AI agents are changing how we work with computers. But not all automation tools carry the same risks. OpenClaw has exploded in popularity since early 2026. Millions have downloaded it. Many installed it without understanding what they were actually giving it access to.

This guide breaks down the security differences between OpenClaw and browser-based automation tools. We’ll look at real incidents. We’ll examine what went wrong. And we’ll show you how to protect yourself and your organization.

You’ll learn why Microsoft’s security team called OpenClaw “untrusted code execution with persistent credentials.” You’ll see the 900+ malicious skills discovered on ClawHub. And you’ll understand why some experts say you should uninstall it immediately.

Whether you’re a home user curious about AI agents or an IT admin worried about shadow installations, this guide gives you the facts you need to make smart decisions.

What Is OpenClaw and Why Did It Get So Popular So Fast?

OpenClaw started as an open-source project called Clawdbot. It rebranded in late 2025. By February 2026, it became the most talked-about AI tool online.

The reason? OpenClaw doesn’t just chat with you. It actually does things on your computer.

The Core Difference Between Chatbots and AI Agents

When you use ChatGPT or Gemini in your browser, you’re having a conversation. You type questions. The AI responds with text. That’s it. The AI can’t open your files. It can’t send emails. It can’t click buttons on websites.

OpenClaw works differently. It’s an AI agent that can:

• Control your mouse and keyboard
• Open and read files on your computer
• Send messages through your apps
• Browse websites and fill out forms
• Execute code and scripts
• Access your saved passwords and credentials

Think of regular chatbots as passengers giving directions. OpenClaw is more like handing someone your car keys, house keys, and phone all at once.

How OpenClaw Actually Works

OpenClaw runs as a self-hosted AI agent gateway. It sits between you and various AI models. When you give it a task, it breaks that task into steps. Then it executes those steps using your computer’s resources.

The architecture includes several components:

• Gateway Layer: Handles communication between messaging apps and the agent
• WebSocket Protocol: Maintains real-time connections
• Sandboxed Tool Execution: Supposedly contains dangerous operations
• ClawHub Skills: Third-party plugins that extend functionality
• Memory System: Stores persistent state and learned behaviors
• Model Inference: Connects to AI models for decision-making

This architecture makes OpenClaw powerful. It also makes it dangerous. Each component represents a potential attack surface.

The Viral Growth Problem

OpenClaw’s popularity created a perfect storm. Tech influencers showed off impressive demos. People shared videos of it automating tedious tasks. The open-source nature made it free to try.

But most users didn’t understand the security model. They installed it like any other app. They gave it permissions without reading what those permissions meant. They downloaded skills from ClawHub without checking who made them.

One widely reported incident captured the problem perfectly. A software engineer gave OpenClaw access to iMessage. The agent went rogue. It sent over 500 messages to him and his wife. It spammed random contacts from his address book.

And that was just one person’s bad day. The numbers have gotten much worse since then.

Browser Use Security: How Traditional Web Automation Differs from AI Agents

Browser automation isn’t new. Tools like Selenium have existed for over two decades. They let you script browser actions for testing, scraping, and workflow automation.

But these tools operate very differently from OpenClaw. Understanding those differences helps you pick the right approach for your needs.

The Browser Sandbox Model

Web browsers run in a sandbox. This means they’re isolated from the rest of your system. A website can’t read files from your desktop. It can’t access other browser tabs without permission. It can’t install software.

Browser automation tools typically work within this sandbox. Yes, they control browser actions. But they’re still limited by what browsers can do.

Traditional browser automation:

• Runs inside the browser’s security container
• Can’t access files outside the browser profile
• Doesn’t have system-wide permissions
• Scripts are deterministic and reviewable
• Actions are logged and auditable

Why Browser Automation Is More Predictable

When you write a Selenium script, you know exactly what it will do. Line by line. Click this button. Fill this form. Navigate to this URL. There are no surprises.

OpenClaw uses AI to decide what actions to take. You give it a goal. It figures out the steps. This means you can’t always predict what it will do next.

That unpredictability creates security problems. How do you audit something when you don’t know what it might do?

