You have probably seen it by now.

Your Twitter feed. Your YouTube recommendations. That one person in your no-code community who will not stop talking about it. OpenClaw — the AI agent that lets you message your computer like it is a colleague and watch it actually do things.

“It negotiated a £3,300 discount on a car for me.”

“It manages my entire inbox now.”

“I built and deployed a website from my phone.”

If you are anything like me, you watched those videos with a mixture of excitement and terror. The excitement is obvious — this is the AI assistant we have been promised since Siri first misheard us in 2011. The terror? Well, that kicked in about thirty seconds after installation when I clicked a button and thought: “Oh no… what is it doing now?”

Here is the thing: OpenClaw is genuinely brilliant. It represents a real shift in what is possible for people like us — the no-code builders, the automation enthusiasts, the n8n tinkerers who love making technology work without writing thousands of lines of code.

But it is also a security minefield that most YouTube tutorials conveniently forget to mention.

This is not a how-to guide (there are plenty of those). This is not a hit piece on the code (the project is impressive). This is the article I wish I had read before I started experimenting — a balanced look at why OpenClaw matters, why it is risky, and how to engage with the agentic AI revolution without accidentally handing your digital life to a very enthusiastic robot.

Wait, What Even Is OpenClaw?

Let me back up for those who have somehow avoided the hype.

OpenClaw is an open-source AI agent that runs on your own computer — a Mac, a Linux box, a Windows machine via WSL2, even a Raspberry Pi. You connect it to an AI model (Claude, GPT-4, Gemini, or a local model), hook it up to your messaging apps (WhatsApp, Telegram, Slack), and suddenly you can text your computer and it will actually do what you ask.

Not “here is some information about that.” Actually do it. Send emails. Book calendar appointments. Control your smart home. Run shell commands. Build websites. Write code. Manage files.

Sound familiar? It should. This is what Apple, Google, and Microsoft have been promising us for a decade. The difference is that a semi-retired Austrian developer named Peter Steinberger built a working version in about an hour, open-sourced it, and watched it become the fastest-growing project in GitHub history — hitting 173,000+ stars in weeks.

The Origin Story (in Brief)

Peter Steinberger sold his company PSPDFKit for a reported ~£80 million, took some time off, and then casually built a personal assistant by connecting a chat app to Claude. He called it “Clawd” (a lobster-themed pun on Claude). He assumed the big tech companies would build something similar. They did not. So he released it.

Then Anthropic sent a trademark complaint. The project became MoltBot. Within seconds — literally seconds — scammers seized the old Twitter handle and launched a fake crypto token that hit a £13 million market cap before crashing.

Two days later, it was renamed again to OpenClaw because “MoltBot never quite rolled off the tongue.”

In one week: 100,000+ GitHub stars, 2 million website visitors, three name changes, a crypto scam, and a malware attack. Best Buy in San Francisco sold out of Mac minis.

Why Everyone Is Losing Their Minds

Here is the honest truth: the hype is not entirely unjustified.

If you have spent any time building automations in n8n, Make, or Zapier, you know the pain. You are essentially playing a very expensive game of “if this, then that” where you have to anticipate every possible scenario in advance. It works, but it is rigid. The moment something unexpected happens, your carefully constructed workflow falls over.

OpenClaw is different. You do not pre-program every path. You just… ask. And the AI figures out how to accomplish what you want.

Want to check your email for anything urgent while you are commuting? You message it.

Want to reschedule a meeting because you are stuck in traffic? You message it.

Want to find the best-reviewed restaurant near your next appointment, book a table, and add it to your calendar? You message it.

This is genuinely useful. This is genuinely impressive. And this is genuinely where the no-code community is heading whether we are ready or not.

The “Oh No, What Have I Done?” Moment

But here is where I need to be honest with you.

Have you ever clicked “Allow” on a permissions popup without really reading it? Have you ever pasted an API key somewhere and thought, “I should probably be more careful about this”? Have you ever given a tool access to your email and immediately felt a small knot of anxiety?

Now imagine giving that level of access to an AI that can:

  • Execute shell commands on your computer
  • Read and send emails on your behalf
  • Access your files
  • Browse the web
  • Control other applications
  • Write new code for itself when it does not know how to do something

Feeling that knot tightening? Good. That is the appropriate response.

Because here is what the security researchers found when they started looking at OpenClaw installations around the world:

The Security Reality Check

I am going to give you the facts. Not to scare you away — but because you deserve to make an informed decision about whether and how to use this technology.

The Numbers That Should Make You Pause

| What Researchers Found | Why It Matters |
|---|---|
| 1,800+ exposed OpenClaw instances found on the open internet | Many users never changed the default settings, leaving their agents accessible to anyone |
| 8 instances with zero authentication | Complete strangers could run commands on these people’s computers |
| 5 critical security vulnerabilities (CVEs) assigned | These are not theoretical — they are documented, exploitable flaws |
| 386 malicious “skills” uploaded to the ClawHub registry | Including one disguised as a helpful notification tool that was actually malware |
| $47,000 API bill from a single runaway automation | An 11-day recursive loop that the user did not notice until the invoice arrived |

What the Security Experts Are Saying

This is not me being paranoid. These are direct quotes from the people whose job it is to protect us from cyber threats:

Google Cloud’s VP of Security Engineering, Heather Adkins: “Don’t run Clawdbot.”

Cisco’s Security Team: Called it “everything personal AI assistant developers have always wanted” and “an absolute nightmare” — in the same paragraph.

Gartner: Warned it “comes with unacceptable cybersecurity risk for most users.”

Palo Alto Networks: Identified what they called a “lethal trifecta” — the combination of private data access, untrusted content exposure, and external communication ability.

One researcher demonstrated extracting an SSH private key from an OpenClaw instance in five minutes using a technique called prompt injection. Another user reported their agent deleted 75,000 emails overnight because of a misconfigured rule.

The Scary Stuff (Let’s Not Sugarcoat It)

Prompt Injection: When Your Agent Gets Manipulated

Here is something that probably never occurred to you: your AI agent reads things. Emails. Documents. Web pages. Chat messages.

What happens if someone sends you an email that contains hidden instructions for your AI?

This is called prompt injection, and it is devastatingly effective against AI agents. A malicious email could contain invisible text that tells your OpenClaw agent to forward all future emails to an attacker, or to run a specific command, or to upload your files somewhere.

You would never see it. You would never approve it. But your agent — which you gave broad permissions to act on your behalf — would just… do it.

Real Example: Security researchers sent an email to an OpenClaw user that appeared completely normal to the human reader. Hidden in the message was an instruction that caused the AI to extract and exfiltrate the user’s SSH private key. Total time: five minutes.

The Supply Chain Attack (It Already Happened)

Remember those name changes? ClawdBot → MoltBot → OpenClaw?

Each transition created an opportunity for attackers. They seized abandoned npm packages, GitHub repositories, and social media handles. They uploaded malicious skills to the community registry. One skill called “What Would Elon Do?” — which sounds like a harmless novelty — was actually malware that stole data and ran hidden commands.

It was artificially inflated to become the #1 ranked skill in the repository.

A malicious VS Code extension called “ClawdBot Agent” was also discovered installing trojans.

This is not hypothetical. This happened. In the first two weeks.

Memory Poisoning: The Long Game

OpenClaw has persistent memory. It learns about you over time. This is a feature — it is how the agent gets better at understanding your preferences.

It is also a vulnerability.

Palo Alto Networks identified something unique about OpenClaw’s risk profile: because it has persistent memory, a compromised session does not just end when you close the chat. An attacker could plant instructions that sit dormant in the agent’s memory and activate later.

Think of it like a sleeper agent. Your AI is compromised today, but the damage happens next week — triggered by a specific phrase or event.

The Cost Reality (Your Wallet Is Also at Risk)

Security is not the only concern. Let’s talk about money.

OpenClaw uses AI models via API. Every message, every action, every task consumes tokens. Tokens cost money.

What Real Usage Actually Costs

Shelly Palmer, a veteran tech analyst, spent a week configuring OpenClaw and documented his experience:

Installation alone: £200+ in API tokens. Not using it productively — just getting it set up and running.

Ongoing monthly cost for “full proactive assistant” usage: £240–600 per month.

That “free” open-source tool is not quite so free when you factor in the API bills.

And here is the scary part: there is no built-in spending limit.

If your automation gets stuck in a loop, or if you accidentally configure something that runs continuously, or if the AI decides it needs to do extensive research to complete your task… you will not know until the invoice arrives.

The Horror Story

One documented case involved a multi-agent system that entered a recursive loop. The AI kept calling itself to complete increasingly complex sub-tasks. For 11 days, this ran unnoticed. The final bill? $47,000 (roughly £37,000).

So… Should You Actually Use It?

Here is where I am going to differ from the “STAY AWAY” crowd.

Yes, OpenClaw has significant risks. But so did the early internet. So did cloud computing. So did giving your credit card to a website for the first time.

The agentic AI revolution is not going away. Every major tech company is now racing to build their version:

  • Anthropic released the Model Context Protocol (MCP), now adopted by 10,000+ servers
  • OpenAI shipped Codex with built-in sandboxing
  • Google launched Workspace Studio for building no-code agents
  • Microsoft embedded agent capabilities across Copilot

The global AI agents market is projected to grow from £6 billion in 2025 to £41 billion by 2030. Gartner predicts 40% of enterprise applications will embed task-specific AI agents by the end of 2026.

This is happening. The question is not whether you will engage with agentic AI. The question is how safely you will engage with it.

The “Embrace It Safely” Framework

Okay, let’s get practical. If you want to experiment with OpenClaw — or any agentic AI tool — here is how to do it without ending up in a security researcher’s horror story presentation.

1. Sandbox Everything (Seriously, Everything)

The Principle: Never run an AI agent on your primary machine with full system access.

Think of it like this: you would not give your house keys to a stranger you just met, no matter how helpful they seem. You might let them into the garden shed while you get to know them better.

Your Options:

| Approach | Difficulty | Cost | Protection Level |
|---|---|---|---|
| Docker Sandbox | Medium | Free | High |
| Dedicated Virtual Machine | Medium | Free | High |
| Cheap Cloud VPS | Easy | £5–20/month | Very High |
| Dedicated Raspberry Pi | Medium | £50–100 one-time | High |
| Old Laptop You Don’t Care About | Easy | Free (if you have one) | Very High |

The key principle: if the agent gets compromised, it should only damage a throwaway environment, not your real digital life.

OpenClaw’s configuration supports a sandbox mode. Enable it. Restrict filesystem access to a single project directory. Never expose ~/.ssh, password vaults, or global configuration files.

2. Lock Down the Network

The Principle: The agent should only be able to talk to things you explicitly allow.

Immediate Actions:

  • Bind to localhost only. In your configuration, set gateway.bind to “loopback”. This prevents the agent from being accessible from outside your machine.
  • Use an allowFrom list. Restrict which users can communicate with the bot.
  • Firewall port 18789. If you are running on a VPS, this is critical. Many of those 1,800+ exposed instances were simply people who forgot to configure their firewall.
  • Default deny, explicit allow. Only whitelist the domains the agent actually needs to reach.
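A small audit script for the lockdown steps above, added here as an example and not OpenClaw's own tooling. It assumes the gateway config is a dict with the `gateway.bind` and `allowFrom` keys the article names (the surrounding layout is an assumption) and checks listener state from `ss -ltn` output, which is constructed inline so it runs offline.

```python
"""Check an OpenClaw-style gateway for the two most common exposure mistakes:
a non-loopback bind and an empty allowFrom list, plus a live-listener check.
Added example; config layout and sample output are constructed assumptions."""

GATEWAY_PORT = 18789  # the port the article tells you to firewall

# Constructed sample: the weak configuration most exposed instances ran with.
WEAK_CONFIG = {"gateway": {"bind": "0.0.0.0", "port": GATEWAY_PORT, "allowFrom": []}}

# Constructed sample: the corrected configuration (loopback only, explicit allow list).
HARDENED_CONFIG = {"gateway": {"bind": "loopback", "port": GATEWAY_PORT,
                               "allowFrom": ["+441234567890"]}}

def audit_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    gw = cfg.get("gateway", {})
    findings = []
    if gw.get("bind") not in ("loopback", "127.0.0.1", "::1"):
        findings.append(f"gateway.bind is {gw.get('bind')!r}; set it to 'loopback'")
    if not gw.get("allowFrom"):
        findings.append("allowFrom is empty; anyone who reaches the gateway can talk to the agent")
    return findings

# Constructed `ss -ltn` output: one exposed listener on 18789, one correctly bound one.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:18789        0.0.0.0:*
LISTEN  0       128     127.0.0.1:18789      0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def exposed_listeners(ss_output: str, port: int = GATEWAY_PORT) -> list[str]:
    """Return local addresses where `port` is listening on a non-loopback interface."""
    exposed = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue
        local = line.split()[3]                 # e.g. 0.0.0.0:18789 or [::]:22
        addr, _, p = local.rpartition(":")
        if p == str(port) and addr not in LOOPBACK:
            exposed.append(local)
    return exposed

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "OK")
    print("exposed:", exposed_listeners(SAMPLE_SS))
```

On a real host, feed it the output of `ss -ltn` instead of the constructed sample; any address other than loopback on the gateway port is the condition those 1,800+ exposed instances were in.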

3. Set Spending Limits BEFORE You Start

The Principle: Decide how much you are willing to lose before you give the agent your API key.

Immediate Actions:

  • Set escalating alerts at £80, £400, and £800 on your Anthropic or OpenAI dashboard
  • Monitor rate-of-change — flag anything exceeding 3× your daily average to catch runaway loops early
  • Use cheaper models for routine tasks (Claude Haiku costs roughly £0.60 per million tokens) and reserve expensive models for complex reasoning
  • Consider this your “learning budget” — money you are prepared to spend on education, not productivity

Pro Tip: Calculate your expected cost before starting. If your agent runs 100 tasks a day, each consuming an average of 2,000 tokens, you are looking at roughly 6 million tokens per month. At Claude Sonnet rates, that is approximately £18/month. At GPT-4 rates, it is significantly more. Know your numbers.
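The budget arithmetic and the 3× rate-of-change check from this section, worked through as an added example (not from the article or OpenClaw). Prices are parameters: the article gives about £0.60 per million tokens for Haiku and its £18/month Sonnet figure implies about £3 per million; both are assumptions here, so plug in your provider's current rate.

```python
"""Monthly token estimate, escalating alert tiers and runaway-loop detection
for an API-billed agent. Added example; rates and the spend series are assumed."""
from statistics import mean

ALERT_TIERS_GBP = (80, 400, 800)   # the escalating alerts the article suggests
RUNAWAY_FACTOR = 3.0               # flag a day above 3x the trailing average
DAYS_PER_MONTH = 30

def estimate_monthly_tokens(tasks_per_day: int, tokens_per_task: int) -> int:
    return tasks_per_day * tokens_per_task * DAYS_PER_MONTH

def estimate_monthly_cost(tokens: int, gbp_per_million: float) -> float:
    return round(tokens / 1_000_000 * gbp_per_million, 2)

def alerts_crossed(cumulative_spend: float) -> list[int]:
    """Which alert thresholds the running total has already passed."""
    return [t for t in ALERT_TIERS_GBP if cumulative_spend >= t]

def runaway_days(daily_spend: list[float], window: int = 7) -> list[int]:
    """Indexes of days whose spend exceeds RUNAWAY_FACTOR x the mean of the
    previous `window` days. Day 0 has no history and is never flagged."""
    flagged = []
    for i in range(1, len(daily_spend)):
        baseline = mean(daily_spend[max(0, i - window):i])
        if baseline > 0 and daily_spend[i] > RUNAWAY_FACTOR * baseline:
            flagged.append(i)
    return flagged

# Constructed sample (GBP per day): a week of normal use, then a loop that
# keeps calling itself and would run unnoticed without the check above.
SAMPLE_DAILY_SPEND = [0.6, 0.7, 0.5, 0.6, 0.8, 0.6, 0.7, 9.4, 41.0]

if __name__ == "__main__":
    tokens = estimate_monthly_tokens(100, 2_000)          # the article's scenario
    print(tokens, "tokens/month")
    print("at ~£3/M (Sonnet, assumed):", estimate_monthly_cost(tokens, 3.0))
    print("at ~£0.60/M (Haiku, per article):", estimate_monthly_cost(tokens, 0.60))
    print("runaway on days:", runaway_days(SAMPLE_DAILY_SPEND))
    print("alerts crossed:", alerts_crossed(sum(SAMPLE_DAILY_SPEND)))
```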

4. Vet Every Skill You Install

The Principle: Community-contributed skills are convenient. They are also the primary attack vector.

Immediate Actions:

  • Never install skills with auto-update behaviour. You want to know exactly what code is running.
  • Check the publishing GitHub account. Is it older than one week? (This is now a built-in OpenClaw rule, but double-check anyway.)
  • Read the source code. Yes, really. If you cannot understand what a skill does, do not install it.
  • Use Cisco’s Skill Scanner. They released an open-source tool specifically for auditing OpenClaw skills: github.com/cisco-ai-defense/skill-scanner

5. Keep Humans in the Loop

The Principle: Not every action should require your approval, but some absolutely must.

Create Risk Tiers:

| Risk Level | Examples | Approval Required? |
|---|---|---|
| Low | Reading data, generating summaries, answering questions | No — let the agent auto-run |
| Medium | Sending emails, modifying files, posting to social media | Notification sent, but agent can proceed |
| High | Deleting data, making purchases, executing system commands, accessing credentials | Explicit human approval required |

The OWASP Top 10 for Agentic Applications (released late 2025, with input from 100+ security researchers) lists “Missing Human-in-the-Loop Controls” as its fourth most critical vulnerability.
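One way to enforce the three tiers in code, added here as an example and not OpenClaw's own approval mechanism. The action names and the approval callback are assumptions; the tier rules follow the table above, and anything unclassified is treated as high risk.

```python
"""A human-in-the-loop gate for agent actions: low runs, medium runs with a
notification, high runs only with explicit approval (default: refuse).
Added example; action names and the approve() callback are assumptions."""
from dataclasses import dataclass, field
from typing import Callable

LOW = {"read_email", "read_file", "summarise", "answer_question", "search_web"}
MEDIUM = {"send_email", "write_file", "post_social"}
HIGH = {"delete_file", "delete_email", "purchase", "run_shell", "read_credentials"}

def tier_for(action: str) -> str:
    """Unknown actions fall into the high tier: default deny, explicit allow."""
    if action in LOW:
        return "low"
    if action in MEDIUM:
        return "medium"
    return "high"

@dataclass
class Gate:
    # approve(action, args) -> bool is consulted only for high-risk actions.
    # The default always refuses, so an unattended agent cannot escalate.
    approve: Callable[[str, dict], bool] = lambda action, args: False
    notifications: list[str] = field(default_factory=list)
    audit_log: list[tuple[str, str, str]] = field(default_factory=list)

    def decide(self, action: str, args: dict) -> str:
        """Return 'run', 'run+notify' or 'blocked' and record the decision."""
        tier = tier_for(action)
        if tier == "low":
            outcome = "run"
        elif tier == "medium":
            self.notifications.append(f"{action} {args}")
            outcome = "run+notify"
        elif self.approve(action, args):
            outcome = "run"
        else:
            outcome = "blocked"
        self.audit_log.append((action, tier, outcome))
        return outcome

if __name__ == "__main__":
    # Constructed scenario: an injected instruction in an email asks the agent
    # to read a private key and mail it out. The summary runs, the credential
    # read is blocked, and the send proceeds only with a notification.
    gate = Gate()
    print(gate.decide("summarise", {"source": "inbox"}))
    print(gate.decide("read_credentials", {"path": "~/.ssh/id_ed25519"}))
    print(gate.decide("send_email", {"to": "someone@example.invalid"}))
    print(gate.audit_log)
```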

A Quick Gut-Check Before You Dive In

Before you install anything, ask yourself these questions:

1. What is the worst thing this agent could do with the access I am giving it?

Not “what will it probably do” — what is the absolute worst-case scenario? If you are not comfortable with that worst case, reduce the access.

2. Do I have a clear, specific use case?

“It seems cool” is not a use case. “I want to automate my email triage so I can focus on deep work in the mornings” is a use case. Start with one specific pain point, not a vague desire to “have an AI assistant.”

3. Can I afford to lose everything this agent can access?

If it can read your email, can you afford for those emails to be leaked? If it can access your files, can you afford for those files to be deleted? If you would not be comfortable with a stranger having that access, do not give it to an AI agent.

4. Have I set spending limits?

If the answer is “I’ll do that later,” stop. Do it now. Before you install anything.

5. Am I doing this because it solves a real problem, or because FOMO is driving me?

Be honest. There is no shame in waiting. The technology is not going anywhere. The security will only get better with time.

Where This Is All Going

Let me end on an optimistic note, because I genuinely am optimistic about this technology.

OpenClaw — for all its current risks — represents proof of concept. It proves that a single developer can build something that trillion-pound companies struggled to ship. It proves that the agentic AI future is not a distant dream; it is here, it works, and it is getting better rapidly.

The major AI companies are taking notice. The security community is developing frameworks and tools. The open-source community is iterating at incredible speed. Version 2.0 of OpenClaw will be more secure than 1.0. Version 3.0 will be more secure still.

This is the moment we are in:

Early enough that there are real risks you need to take seriously. Late enough that the core technology is genuinely useful. The window is open for those who want to experiment, learn, and build their skills before agentic AI becomes table stakes for everyone.

The Bottom Line

OpenClaw is not the answer to all your automation dreams. It is also not a security apocalypse waiting to happen.

It is a powerful tool that requires respect.

The people who will get the most value from this technology are not the ones who rush to install it after watching a hype video. They are the ones who take the time to understand what they are working with, set up appropriate guardrails, and start small.

Sandbox it. Lock it down. Budget for it. Vet what you install. Keep humans in the loop for anything that matters.

Do those things, and you can be part of the agentic revolution without becoming a cautionary tale.

Over to You

I would love to hear from you.

Have you tried OpenClaw (or ClawdBot, or MoltBot — depending on when you got involved)? What was your experience? Did you have an “oh no, what have I done?” moment?

Or are you watching from the sidelines, waiting to see how this all shakes out?

Join the conversation in our community channel — let’s figure out how to navigate this new world together. Because if there is one thing I know for certain, it is that none of us should be doing this alone.


What is one AI tool you are excited about but also slightly terrified of? Drop your thoughts below — I read every single comment.