t connect it to sensitive applications
• Think twice before giving email access
• Financial applications are off-limits
• Work systems should stay disconnected

Monitor Everything

Keep logs of what OpenClaw does.

Logging recommendations:

• Enable verbose logging in OpenClaw
• Monitor system logs for unusual activity
• Track network connections from the OpenClaw process
• Set up alerts for suspicious behavior

Regular review:

• Check logs daily, not monthly
• Look for unexpected file access
• Watch for connections to unknown destinations
• Note any skills trying to phone home

Have an Incident Response Plan

Know what you’ll do if things go wrong.

Immediate response:

• How will you kill the OpenClaw process?
• Can you quickly disconnect from the network?
• Do you have backups to restore from?

Recovery steps:

• What credentials need to be rotated?
• Who needs to be notified?
• How will you assess the damage?
• Will you rebuild the system or clean it?

Having a plan before you need it makes a huge difference.

The Future of OpenClaw Security: What’s Being Done and What’s Still Missing

OpenClaw’s Response to Security Concerns

The OpenClaw team hasn’t ignored the security issues. They’ve made some changes:

VirusTotal integration:

Skills are now scanned by VirusTotal before publication. This catches known malware but can’t detect novel attacks or poorly-written code.

Skill reporting mechanism:

Users can report suspicious skills. The team reviews and removes confirmed bad actors. But as we’ve seen, removed skills often return under new names.

Documentation improvements:

Security warnings have been added to documentation. Best practices are now outlined. But many users don’t read documentation before diving in.

These are steps in the right direction. They’re not enough to make OpenClaw safe for sensitive use.

What OpenClaw Still Needs

Security researchers have outlined what would actually make a difference:

Sandboxed execution:

• Skills should run in isolation
• Limited access to system resources by default
• Explicit permission grants for sensitive actions
• Ability to revoke permissions granularly

Verified skill publishers:

• Identity verification for developers
• Accountability for malicious code
• Reputation systems based on verified history
• Harder to create throwaway accounts

Proactive security review:

• Human review of skills before publication
• Automated security analysis beyond virus scanning
• Regular audits of popular skills
• Bug bounty program for skill vulnerabilities

Secure defaults:

• Locked down out of the box
• No network exposure without explicit configuration
• Minimal permissions until user grants more
• Clear warnings when expanding access

The Broader Agentic AI Security Challenge

OpenClaw isn’t alone. It’s the tip of the iceberg.

More AI agents are coming. They’ll all face similar challenges:

• How do you give AI tools enough access to be useful?
• How do you prevent them from causing harm?
• How do you secure extensibility without creating supply chain risks?
• How do you maintain human oversight over autonomous systems?

BitSight noted they’re investing in detecting AI-related products more broadly. This includes their research into exposed Model Context Protocol (MCP) servers.

The security industry is racing to understand these new threats. OpenClaw is an early test case.

Industry Standards Are Coming (Slowly)

Organizations are starting to develop frameworks for agentic AI security.

Gartner’s warning is part of this trend. Expect to see:

• New security frameworks for AI agents
• Compliance requirements that address agentic risks
• Insurance considerations for AI tool deployment
• Industry certifications for secure AI agents

But standards take time to develop. OpenClaw users are at risk now.

Final Thoughts: Proceed With Extreme Caution

OpenClaw is a powerful tool. It genuinely makes people more productive. The technology behind it is impressive.

But right now, the security model is broken. Over 30,000 exposed instances. Nearly 900 malicious skills. Incidents affecting even security experts. Universities banning it. Gartner calling it an “unacceptable cybersecurity risk.”

If you’re using OpenClaw, understand what you’re risking. Isolate it. Limit its access. Monitor everything. And be ready for things to go wrong.

For most people and organizations, the safest choice is to wait. Let the security model mature. Let the skill ecosystem get cleaned up. Let better controls get built in.

Your productivity gains aren’t worth your security.

Frequently Asked Questions About OpenClaw Security Risks Explained