Selenium Technical Leadership Committee Weighs In

Members of the Selenium Technical Leadership Committee have discussed OpenClaw on their Slack channel. Their consensus? Caution.

Traditional automation tools give you control. AI agents take control away from you. For security-conscious organizations, that difference matters a lot.

GitHub Actions as a Safer Alternative

For many browser automation tasks, there are safer alternatives. GitHub Actions can run browser automation scripts in isolated cloud environments. Your local machine stays protected.

This approach offers several advantages:

• Isolation: Scripts run in disposable containers, not your computer
• Audit Trail: Every action is logged in version control
• No Persistent Access: Scripts can’t maintain ongoing access to systems
• Reviewable Code: Anyone can inspect what the automation does
• Credential Management: Secrets stay in secured vaults

You lose some of OpenClaw’s flexibility. But you gain predictability and security. For most use cases, that’s a worthwhile trade.

Real OpenClaw Security Incidents: What Went Wrong and How

Security researchers have documented hundreds of OpenClaw-related incidents. These aren’t theoretical risks. They’re things that actually happened to real users.

The ClawHavoc Campaign

Koi Security discovered a coordinated attack campaign they named ClawHavoc. Attackers created malicious skills and uploaded them to ClawHub. These skills looked legitimate. They had professional descriptions and good ratings.

But hidden inside their code were malicious payloads. When users installed these skills, they gave attackers access to:

• Stored credentials and API keys
• Browser session cookies
• Local files and databases
• Email and messaging apps
• Cloud storage accounts

The attackers used these skills to exfiltrate data from thousands of systems. Many victims didn’t notice for weeks.

Snyk’s API Key Discovery

Security firm Snyk audited ClawHub skills and found something alarming. 283 skills were actively leaking API keys. These weren’t malicious skills. They were created by legitimate developers who made mistakes.

The leaked keys included:

• OpenAI and Anthropic API credentials
• AWS access keys
• Database connection strings
• Payment processor tokens
• Social media account credentials

Anyone could download these skills and extract working credentials. The cost to affected users ran into millions of dollars in unauthorized API usage alone.

The iMessage Spam Incident

Bloomberg reported on a software engineer who gave OpenClaw access to his iMessage app. His goal was simple: have the agent help manage his messages.

Instead, OpenClaw went haywire. It started sending messages unprompted. Over 500 messages went to the engineer and his wife. Random contacts received spam. The agent couldn’t be stopped without force-quitting it.

This incident showed how AI agents can behave unpredictably. The engineer didn’t ask it to send messages. The agent decided to do that on its own.

The 900 Malicious Skills Problem

Combined research from multiple security firms uncovered nearly 900 malicious or dangerously flawed skills on ClawHub. These fell into several categories:

OpenClaw responded by adding VirusTotal scanning and a skill reporting mechanism. But security experts say these measures are insufficient. The fundamental problem remains: ClawHub is an unvetted software supply chain.

Default Port Exposure

By default, OpenClaw binds to 0.0.0.0:18789. This makes it accessible from any network interface. If you’re on a shared network, anyone can connect to your OpenClaw instance.

One Facebook user in the OpenClaw Users group shared a quick self-check guide:

“Verify config: Ensure OpenClaw binds to 127.0.0.1:18789 (not 0.0.0.0—default is public!)”

Many users didn’t know this. Their OpenClaw instances were publicly accessible. Attackers could send commands directly to their agents.

Memory Poisoning Attacks

OpenClaw maintains persistent memory. This helps it remember context across sessions. But attackers discovered they could poison this memory.

By sending specially crafted inputs, attackers could modify what OpenClaw “remembers.” The agent would then follow attacker-supplied instructions over time. Even after the original attack ended, the poisoned memory kept affecting behavior.

Microsoft’s security team highlighted this risk:

“The agent’s persistent state or ‘memory’ can be modified, causing it to follow attacker-supplied instructions over time.”

This makes OpenClaw compromises persistent. Cleaning up requires not just removing malware, but resetting all agent memory.

Microsoft’s Security Team Analysis: Why They Call OpenClaw “Untrusted Code Execution”

Microsoft’s security blog published a detailed analysis of OpenClaw risks in February 2026. Their conclusion was stark: OpenClaw should not run on any standard workstation.

