Clawdbot users are snapping up Mac Minis like they're going out of style. The open-source AI assistant, now called OpenClaw after two trademark-related name changes, has rocketed to over 100,000 GitHub stars in a matter of days. Tech enthusiasts are calling it "JARVIS for the real world." Some are dedicating entire machines just to run it 24/7.

Yet, most users do not realise under the friendly AI assistant managing their inbox, it routinely runs with access to API keys, bot tokens, OAuth secrets, filesystem permissions, and sometimes root-level execution inside containers.

And security researchers have just discovered hundreds of exposed OpenClaw gateways leaking all of it to the open internet.

What is OpenClaw, and why is everyone talking about tt?

OpenClaw (formerly Clawdbot, briefly Moltbot) is an open-source AI personal assistant that runs locally on your hardware. Unlike cloud-based AI assistants, it lives on your machine, your Mac Mini, your Linux server, your VPS, and connects to your messaging apps like WhatsApp, Telegram, and Signal.

The promise is compelling: an AI that actually does things. It can clear your inbox, manage your calendar, check you in for flights, negotiate car prices, and even build entire websites - all through a chat interface you already use.

But that power comes at a cost.

To do all of this, OpenClaw needs deep system access: shell commands, file system read/write, browser automation, and persistent storage of your credentials, as well as connection to other tools that live in the cloud (e.g. Google docs, cryptos, bank access etc).

The security wake-up call

In late January 2026, security researchers began sounding the alarm. What they found was sobering.

Hundreds of OpenClaw gateways were found exposed on the public internet, many without any authentication whatsoever. Through these open doors, anyone with the right URL could access configuration files containing Anthropic API keys, Telegram bot tokens, Slack OAuth credentials, and months of private chat histories.

One researcher documented an instance where a user had set up their Signal messenger account on a publicly accessible server, with pairing credentials sitting in globally readable temporary files. Another found an AI software agency's OpenClaw server running with root privileges, allowing unauthenticated users to execute arbitrary commands on the host system.

The CEO of one AI security firm demonstrated the severity by extracting a cryptocurrency private key from a compromised system via prompt injection, in under five minutes.

The situation is rapidly growing, with the latest Shodan search showing almost 5,000 exposed gateways.

The skills marketplace: A malware free-for-all

The security problems extend beyond misconfigured gateways. OpenClaw's extensibility comes from "skills" (community-created plugins) hosted on the ClawHub registry. But researchers at OpenSourceMalware.com found the registry has become a hunting ground for attackers.

Their investigation uncovered over 230 malicious skills currently live on ClawHub, with no evidence that skills are scanned by any security tooling before being listed. Many of the payloads were visible in plain text in the first paragraph of the skill files. The malicious skills largely target crypto users, posing as trading tools for platforms like Polymarket and Bybit, then tricking victims into downloading malware disguised as "authentication tools."

Our CEO's Take

Bethany Ayers, CEO of Metomic, captured the tension many leaders are feeling:

"The learner in me wants to spin one up immediately. This is the stuff I got into tech for, the thrill of something genuinely new, the feeling of the ground shifting under your feet. It reminds me of the early internet days when we were all just building things and figuring it out as we went.

The CEO in me is watching people give an AI root access to their machines - connecting it to corporate email, calendar, sensitive documents - and thinking: we cannot have a major security breach.

Both responses are correct. And that's the problem.

Tech is outpacing governance again. Just like 1999. Except now the stakes are your entire data estate."

Safety Tips: How to use OpenClaw without getting burned

If you're determined to try OpenClaw, as many people are, here's how to do it as safely as possible.

Tip 1: Use a dedicated device with no work data

Never install OpenClaw on your primary work or personal computer. The ideal setup is a dedicated Mac Mini or similar device that contains zero sensitive information, no corporate documents, no saved passwords, no financial data.

Many security-conscious users are running OpenClaw in virtual machines or containers using tools like Proxmox or Docker. This creates an isolation layer that limits the blast radius if something goes wrong.

Tip 2: Keep sandboxing enabled

OpenClaw includes sandboxing features designed to limit what the AI can access and execute. Keep these on. Don't disable them for convenience - that convenience comes at the cost of your security.

Tip 3: Use strong, unique authentication

If you must expose your OpenClaw gateway beyond localhost, enable password authentication immediately. Use a strong, unique password you don't use anywhere else. Better yet, use OAuth 2.1 for all connections and never treat authentication as optional.

Tip 4: Disable high-risk tools unless absolutely necessary

OpenClaw comes with powerful tools like shell execution, web browsing, and web fetching. Unless you have a specific, legitimate need for these capabilities, disable them. Every enabled tool is an additional attack surface.

For chat-only personal assistants with trusted input and no tools, the risk profile is much lower. Adjust your configuration accordingly.

Tip 5: Keep your gateway bound to Localhost

By default, OpenClaw's gateway binds to the local loopback interface, meaning only local clients can connect. Some users reconfigure this to access their agent remotely, and that's where the exposures happen.

