The next step in AI, or too dangerous to trust?
Artificial intelligence continues to evolve at remarkable speed, and few tools have accelerated as dramatically as the agent now known as OpenClaw. Having previously carried numerous different names (such as Clawdbot and Moltbot), OpenClaw surged from obscure experiment to global talking point in a matter of weeks. It accumulated tens of thousands of GitHub stars almost overnight and has sparked intense debate about the future of autonomous AI and early AGI-like behaviour.
However, with sudden growth comes significant risk. OpenClaw has rapidly gained a reputation not just as a powerful personal AI assistant, but as a growing security concern. Its ability to act independently, access sensitive data, and interface with critical systems makes it a potential entry point for attackers and an emerging threat to individuals and organisations.
So, what is OpenClaw, why did it become popular so quickly, and why are cyber security professionals increasingly warning against using it?
What is OpenClaw?
OpenClaw is an open source, autonomous AI agent interface designed to run locally on a user’s computer or server. Developed by Peter Steinberger, OpenClaw was designed to be similar to other AI integrations, like Claude Code and Claude Work.
But, unlike traditional chatbots that only respond to prompts, OpenClaw is built to perform actions: managing files, browsing, controlling applications, handling messaging, executing scripts, and interacting with external services without requiring direct human oversight.
It was originally released in late 2025 under the name Clawdbot, before trademark pressure forced successive rebrands to Moltbot (the name chosen as lobsters have “claws” and “molt” their shells when they outgrow them) and eventually OpenClaw.
Despite that instability, its flexibility and locally run design helped it gain attention. Early adopters were drawn to its ability to read and write files, run terminal commands, and work with widely used platforms such as Slack, iMessage and WhatsApp.
The platform also supports an expanding marketplace of user created “skills,” allowing individuals to extend its functionality. While this has contributed to its popularity, it has also introduced significant security exposure.
When functioning properly, the experience can feel remarkably smooth, offering levels of personal automation that traditional assistants cannot match. But, because OpenClaw integrates deeply into system functions, it also introduces significant risk that many users do not fully understand.
Why has OpenClaw become so popular?
1. The appeal of autonomous productivity
Demonstrations circulating online showcased OpenClaw autonomously organising calendars, responding to messages, generating code, conducting research, and integrating with multiple systems simultaneously. This level of autonomy created a great deal of enthusiasm among developers and casual users.
2. Local execution feels safer
Many users preferred OpenClaw’s local-first architecture, believing it offered greater control and privacy. However, local execution only shifts the trust model – it does not eliminate cyber security risk.
3. A rapidly growing community of contributors
A simple quick-start setup meant users could begin experimenting with the agent within minutes, leading to thousands of modules being added in quick succession. The sheer speed of this community expansion created an appearance of momentum and legitimacy.
4. The launch of Moltbook
The introduction of Moltbook, an experimental social network where only AI agents can post, drew significant attention. Novelty helped drive more users to experiment with OpenClaw, but it also introduced further systemic risks.
Despite the positivity, experts have consistently warned that the tool’s adoption is outpacing its security maturity – leaving thousands of users exposed.
The security risks of OpenClaw
While OpenClaw’s capabilities are undeniably impressive, its security architecture is still immature, creating a broad range of risks.
1. Excessive access and permissions
To perform as an AI personal assistant, OpenClaw requires highly privileged access. It can read emails, access browser sessions, view documents, store tokens, and execute scripts. If misconfigured – or if a malicious skill is installed – OpenClaw can unintentionally modify files, delete content, or leak sensitive data externally.
This risk is compounded by the fact that the agent retains long term memory and may store sensitive details in plain text, increasing the attack surface for data breaches.
2. Exposed and unsecured deployments
Researchers have discovered tens of thousands of OpenClaw instances exposed to the public internet with no authentication in place. These deployments often reveal API keys, private messages, shell access, and control capabilities, effectively handing attackers full access to host devices.
Because OpenClaw encourages local hosting, many users deploy the agent without understanding the security implications, creating widespread unprotected entry points at scale.
3. Malicious or unsafe skills in the marketplace
One of OpenClaw’s most compelling features is also one of its biggest liabilities: the ability to extend functionality via community-built skills and plugins.
Security researchers have identified hundreds of malicious or unsafe skills uploaded to the ClawHub repository, including modules designed to exfiltrate data, steal credentials, or plug into sensitive parts of a system.
Since the marketplace originally lacked moderation or proper scanning, users had no reliable way to identify dangerous extensions.
4. Rapid agent development with limited security governance
OpenClaw’s fast development cycle is both one of its strengths and one of its weaknesses. The project is evolving so quickly that many core security controls, including encryption, access control, and input validation, have lagged behind.
Security reviews have uncovered:
- Exposed databases containing sensitive configuration data
- Unclear documentation for safe deployment
- Default settings that enable high levels of access
- Insufficient protections against prompt manipulation
This situation creates a treacherous environment, particularly for non-technical users who may not understand how to isolate the agent safely.
5. Single point of failure at system level
Since OpenClaw can run shell commands, manage files, and act under the user’s authority, compromising the agent effectively compromises the entire system.