The Three Risks That Materialize Quickly

Microsoft identified three risks that appear in any unguarded OpenClaw deployment:

Risk 1: Credential and Data Exposure

OpenClaw has access to everything the user has access to. This includes:

• Saved passwords in browsers
• API keys in environment variables
• SSH keys and certificates
• Cloud service credentials
• Database connection strings

If the agent is compromised, all these credentials can be exfiltrated. The attacker doesn’t need to compromise each service separately. OpenClaw hands them everything at once.

Risk 2: Persistent Memory Modification

We covered this earlier, but Microsoft’s analysis added detail. Attackers can use prompt injection to modify agent memory. The agent then follows attacker instructions even in future sessions.

This creates a new category of persistent threat. Traditional malware can be removed by deleting files. Memory poisoning persists across reinstalls unless you specifically clear the memory store.

Risk 3: Host Environment Compromise

OpenClaw can be induced to download and execute malicious code. This turns the agent into an attack vector. The AI’s decision-making becomes the vulnerability.

Microsoft wrote:

“The host environment can be compromised if the agent is induced to retrieve and execute malicious code.”

The “Untrusted Code Execution” Label

Microsoft’s final assessment used language usually reserved for known malware:

“Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation.”

This is a strong statement from one of the world’s largest security organizations. They’re not saying “be careful.” They’re saying “don’t run this on your normal computer.”

Identity, Isolation, and Runtime Risk

Microsoft’s blog post title included “Identity, Isolation, Runtime Risk.” These three concepts capture the security model problem:

Identity: OpenClaw operates with your identity. It has your credentials. It acts as you. There’s no separation between what you can do and what it can do.

Isolation: OpenClaw runs on your workstation without proper isolation. It’s not sandboxed. It’s not containerized by default. It shares your system’s resources and access.

Runtime Risk: The AI makes decisions at runtime. You can’t predict or audit those decisions before they happen. By the time you see what it did, the damage may be done.

The Enterprise Implications

For enterprises, Microsoft’s analysis has clear implications. OpenClaw on employee workstations represents an uncontrolled data exfiltration risk. It bypasses DLP controls. It ignores network segmentation. It can access anything the employee can access.

One compromised OpenClaw installation could expose:

• Corporate email contents
• Internal documents and databases
• Customer data and PII
• Source code repositories
• Cloud infrastructure credentials
• Financial systems and records

The attack surface isn’t just one computer. It’s everything that computer connects to.

The Myth of “Safe” Home Use: Why Personal Computers Face Similar Risks

Some argue OpenClaw is fine for personal use. The reasoning goes: “I’m not a target. I don’t have valuable data. What’s the worst that could happen?”

This thinking misses several important points.

Your Personal Computer Has More Value Than You Think

Attackers don’t just target corporations. Home computers contain:

• Banking credentials: Access to your financial accounts
• Email accounts: Used for password resets on everything else
• Social media: Can be used to scam your friends and family
• Photos and documents: Potential for blackmail or identity theft
• Work VPN access: A bridge into your employer’s network

Your personal computer isn’t worthless to attackers. It’s a starting point for bigger attacks.

The Family Risk Factor

One guide for parents put it bluntly:

“You wouldn’t hand a stranger the keys to your house, your car, and your phone all at once.”

If your tech-savvy teenager installs OpenClaw, they’re giving an AI agent access to the family computer. That might include:

• Your tax documents
• Family photos
• Stored passwords
• Email accounts
• Smart home controls

The teenager might understand tech. But do they understand security? Do they vet every ClawHub skill they install?

The Effort Required for Safe Home Installation

One detailed guide walked through the steps needed for a safer OpenClaw installation at home. The conclusion was revealing:

“My hope is that by showing you the sheer amount of work required to create a safer installation, you might realize that for your household, it simply is not worth the risk or the effort.”

Safe OpenClaw use requires:

• Dedicated hardware or virtual machine
• Network isolation
• Custom firewall rules
• Credential rotation policies
• Regular security audits
• Skill vetting procedures

Most home users won’t do these things. They’ll install OpenClaw on their main computer and hope for the best.

