
What Is OpenClaw? A Sober Look at the Viral Autonomous AI Agent

Audience: Mid-to-senior engineers interested in AI agents and security

Key Points

  • Known tech, new packaging: a gateway giving LLMs PC control. The novelty is in distribution, persistence, and ownership
  • Structural security risks: four attack surface categories with official Advisory analysis. Not "how to use safely" but "whether to accept the risk"
  • Enterprise impact is real: shadow AI adoption, detection queries, and a credential management playbook

TL;DR

  • OpenClaw is not a technical breakthrough. The architecture of giving LLMs system access is well-established
  • What's new is the packaging: using existing chat apps as UI, distributing capabilities via a skill marketplace, and running autonomously 24/7
  • If you try it, an isolated environment is mandatory. The official docs themselves state "There is no 'perfectly secure' setup"

In late January 2026, an open-source project called OpenClaw (formerly Clawdbot, then Moltbot) began accumulating GitHub stars at an extraordinary rate. By mid-February it had surpassed 180,000 stars and recorded 2 million visits in a single week.

On X, enthusiastic posts like "this changed my life" and "I have a secretary now" flooded timelines, while security researchers warned it was "dangerously insecure." Note that "Claws AI ($CLAWS)," which generated high-impression posts on X, is an unrelated cryptocurrency project — confusion between the two is common.

So what is it, what's actually new, and what isn't?

Note: this article is based exclusively on primary sources — the GitHub repository (including Security Advisories), official documentation, and security vendor reports from Kaspersky, Bitdefender, Bitsight, HiddenLayer, and others. Hands-on setup has not been performed; testing in an isolated environment is planned.


History of OpenClaw

A weekend side project reached 180,000 stars in three months — that growth rate alone speaks to the demand for AI agents.

Austrian developer Peter Steinberger (@steipete) started building it around November 2025 as "WhatsApp Relay." Steinberger is the founder of PSPDFKit, which he sold to Insight Partners in 2021 before retiring.

The project name changed multiple times in quick succession.

Timeline        | Name            | Reason
~Nov 2025       | WhatsApp Relay  | Initial personal project
Mid-Jan 2026    | Clawdbot        | Published as Claude + Claw portmanteau
Late Jan 2026   | Moltbot         | Renamed due to Anthropic's Claude trademark concerns
Early Feb 2026  | OpenClaw        | Current name. openclaw.ai is the official site

These frequent renames themselves created security risks. During the Clawdbot-to-Moltbot transition, Steinberger temporarily lost control of the GitHub Organization and X handle — attackers seized them within seconds. Although quickly recovered, each rename creates a window where "official accounts under the old name" are left dangling.

This structure is fertile ground for fake-official installation lures and supply chain attacks. The ClawHub skill contamination discussed later is a direct extension of this ecosystem's unstable trust bindings.

The name kept changing, but OpenClaw's technical architecture remained consistent throughout.


Architecture Overview

In a nutshell, OpenClaw is "a gateway that gives LLMs hands and feet to operate your PC."

[Messaging Channels]          [User]
  Slack / Discord / Telegram      |
  WhatsApp / iMessage             |
         |                        |
         v                        v
+--------------------------------------+
|          OpenClaw Gateway            |
|  +-------------+  +---------------+  |
|  |   Skills    |  |  Memory       |  |
|  | (plugins)   |  | (ClawVault)   |  |
|  +-------------+  +---------------+  |
|  +--------------------------------+  |
|  |       Tool Execution Layer     |  |
|  |  Shell / Browser / File / API  |  |
|  +--------------------------------+  |
+---------------+----------------------+
                |
                v
+--------------------------+
|    LLM Backend (choice)  |
|  Claude / GPT-4o / Gemini|
|  Ollama (local)          |
+--------------------------+

There are five main components.

Gateway is the core, running on Node.js 22.12.0+. It relays input from messaging apps to the LLM and converts LLM output into tool executions. By default it listens on port 18789/tcp, with the web interface (Control UI) designed for local-only access.

Skills are the plugin system. Community-created skills can be installed via ClawHub. A skill consists of a SKILL.md file (natural language instructions) plus bundled scripts — granting code execution privileges upon installation.

Memory (ClawVault) is a knowledge-graph-based long-term memory. It persists context across sessions and learns user habits and preferences.

Tool Execution handles shell commands, browser control, file I/O, and API calls. This is OpenClaw's "hands and feet" — and simultaneously its largest risk factor.

HEARTBEAT runs scheduled tasks at 30-minute intervals by default. It autonomously processes instructions written in HEARTBEAT.md. This shifts the model from "answer when asked" (passive) to "act on its own" (active). If an attacker rewrites this file, it becomes a persistent backdoor.

This architecture is a combination of existing technologies. So where did 180,000 stars come from?