Researchers have documented cases where attackers have gained access to OpenClaw configuration secrets and used them for impersonation or lateral movement across networks. In these scenarios, a single exploited instance can cascade into a major breach.
How attackers are actively exploiting OpenClaw
Evidence already shows that OpenClaw is being targeted by attackers who are taking advantage of misconfigured or exposed deployments. These attacks tend to follow predictable patterns.
Threat actors scan the internet for unsecured instances, test them for default or weak configurations, and then attempt to extract stored credentials or run commands on the underlying system.
Once access is gained, attackers can pivot further into the device or the wider network. As OpenClaw is designed to carry out tasks on the user’s behalf, any compromised agent can be used to automate malicious activity with minimal friction. For example, an attacker could use a hijacked instance to send messages, access browser sessions, or modify system files.
This speed and autonomy mean that the potential impact of an attack increases significantly. Even a single poorly secured OpenClaw deployment gives a malicious actor a foothold that is difficult to detect and even harder to contain.
Moltbook: the AI-only social network
Moltbook, launched in early 2026, serves as an autonomous multi-agent social platform where AI agents interact and chat without human intervention.
Though innovative, Moltbook quickly proved highly problematic:
- It exposed databases containing millions of API keys and private messages.
- Attackers were able to impersonate agents due to weak identity controls.
- No moderation system exists to prevent harmful content or unsafe instruction loops.
- Bots can influence each other, creating unpredictable behaviour, such as reinforcing unsafe actions or replicating harmful instructions.
This ecosystem represents a new and dangerous attack vector, especially given that agent behaviour is shaped by interactions outside the user’s control.
Shadow IT risks created by enthusiastic staff
Another concern is the risk of staff experimenting with OpenClaw without notifying their IT or cyber security teams. The agent is free to download and simple to run, so it may be installed by employees who are simply curious about emerging technology. Even if used innocently, this creates a blind spot for organisations, as unmanaged software cannot be monitored or secured.
A single unapproved installation has the potential to expose internal systems, emails, file storage locations, and messaging platforms. Given OpenClaw’s high level of access, this type of shadow IT can become riskier than an unauthorised cloud app or browser extension.
This challenge is not unique to OpenClaw, but the nature of autonomous agents amplifies the risk. Without strict policies and proactive communication, businesses may find themselves dealing with security incidents triggered by tools they did not even know were present within their environment.
Compliance and governance implications
For organisations under regulatory or governance frameworks, OpenClaw’s autonomous nature makes it difficult to evidence how decisions were made and why a specific action was triggered. This lack of transparency is problematic for businesses that must demonstrate compliance with standards such as GDPR, ISO 27001 or sector-specific regulations.
OpenClaw’s limited audit logging also complicates incident response. If the agent behaves unpredictably, or if a malicious skill influences its behaviour, determining the root cause requires more time and resources.
During this period, organisations may struggle to meet reporting deadlines or breach notification requirements. This raises the likelihood of regulatory penalties, especially if sensitive data was accessed or processed inappropriately.
The broader issue is that OpenClaw was not designed with corporate governance in mind. Its architecture does not include the controls, documentation standards, or accountability mechanisms required by most businesses.
Should you install OpenClaw in your workspace?
OpenClaw is an impressive demonstration of what autonomous AI agents may eventually become, with the potential to transform workflows. However, the current state of the tool makes it unsuitable for most users, especially those handling sensitive, corporate, or personal data.
OpenClaw may be usable if:
- You are highly technical
- You understand sandboxing and isolation
- You do not connect the tool to sensitive accounts
- You can regularly review and harden configurations
For these users, OpenClaw can serve as a glimpse into future autonomous tooling.
OpenClaw is not appropriate if:
- You work in a business handling confidential information
- You cannot guarantee safe isolation
- You are unfamiliar with the associated risks
- You need reliability and predictability
Enterprise environments are particularly vulnerable as OpenClaw undermines traditional identity security boundaries.
Additionally, given its popularity, malicious replicas of OpenClaw have appeared online. Users should be cautious when downloading installers from unverified sources, as these may contain malware.
Landall Services’ security team wouldn’t recommend using OpenClaw at this stage, unless it is used by an expert who understands the risks. The threat to personal or business systems and data is too great to offset the potential benefits, as it stands.
If you were to use it, we’d advise keeping a 24/7 SOC team aware of it, so any issues could be resolved quickly. To learn more about AI security and compliance, please reach out to Landall Services today.
The future of AI?
OpenClaw represents an exciting leap towards agentic AI, showcasing how agents could revolutionise productivity in the future. But today, the tool remains experimental, volatile, and highly risky.
Its deep system access, rapid community growth, lack of mature security safeguards, unmoderated skills ecosystem, and the unpredictable nature of Moltbook create a perfect environment for abuse.
Businesses (and most individuals) should avoid deploying OpenClaw in any capacity where data, privacy, or operational integrity matters. For now, it serves best as an academic curiosity rather than a tool.
The technology will undoubtedly continue to evolve, but until its security foundations catch up with its capabilities, the safest recommendation is caution, isolation, and strong scepticism.
Whatever impact AI may have on the future of your business, Landall Services will be there to keep you informed, updated and secure: follow us on LinkedIn for the latest news you need to know.