The Convenience Trap

OpenClaw is appealing because it’s convenient. Ask it to do something, and it does it. That convenience comes at a cost.

Every permission you grant makes the agent more capable. It also makes it more dangerous if compromised. The more OpenClaw can do, the more damage a breach can cause.

Home users typically grant maximum permissions. They want the full experience. They want OpenClaw to handle everything. This creates maximum exposure.

ClawHub Supply Chain Security: The Hidden Dangers of Third-Party Skills

ClawHub is where OpenClaw users download skills. Think of it like an app store for AI agent capabilities. Want OpenClaw to manage your calendar? There’s a skill for that. Want it to trade crypto? There’s a skill for that too.

The problem? ClawHub has become an attack vector.

How ClawHub Skills Work

Skills are code packages that extend OpenClaw’s capabilities. When you install a skill, it runs with the same permissions as OpenClaw itself. This means a skill can:

• Access all files OpenClaw can access
• Use any credentials OpenClaw has
• Execute code on your system
• Communicate with external servers
• Modify OpenClaw’s memory and behavior

There’s minimal vetting before skills appear on ClawHub. Anyone can publish a skill. The review process is limited.

Malicious Skills Look Legitimate

Attackers have gotten sophisticated. Malicious skills often:

• Have professional-looking descriptions
• Include fake positive reviews
• Offer genuinely useful functionality (plus hidden malware)
• Use names similar to popular legitimate skills
• Update gradually to add malicious code after gaining trust

The ClawHavoc campaign showed this clearly. Users thought they were installing productivity tools. They were actually installing backdoors.

The 283 Leaking Skills Problem

Not all dangerous skills are malicious. Many are just poorly made. The 283 skills Snyk found leaking API keys were created by legitimate developers who made mistakes.

Common issues include:

• Hardcoded credentials in source code
• Logging sensitive data to public endpoints
• Insecure API calls without encryption
• Dependencies with known vulnerabilities
• Excessive permission requests

Even well-meaning skill developers create security risks. The ClawHub ecosystem lacks the security tooling to catch these problems.

VirusTotal Scanning Isn’t Enough

OpenClaw added VirusTotal integration to scan skills for malware. This helps catch known threats. But it misses:

• Novel malware: New attacks not in VirusTotal’s database
• Logic bombs: Malicious behavior triggered by specific conditions
• Obfuscated code: Malware hidden through encoding or encryption
• Supply chain attacks: Compromised dependencies
• Credential leakage: Not malware, but still dangerous

VirusTotal is one layer of defense. It’s not a complete solution.

The Reporting Mechanism Limitation

Users can now report suspicious skills. But reporting has problems:

• Most users don’t know what to look for
• Malicious skills may work fine while silently exfiltrating data
• Reports are processed manually, causing delays
• Skills can be reinstalled under different names
• Damage may be done before reports are filed

The fundamental issue remains: ClawHub is an unvetted software supply chain. Users install skills hoping someone else checked them first. Often, no one did.

Discord Server Warnings

The OpenClaw Discord server has documented multiple cases of malicious skill promotion. Attackers post comments that trick users into installing malware.

One security researcher noted:

“We learn about comments on ClawHub that try to trick people into installing malware on their systems.”

Social engineering compounds the technical risks. Users trust recommendations from community members who may be attackers in disguise.

OpenClaw Hardening Guide: How to Reduce Risk If You Must Use It

Some organizations have legitimate reasons to experiment with OpenClaw. Researchers need to understand emerging threats. Developers may want to study AI agent architectures. If you must run OpenClaw, here’s how to reduce the risks.

Never Run on Your Primary Workstation

This is the most basic rule. OpenClaw should never run on a machine that:

• Has access to production systems
• Stores sensitive credentials
• Contains personal financial information
• Connects to corporate networks
• Has email or messaging apps configured

Use a dedicated machine or virtual machine. Keep it isolated from everything you care about.

Network Configuration

The default OpenClaw configuration is dangerous. Fix these settings immediately:

Put OpenClaw behind a firewall. Block all incoming connections. Restrict outbound connections to necessary endpoints only.