What's New and What Isn't

If you had to summarize OpenClaw's evaluation in one line: "The tech is known; the packaging is new."

What isn't new

The concept of "giving an LLM PC control and having it autonomously execute tasks" is not unique to OpenClaw.

Project       | Release   | Overview
AutoGPT       | Mar 2023  | GPT-4-based autonomous agent. Similar viral moment occurred
Claude Code   | Feb 2025  | CLI tool where Claude generates and executes code in the terminal
Manus         | Mar 2025  | General-purpose AI agent including browser control
Computer Use  | 2024~     | PC operation APIs released by Anthropic, Google, etc.

OpenClaw's technical core is a simple "call LLM APIs and execute tools" structure. The creator himself acknowledged it was weekend-project scale.

Aikido noted that "it's not that Anthropic couldn't have built the same thing — they presumably chose not to due to security concerns." In other words, it's a risk judgment issue, not a capability issue.

AutoGPT went viral in a similar fashion in March 2023, but hit the practical utility wall due to GPT-4's performance limits at the time and rapidly faded. OpenClaw may have crossed the practical utility threshold thanks to improved LLM capabilities, but the security wall could serve as the same brake.

What's new: "Removing adoption barriers"

OpenClaw's novelty lies not in the technology itself, but in "who can start using it and how."

Replacing the on-ramp. ChatGPT and Claude.ai require users to come to a dedicated web interface. OpenClaw uses existing WhatsApp, Telegram, Slack, and iMessage as its UI. The AI agent goes to where users already are.

From passive to active. Traditional LLM applications are fundamentally passive — they answer when asked. OpenClaw's HEARTBEAT enables scheduled execution, autonomously processing tasks without prompting. This "always-on + periodic execution" model marks a qualitative shift from "AI assistant" to "AI agent."

Distribution via ClawHub. The emergence of a skill marketplace means individual customizations can be distributed across the entire community. This is the same "package registry" pattern as npm or PyPI — bringing both convenience and supply chain risk.

The sense of "ownership." Rather than "renting" a cloud service, the experience of "owning" an AI assistant on your own hardware resonated with the developer community. An IBM researcher described it as "the moment the community chose a personal AI assistant they own over renting a cloud service." The sense of control from ownership was the killer feature.

This novelty matters in two ways. As proof of concept, it demonstrated "what happens when you give an LLM hands and feet" in the most accessible way yet. With LLM capabilities far beyond the AutoGPT era, the level of practical utility is qualitatively different. As a market signal, 180,000 stars is strong evidence that the developer community wants to "own their AI locally rather than rent cloud AI."

However, the convenience of distribution and persistence is also the flip side of security risk.


Security Risks: The Reality

OpenClaw's security issues are not hype — they are structural facts. At the same time, the project serves as a "textbook" that condenses agentic AI security risks into real-world (not theoretical) examples. Prompt injection, supply chain attacks, and shadow IT problems are all concentrated in a single project.

The attack surface falls into four categories.

Surface 1: Exposure (open ports / misconfiguration)
  -> Default 18789/tcp, reverse proxy misconfiguration bypasses auth

Surface 2: Supply Chain (Skills)
  -> Unvetted ClawHub distribution, SKILL.md + scripts = executable payloads

Surface 3: Boundary Collapse (Control UI <-> Gateway API)
  -> Localhost-trust design, token theft via gatewayUrl

Surface 4: Prompt Injection (indirect commands + persistence)
  -> Command injection via external data, HEARTBEAT rewrite for persistence

Surface 1: Exposure

Numerous OpenClaw instances are publicly accessible on the internet without authentication.

OpenClaw's web interface is designed for localhost-only access and trusts connections that appear to come from 127.0.0.1. That trust is fragile: a reverse proxy running on the same host forwards external requests from 127.0.0.1, so a check that stops at "is the peer loopback?" cannot tell an external caller from a local one. Reverse proxy misconfigurations of this kind caused external requests to be treated as localhost in many cases.

Bitsight conducted internet-wide scans (18789/tcp) from January 27 to February 8, 2026, confirming the scope of the problem. Security researcher Jamieson O'Reilly successfully accessed Anthropic API keys, Telegram bot tokens, Slack accounts, and chat histories through exposed instances — ultimately achieving command execution with system administrator privileges.

Surface 2: Supply Chain (ClawHub Skill Contamination)

ClawHub's skill marketplace has effectively become a malware distribution channel. The root cause is inadequate static analysis and moderation at submission time.

Kaspersky's investigation (January 27 – February 1, 2026) identified over 230 malicious skills in one week. Bitdefender's scan found that approximately 20% of analyzed skills contained malware.

What matters more than the numbers is the mechanism. OpenClaw skills consist of "SKILL.md (natural language instructions) + bundled scripts," and code execution privileges are granted upon installation. Malicious skills disguised themselves as trading bots and financial assistants, bundling malware named "AuthTool." Targets included macOS Keychain data, browser passwords, cryptocurrency wallets, and cloud service credentials.