If you must access OpenClaw remotely, use Tailscale or Cloudflare Tunnels instead of binding to a public interface. Never expose an unauthenticated gateway on 0.0.0.0.

Tip 6: Review any third-party skills before installing

OpenClaw's extensibility is part of its appeal, community-created "skills" can add new capabilities. But this is also a major attack vector.

Security researchers tested a popular skill called "What Would Elon Do?" and found it was functionally malware: it exfiltrated data to external servers, used prompt injection to bypass safety guidelines, and executed commands without user awareness.

Always review skills before installing. Check the source code. Look for network calls, encoded commands, or anything that seems suspicious. When in doubt, don't install.

Tip 7: Never connect your main email, calendar, or messaging accounts

One of OpenClaw's selling points is integration with your email and calendar. But connecting your primary work email to an AI agent with shell access is asking for trouble.

If you want to experiment with these features, create dedicated test accounts. Use throwaway email addresses. Never connect accounts that contain sensitive corporate communications or personal data.

Tip 8: Give specific, well-defined instructions

Vague or open-ended instructions create opportunities for unexpected behavior. Instead of telling OpenClaw to "clean up my inbox," specify exactly what you want: which folders, which criteria, what actions.

The more specific your instructions, the less room for the AI to interpret, or misinterpret, your intent.

Tip 9: Require human approval for high-risk actions

Configure OpenClaw to require manual confirmation before executing sensitive operations: sending emails, deleting files, making purchases, or any financial transactions. Never allow automated actions that could cause irreversible harm.

Tip 10: Run regular security audits

OpenClaw includes a built-in security audit tool. Use it:

openclaw security audit --deep


This scans your configuration for common exposures and misconfigurations. Run it regularly, especially after making changes to your setup.

Tip 11: Rotate credentials immediately if you've been exposed

If you suspect your OpenClaw instance has been compromised (or if you're not sure) assume the worst. Rotate every credential that touched your setup: API keys, authentication tokens, OAuth secrets, secure keys, and any channel credentials.

Tip 12: Stay updated

The OpenClaw team is actively working on security improvements. Keep your installation current to benefit from the latest patches and hardening measures.

The bottom line

OpenClaw represents something genuinely new: consumer-grade AI agents that can take real-world actions on your behalf. The potential is extraordinary. But so are the risks.

Even the official OpenClaw documentation acknowledges that "there is no absolutely secure configuration" when running an AI agent with shell access.

If concepts like reverse proxies, trusted headers, and privilege separation are unfamiliar to you, OpenClaw probably isn't ready for you yet or you're not ready for it.

For everyone else: proceed with caution, follow these safety tips, and remember that the thrill of early adoption comes with the responsibility of early risk.

‍

Appendix: Sources

1. Hundreds of Exposed Clawdbot Gateways Leave API Keys and Private Chats Vulnerable CyberSecurityNews https://cybersecuritynews.com/clawdbot-chats-exposed/
2. Personal AI Agents like OpenClaw Are a Security Nightmare Cisco Blogs https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare
3. Clawdbot Skills Ganked Your Crypto OpenSourceMalware.comhttps://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
4. From Clawdbot to OpenClaw: When Automation Becomes a Digital BackdoorVectra AI https://www.vectra.ai/blog/clawdbot-to-moltbot-to-openclaw-when-automation-becomes-a-digital-backdoor
5. OpenClaw (Moltbot/Clawdbot) Use Cases and Security 2026 AIMultiple Research https://research.aimultiple.com/moltbot/
6. ClawdBot AI Security Guide: Vulnerabilities, Known Hacks, Fixes, and Essential Protection Tips https://medium.com/@gemQueenx/clawbot-ai-security-guide-vulnerabilities-known-hacks-fixes-and-essential-protection-tips-5c1b0cdb9d99
7. The Sovereign AI Security Crisis: 42,000+ Exposed OpenClaw Instances Maor Dayan https://maordayanofficial.medium.com/the-sovereign-ai-security-crisis-42-000-exposed-openclaw-instances-and-the-collapse-of-1e3f2687b951
8. Moltbot Security Alert: Exposed Clawdbot Control Panels Risk Credential Leaks and Account Takeovers Bitdefende rhttps://www.bitdefender.com/en-us/blog/hotforsecurity/moltbot-security-alert-exposed-clawdbot-control-panels-risk-credential-leaks-and-account-takeovers
9. OpenClaw surge exposes thousands, prompts swift security overhaul AI CERTs News https://www.aicerts.ai/news/openclaw-surge-exposes-thousands-prompts-swift-security-overhaul/
10. Clawdbot: Hyped AI agent risks leaking personal data, security experts warn Trending Topics EU https://www.trendingtopics.eu/clawbot-hyped-ai-agent-risks-leaking-personal-data-security-experts-warn/
11. Security - OpenClaw (Official Documentation) https://docs.openclaw.ai/gateway/security