In the fast-evolving world of AI, few projects have grabbed attention like OpenClaw. Launched in November 2025 by Austrian developer Peter Steinberger, OpenClaw is an open-source AI agent that quickly became a breakout success in the AI world, amassing over 2 million visitors in a single week.
But what exactly is it?
Unlike traditional AI assistants that simply generate text, OpenClaw functions as an autonomous agent: it can interpret goals, interact with tools, and carry out tasks on your behalf.
Essentially, where tools like ChatGPT wait for prompts and respond, OpenClaw acts until it believes the task is done.
People are using OpenClaw to clear thousands of emails in days, deploy code from their phones, and even run entire businesses through Telegram messages. For many, it delivers the AI assistant experience they’ve always dreamed of. But this power comes with serious trade-offs.
How does it work?
OpenClaw operates as a fully autonomous agent. Unlike ChatGPT, which waits for prompts, OpenClaw can:
- Interpret goals
- Take actions across apps and systems
- Execute tasks continuously until completion
Its architecture includes:
- Agent Core: the “brain” managing conversations, state, and task execution.
- Channel Adapters: integration points for Slack, Telegram, email, WhatsApp, and more.
- Skill Engine: thousands of modular skills for tasks like sending emails, fetching web data, or running code.
- Sandbox (Optional): a restricted environment to safely execute code, though many users disable this for full functionality.
Why is OpenClaw dangerous?
While its capabilities have captivated many, OpenClaw's security model has become a central point of discussion, because OpenClaw wasn't built with security in mind. Creator Peter Steinberger developed the initial version (then called WhatsApp Relay) over a single weekend. The project launched with insecure defaults: early versions bound the gateway to 0.0.0.0:18789, that is, to every network interface rather than localhost only, exposing tens of thousands of cloud instances to the internet.
Security researchers quickly uncovered alarming issues:
- Hundreds of malicious skills in ClawHub
- Tens of thousands of exposed instances leaking credentials
- Zero-click attacks via Google Docs
Specifically:
- Broad Permissions and Attack Surfaces: Because OpenClaw can access local files, accounts, and messaging platforms and execute commands, it requires broad permissions, which become a direct risk if misconfigured. Thousands of instances have been found publicly accessible on the internet with weak or no authentication, creating potential entry points for attackers.
- Unvetted Skill Ecosystem: Community-shared skills hosted on platforms like ClawHub have been shown to contain vulnerabilities or even intentional malware.
- Prompt Injection and Malware Concerns: OpenClaw can interpret data from messages or documents and act on it. This means that hidden instructions embedded in trusted sources (prompt injections) can trigger unwanted behaviors.
One researcher, Paul McCarty, found malware in ClawHub within two minutes and identified 386 malicious packages from a single threat actor. When contacted, Steinberger admitted that security “isn’t really something that he wants to prioritise.”
OpenClaw now comes with a warning label: “There is no ‘perfectly secure’ setup.” Steinberger has partnered with VirusTotal and added Jamieson O’Reilly as lead security advisor, but many risks remain inherent to the design.
Is it possible to make OpenClaw safe?
For those willing to take the risk, several precautions can help reduce exposure:
- Limit the gateway to localhost so it’s not accessible externally
- Run OpenClaw in a Docker sandbox with read-only workspace access
- Require authentication tokens and pairing codes for every connection
- Disable risky tools like shell execution, browser control, and web fetching
- Only allow pre-vetted skills, blocking external or unverified code
- Rotate API keys regularly and avoid storing them in plain config files
- Enable detailed logging and set up real-time alerts for suspicious activity
- Operate OpenClaw on a dedicated, isolated machine separate from sensitive systems
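One way to verify the first precaution on a Linux host is to audit what the gateway port is actually bound to. The script below is an added example, not code from the original article or from the OpenClaw project: it assumes the default port 18789 mentioned above and the column layout of `ss -ltn`, and the sample output it parses is constructed.

```python
"""Flag gateway listeners on port 18789 that are reachable from other hosts."""
import ipaddress
import re

GATEWAY_PORT = 18789  # default port named in the article

# Constructed sample of `ss -ltn` output: one loopback-only listener on the
# gateway port (safe), one IPv4 wildcard and one IPv6 wildcard (exposed),
# plus an unrelated service that must be ignored.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:18789      0.0.0.0:*
LISTEN  0       128     0.0.0.0:18789        0.0.0.0:*
LISTEN  0       128     [::]:18789           [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
"""

# Local Address:Port is either "[v6addr]:port" or "v4addr:port" (or "*:port").
_LOCAL = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return (bind_address, port) for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        m = _LOCAL.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") or m.group("v4")
        listeners.append((addr, int(m.group("port"))))
    return listeners


def is_externally_reachable(addr):
    """True if a bind address accepts connections from other hosts."""
    if addr == "*":
        return True  # ss prints "*" for a dual-stack wildcard bind
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unrecognised form: fail closed and report it
    return ip.is_unspecified or not ip.is_loopback


def exposed_gateway_listeners(ss_output, port=GATEWAY_PORT):
    """Bind addresses on `port` that are not limited to localhost."""
    return [addr for addr, p in parse_listeners(ss_output)
            if p == port and is_externally_reachable(addr)]
```

On a live host, pipe the real output in (`ss -ltn | python3 audit.py` after reading stdin) and treat any non-empty result as a finding to fix before the gateway is left running.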
The downside? These safeguards significantly limit what the agent can do. Remove internet access, restrict write permissions, and curb autonomy, and OpenClaw essentially loses its appeal.
The future of OpenClaw
OpenClaw shows no signs of disappearing anytime soon. Its promise is undeniable: automating repetitive work across emails, messaging apps, and workflows, so you can wake up to completed tasks instead of staring at an endless to-do list.
That said, the underlying challenge remains. AI agents must interact with untrusted content to be truly effective, which means prompt injection and system access vulnerabilities can’t be fully eliminated.
For now, manual task management remains the safest choice.
Want guidance on securing workflows and mitigating risks? Get in touch today to see how we can support you.
📧 info@istormsolutions.co.uk
📞 01789 608708