Bitdefender identified 14 accounts involved in posting malicious skills. Account hijacking and typosquatting (asleep123 → aslaep123) were also confirmed. The supply chain attack patterns repeatedly seen in npm and PyPI are being replicated in ClawHub.

Surface 3: Boundary Collapse

The localhost-based boundary design collapses with a single click. Multiple High-severity vulnerabilities stemming from this boundary have been reported in GitHub Security Advisories.

Advisory             | Severity     | Summary
GHSA-g8p2-7wf7-98mq  | High         | Auth token theft via gatewayUrl, enabling 1-Click RCE
GHSA-q284-4pvr-m585  | High         | OS command injection via sshNodeCommand project root path
GHSA-mc68-q9jw-2h3v  | High         | Command injection via PATH environment variable in Docker
GHSA-g55j-c2v4-pjcg  | (not listed) | Unauthenticated local RCE via WebSocket config.apply
GHSA-r8g4-86fx-92mq  | Moderate     | Local file inclusion via MEDIA path

The 1-Click RCE via gatewayUrl (GHSA-g8p2-7wf7-98mq) is particularly notable. An attacker only needs to trick a user into clicking a crafted URL — the authentication token is sent externally, granting full access to the Gateway API. A textbook example of "it's local so it's safe" collapsing with one click.

Surface 4: Prompt Injection

The most fundamental issue — and one with no current solution.

HiddenLayer researchers instructed OpenClaw to summarize web pages, including one embedded with a malicious prompt. This successfully triggered the download and execution of a shell script. They further demonstrated that appending commands to HEARTBEAT.md creates a persistent backdoor executing every 30 minutes.

On the extension of this attack surface lies Moltbook — a social network of OpenClaw agents. According to VentureBeat, Moltbook works by having agents execute external shell scripts to rewrite config files for participation. Context leakage is the default "admission requirement," and the prompt injection attack surface automatically expands through this structure.

VentureBeat calls this the "lethal trifecta." Read external data, extract information, execute actions. An agent combining all three is structurally vulnerable to semantic manipulation.

As long as agents process untrusted external data — emails, web pages, documents — prompt injection has no fundamental fix. OpenClaw's own documentation states it plainly: "There is no 'perfectly secure' setup."

The Security-Usability Tradeoff

Applying recommended security measures significantly degrades OpenClaw's usefulness.

Recommended Measure             | Lost Functionality
Bind Gateway to localhost only  | No external access
Docker sandboxing (read-only)   | Limited file operations
Disable shell/browser control   | Most "hands and feet" lost
Block external skills           | Disconnected from ecosystem
Restrict DMs to pairing mode    | Limited chat-app commands

Aikido summarizes it plainly: "Implement all of these, and OpenClaw becomes nearly useless as an assistant, losing most of what makes it fun." With security and usability in fundamental tension, the decision required is not "how to use it safely" but "whether to accept the risk."

This risk doesn't stay within personal use.


Enterprise Impact

OpenClaw has become impossible for enterprise security teams to ignore. It can't be dismissed as a personal hobby because infiltration into business environments has already begun.

OpenClaw as Shadow AI

Bitdefender's telemetry data confirms cases of employees installing OpenClaw on work machines and connecting it to corporate GitHub repositories, email, and Slack. VentureBeat noted that "enterprise security teams didn't deploy this tool, and firewalls, EDR, and SIEM alike failed to detect it." It sits in a blind spot of existing security stacks.

The blast radius exceeds typical shadow IT. Every service connected to OpenClaw becomes part of the attack surface if OpenClaw is compromised. Token Security's analysis states it "creates persistent non-human identities and access paths outside traditional IAM and secrets management." New access routes emerge beyond conventional security boundaries.

Operational Response

Outright bans alone lack effectiveness — employees will use personal devices. A realistic approach considers three lanes.

  • Ban lane: Explicitly prohibit OpenClaw execution on business machines and networks; detect and block
  • Exception lane: Permit research/evaluation use via application process with mandatory isolation requirements
  • PoC lane: Security team leads isolated environment setup for organizational risk assessment

Detection

Process name detection alone is insufficient; a layered approach is preferable.