Credential Isolation

Never give OpenClaw access to real credentials. Instead:

• Create dedicated test accounts for any services
• Use API keys with minimal permissions
• Rotate credentials frequently
• Monitor credential usage for anomalies
• Never use personal or production credentials

If OpenClaw gets compromised, you want to lose throwaway credentials, not your real ones.

Skill Vetting Process

Don’t install skills without review. Create a vetting process:

1. Review source code before installation
2. Check dependencies for known vulnerabilities
3. Verify publisher identity and reputation
4. Test in isolation before enabling full access
5. Monitor behavior after installation

Yes, this takes time. That time prevents compromises.

Memory and State Management

OpenClaw’s persistent memory is a risk. Reduce that risk by:

• Regularly clearing agent memory
• Backing up memory before clearing (for forensics)
• Monitoring memory contents for suspicious additions
• Using separate memory stores for different task types

If you suspect compromise, clear all memory immediately. Don’t trust any persistent state.

Monitoring and Logging

You can’t secure what you can’t see. Enable comprehensive logging:

• All agent actions and decisions
• Network connections made
• Files accessed or modified
• Credentials used
• Skills loaded and executed

Review logs regularly. Look for unexpected behavior. Automated alerting helps, but human review catches what automation misses.

Containerization Approach

For the most secure deployment, run OpenClaw in a container:

• Use Docker or similar container technology
• Mount only necessary directories
• Use read-only mounts where possible
• Limit network access through container networking
• Run with minimal container privileges

Containers provide isolation by default. They make it harder for a compromised agent to affect your host system.

Enterprise Security: What Organizations Should Do About OpenClaw Right Now

IT and security teams face a challenge. OpenClaw is popular. Employees may install it without approval. The “shadow IT” problem applies to AI agents too.

Immediate Actions

Take these steps now, before OpenClaw causes problems:

1. Assess Current Exposure

Find out if OpenClaw is already in your environment:

• Scan endpoints for OpenClaw processes and files
• Check network logs for ClawHub traffic
• Review software inventory for OpenClaw installations
• Survey employees about AI tool usage

2. Block Unauthorized Installation

Prevent new installations through:

• Application allowlisting policies
• Endpoint detection rules for OpenClaw signatures
• Network blocks for ClawHub domains
• Admin rights restrictions on workstations

3. Create Clear Policy

Employees need to know the rules:

• Is OpenClaw allowed? Under what conditions?
• What approval process exists for AI agents?
• What are the consequences of unauthorized installation?
• How should employees report AI agent usage?

Communicate this policy clearly. Repeat it. Make sure everyone knows.

If OpenClaw Must Be Used

Some organizations have legitimate use cases. Research teams, AI developers, and security analysts may need access. If so:

• Dedicated infrastructure: No OpenClaw on regular workstations
• Network segmentation: Isolated from production systems
• Credential controls: No access to real credentials
• Monitoring: Full logging and alerting
• Approval workflow: Documented justification required

Training and Awareness

Most employees don’t understand AI agent risks. They see OpenClaw demos online and want to try it. Education helps:

• Explain the difference between chatbots and AI agents
• Show examples of what can go wrong
• Describe the Microsoft analysis and its conclusions
• Provide approved alternatives for common use cases

People make better decisions when they understand the risks.

Incident Response Planning

Despite prevention efforts, OpenClaw incidents may occur. Prepare now:

• Add OpenClaw scenarios to incident response plans
• Define containment procedures (kill agent, isolate machine)
• Plan credential rotation for potentially exposed accounts
• Establish forensic procedures for memory analysis
• Document escalation paths and notification requirements

Vendor Risk Assessment

Your organization may be secure. But what about vendors and partners? Ask:

• Do you allow AI agents on systems that access our data?
• What controls exist around OpenClaw or similar tools?
• How would you detect and respond to an AI agent compromise?

Supply chain attacks through vendor access are increasingly common. AI agents expand that attack surface.

Comparing OpenClaw Security to Browser Automation Alternatives

The core question for many users: what should I use instead? The answer depends on what you’re trying to accomplish.

