In brief: A new local AI assistant first popularized under the name "Clawdbot" is experiencing a surge in popularity because it fulfills many of the promises made by prior smart assistants and AI agents. However, its impressive range of capabilities requires full access to the user's device, files, and login credentials – and security researchers have found gaping vulnerabilities.
OpenClaw, previously named Moltbot and, before that, Clawdbot, is an open-source AI agent that runs locally on users' machines and autonomously interacts with websites, reads and writes files, and accesses email accounts. Fans of the assistant have used it to manage schedules, book flights, perform research, reorganize email inboxes, and perform many more tasks that previously required direct human input.
Furthermore, using OpenClaw can be much more intuitive than ChatGPT, Copilot, or Gemini, as it doesn't feature a traditional chat window. Instead, users send messages to it through WhatsApp, Telegram, Discord, Slack, Signal, or iMessage as if it were a human contact.
The agent supports most Windows, macOS, and Linux devices, but the installation process is intended for power users. After it connects to the LLM of the user's choice, such as Claude (the inspiration for its original name), Gemini, or GPT, OpenClaw can assemble briefings, retain information between sessions, and even expand its own capabilities based on user commands.
However, accessing this impressive range of functionality requires users to grant the agent unfettered access to their files, apps, and login credentials. Some have given it the power to make purchases by handing over their credit card details.
Alarmingly, OpenClaw has few protections against cyberattacks. Creator Peter Steinberger admits the agent is not a polished product and that users should understand the risks.
For example, the assistant is just as vulnerable to prompt injection attacks as other AI tools, so hijacking it could grant hackers total control over a target device and the user's accounts. Furthermore, the assistant's connection to chat apps might make this shockingly easy – other contacts in chatrooms could message OpenClaw to perform actions on the device where it's installed.
To make matters worse, at least one security researcher discovered that the agent can leak crucial information to the open internet, potentially exposing conversations and login credentials. Researchers at security company Token found that one-fifth of its clients currently use OpenClaw, possibly without approval from IT departments.
Anyone who installs OpenClaw is strongly advised to practice robust sandboxing. At the very least, running it on a dedicated device or virtual machine is far safer than exposing a user's primary machine and accounts to it.