Detection query examples (osquery)
-- 1. Process detection. The Gateway is a Node.js program, so the process
--    name is usually "node"; match the path and command line, not just the name.
SELECT pid, name, path, cmdline
FROM processes
WHERE name LIKE '%openclaw%' OR cmdline LIKE '%openclaw%' OR path LIKE '%openclaw%'
   OR name LIKE '%moltbot%'  OR cmdline LIKE '%moltbot%'  OR path LIKE '%moltbot%'
   OR name LIKE '%clawdbot%' OR cmdline LIKE '%clawdbot%' OR path LIKE '%clawdbot%';

-- 2. Default port 18789/tcp listening, joined to the owning process.
--    protocol 6 = TCP; address '0.0.0.0' or '::' means reachable beyond localhost.
SELECT l.pid, p.name, p.cmdline, l.port, l.address, l.protocol
FROM listening_ports l
JOIN processes p ON p.pid = l.pid
WHERE l.port = 18789 AND l.protocol = 6;

-- 3. Communication with ClawHub, etc. (network/proxy logs, not osquery)
-- Target domains: openclaw.ai, clawhub.com, github.com/openclaw

Key and Credential Management

API keys and tokens connected to OpenClaw should follow these principles:

  • Issue OpenClaw-specific credentials; never reuse existing business keys
  • Issue with minimum-privilege scope (read-only if sufficient)
  • Use short-lived tokens with regular rotation (90 days or less recommended)
  • Pass via environment variables; never hardcode in config files
  • On uninstall, rotate all credentials for connected services

OX Security's report confirmed cases where credentials persisted on machines after uninstallation.


Latest Developments

The situation is moving rapidly. Here are the key events verified through primary sources.

Steinberger Joins OpenAI (Feb 14, 2026)

OpenClaw's creator Peter Steinberger announced on his blog that he is joining OpenAI. His stated goal: "My next mission is to build an agent that even my mum can use." OpenAI CEO Sam Altman also confirmed the hire on X. OpenClaw will transition to a foundation structure and remain open source, with OpenAI as a sponsor. (Sources: steipete.me, TechCrunch, CNBC)

China MIIT Issues Security Advisory (Feb 5, 2026)

China's National Vulnerability Database (NVDB), operated by the Ministry of Industry and Information Technology, flagged OpenClaw security risks. The advisory cited elevated risks under default configurations, potential for prompt-induced misuse and data leakage, and recommended auditing public network exposure, implementing robust authentication, and strengthening access controls. This is not an outright ban, but a formal warning. South Korea has issued similar restrictions. (Sources: CGTN, OpenSourceForU)

VirusTotal Integration for ClawHub (Feb 8, 2026)

OpenClaw partnered with Google-owned VirusTotal to scan ClawHub skills. Each skill gets a SHA-256 hash checked against VirusTotal's database; unknown skills are analyzed using VirusTotal Code Insight. Benign skills are auto-approved, suspicious ones get warnings, and malicious ones are blocked. VirusTotal's own analysis of 3,016+ skills found hundreds of malicious ones, including 314 from a single threat actor. The maintainers explicitly cautioned that this is "not a silver bullet" — cleverly concealed prompt injection payloads may evade detection. (Sources: VirusTotal Blog, The Hacker News)


Should You Try It?

If trying it (personal dev / evaluation)

If you can set up an isolated environment, it's worth trying.

Environment isolation:

  • Never run on business machines or personal production environments
  • Prepare a dedicated isolated environment (VPS, Raspberry Pi, dedicated VLAN) with network segmentation from production

Execution restrictions:

  • Enable Docker sandboxing with a read-only workspace
  • Limit ClawHub skill installation to manually reviewed ones; disable automatic external skill fetching

Authentication and communication:

  • Use throwaway accounts for connected messaging apps
  • Issue OpenClaw-specific API keys with minimum privileges via environment variables
  • Restrict egress traffic to block unintended external transmissions

If these measures feel like too much trouble, it's safer not to try it at this point.

If not trying it but need to prepare (ops / security teams)

You may not use it yourself, but your organization likely needs to respond — this may be the more common scenario.

  • Set up detection: Monitor across three layers — process names, 18789/tcp listening, and ClawHub communication (see osquery examples in the Enterprise Impact section)
  • Provide an exception request path alongside the ban policy. A ban alone just pushes usage to personal devices
  • Audit credentials assuming it may already be installed. OX Security's report confirmed cases where credentials persisted on machines after uninstallation

The project is only a few months old. The security framework is being rapidly developed, but the official documentation stating "there is no 'perfectly secure' setup" is where things stand.


Conclusion

What OpenClaw made visible is the fact that mass adoption of agentic AI began before the security primitives were in place. The next OpenClaw will inevitably appear. The question is how much of the security foundation the industry can build before that happens.

Action Checklist

Detection

  • Monitor process names (openclaw / moltbot / clawdbot)
  • Detect 18789/tcp listening
  • Detect communication to openclaw.ai / clawhub.com

Isolation (if trying it)

  • Network segmentation from business networks
  • Enable Docker sandboxing (read-only)
  • Disable automatic external skill fetching

Credentials

  • Issue OpenClaw-specific keys with minimum privileges
  • Pass via environment variables (never hardcode in config files)
  • Rotate all connected service credentials on uninstall