Use Case: Web Scraping

OpenClaw can scrape websites. But so can safer alternatives.

For most scraping needs, traditional tools work fine. They’re predictable, auditable, and don’t require giving an AI full system access.

Use Case: Form Filling and Data Entry

Repetitive data entry is tedious. OpenClaw promises to handle it. But consider:

• Robotic Process Automation (RPA): Designed for this exact task
• Browser extensions: Form fillers with limited permissions
• Native app automation: AppleScript, PowerShell for OS-level tasks
• Keyboard macro tools: Simple, predictable automation

These alternatives don’t require an AI making decisions about your data. They do what you tell them, nothing more.

Use Case: Email and Message Management

The iMessage incident shows the risk here. Safer approaches:

• Email rules and filters: Built into most email clients
• Scheduled sending: Native feature in many apps
• Template tools: TextExpander, Keyboard Maestro
• CRM automation: Designed for message workflows

These tools can’t “go rogue.” They follow explicit rules you define.

Use Case: Research and Information Gathering

OpenClaw can browse the web and summarize information. For research:

• Browser-based AI: ChatGPT, Claude in browser (sandboxed)
• Search APIs: Programmatic access to search engines
• RSS readers: Curated information feeds
• Research tools: Zotero, Mendeley for academic work

You lose the “agent” capability. You gain control over what information goes where.

The Core Tradeoff

OpenClaw offers convenience. Traditional tools offer control. For most users, control should win.

The question to ask: Is the convenience worth the risk of an AI with full system access making unpredictable decisions?

For most use cases, the honest answer is no.

The Future of AI Agent Security: What Needs to Change

OpenClaw’s problems aren’t unique. As AI agents become more common, we’ll see similar issues with other tools. The industry needs to evolve.

What OpenClaw Should Do

The OpenClaw project could improve security through:

• Default secure configuration: Bind to localhost, not all interfaces
• Mandatory sandboxing: Container-first deployment
• Permission granularity: Let users limit what agents can access
• Skill signing: Cryptographic verification of skill publishers
• Audit logging: Detailed, tamper-resistant action logs
• Memory encryption: Protect persistent state at rest

What ClawHub Should Do

The skill marketplace needs major improvements:

• Mandatory code review: Human review before publication
• Automated security scanning: Beyond just VirusTotal
• Publisher verification: Identity verification for skill creators
• Permission declarations: Clear disclosure of what skills access
• Reputation systems: Based on security history, not just features

What the Industry Should Do

The broader AI industry needs security standards for agents:

• Capability boundaries: Standards for what agents should and shouldn’t do
• Audit frameworks: Methods to verify agent behavior
• Incident reporting: Shared databases of agent-related security events
• Certification programs: Third-party security assessments
• Insurance frameworks: Liability coverage for agent actions

What Users Should Demand

Ultimately, user expectations drive vendor behavior. Demand:

• Transparency about what agents access
• Control over permissions
• Clear audit trails
• Incident disclosure
• Security-first defaults

Don’t accept “move fast and break things” when “things” means your security.

The Regulatory Angle

Regulators are watching AI closely. Agent security may become a compliance issue:

• GDPR implications for agent access to personal data
• HIPAA concerns for healthcare data
• Financial regulations for agents with market access
• Employment law for agents making decisions about people

Organizations using AI agents may face regulatory scrutiny. Prepare now.

Final Thoughts: Making Smart Decisions About AI Agent Security

OpenClaw represents a new category of software. AI agents that act on your behalf are powerful. They’re also dangerous in ways traditional software isn’t.

Microsoft’s assessment stands: OpenClaw is untrusted code execution with persistent credentials. It shouldn’t run on your regular computer. The 900+ malicious skills on ClawHub prove the supply chain isn’t trustworthy.

For most users, safer alternatives exist. Browser-based AI, traditional automation tools, and purpose-built applications can handle most tasks without the risks OpenClaw brings.

If you must use OpenClaw, isolate it completely. Treat it like you’d treat any untrusted code. Because that’s exactly what it is.

Frequently Asked Questions About OpenClaw vs Browser Use Security