OpenClaw AI Explained: 200K GitHub Stars but 20% Malware

Posted on by

There is this open source project on GitHub right now. More than 200,000 stars growing every single day. It’s an AI agent that runs on your machine, connects to your WhatsApp, your Slack, your email, your calendar, and it just does things for you while you sleep.

Sounds amazing, right? Well, security researchers just found out that 20% of its plug-in marketplace is malware, and Meta just banned it internally.

So today, let’s break down what OpenClaw actually is, how it works under the hood, and why it might be the most dangerous project on GitHub right now.

Let’s get started.

All right, so let’s start with the basics.

What is OpenClaw?

Most AI tools you have used, Chat, GPT, Cloud, Gemini, they work like this. You ask a question, you get an answer. It’s a back and forth. You type a response.

Open Claw flips that.

It’s not a chatbot. It’s a self-hosted AI agent that runs on your machine, your laptop, a VPS, a Mac Mini, and it connects to the LLM of your choice.

Could be cloud, could be a GPT, could be deepseec.

The model doesn’t matter.

What matters is what OpenCloud builds around it.

It gives the model access to your file system, your terminal, your browser, your messaging apps, be it WhatsApp, Telegram, Discord, Slack, Signal, even iMessage.

And then it just runs.

It can send you a message at 3:00 a.m. saying, “Hey, I noticed your staging server was running low on dispace. So I cleaned it up and post the new build.”

Now, this was built by a solo developer from Austria. Started as a weekend side project in November 2025. By late January, it had 100,000 GitHub stars in 48 hours.

And just last week, OpenAI hired him.

Sam Hartman called him a genius and said OpenClaw will become core to our product offerings.

So clearly something interesting is happening here architecturally.

So here is what I want you to understand.

Think about the AI tools you already use.

Cloud code, GitHub copilot, chat GPT.

They are great at I prompt agents act iterate right?

You type something, it does something. You go back and forth.

But what they can’t do is act on their own.

Nothing happens unless you type something first or you say something first.

So to go from that a foreground agent to something that’s always on, always watching, always acting, you really only need two things.

First, autonomous invocation.

The agent needs a way to wake up and do things without you typing.

Could be a chron job that runs every hour.

Could be a web hook like whenever I get an email from my boss, summarize it and send it to my Slack.

Second, persistent state.

Every time the agent wakes up, it can’t start from scratch.

It needs to remember what happened before, what tasks are pending, what your preferences are, what it did yesterday.

That’s it.

Those two primitives are what separate a chatbot from an autonomous agent.

Everything else, the multiplatform support, the fancy UI, the plug-in system, that’s all nice to have.

But the core delta is just these two things.

Now, let’s see how open claw actually implements this.

Open claw has four layers and if you studied system design these patterns are going to look very familiar.

Layer one, the gateway.

This is the central nervous system.

It’s a websocket server running locally on your machine.

Every messaging platform, WhatsApp, Telegram, Discard connects through this single point.

It normalizes all incoming messages into a unified format.

Think of it as message broker plus orchestrator.

Layer two is the reasoning layer.

This is where the LLM sits.

OpenClaw takes your instructions, merges them with available context and system state into what they call a megaprom and sends it to whatever model you have configured.

It manages token budgets, context windows, model selection all per session.

Layer three is the memory system.

And this is where it gets really interesting from a system design perspective.

Open claw doesn’t use a vector database.

It stores everything in plain markdown files on disk.

Session logs, user preferences, semantic memories, all just files.

And now here is the clever part.

When your context window gets full, because remember LLM have limited context, open claw has a compact command that summarizes everything and writes it to disk.

But before it compacts, it runs a write durable notes step first.

If you have studied databases, you will recognize this pattern immediately.

It’s basically write ahead logging.

You persist the important stuff before you throw anything away.

Same principle just apply to AI memory instead of database transactions.

So think of it this way.

The context window is your RAM.

The files on desk are your storage.

And the compact operation is like virtual memory paging.

RAM is limited.

Disk is large.

And paging decides what comes back when you need it.

Layer four skills and execution.

This is where OpenClaw actually does things.

Run shell commands, executes Python scripts, control your browser, calls APIs.

Skills are defined in plain English markdown files and there is a marketplace called Claw Hub with over 10,000 community contributed skills.

One more thing worth noting, session isolation.

Each conversation channel gets its own isolation session.

Your WhatsApp context doesn’t leak into your Discord context.

Background jobs run in isolated Docker containers.

Same pattern as process isolation in an operating system.

Without it, an always on agent becomes an always confused agent.

So the architecture is actually elegant.

Event loops, durable state, process isolation.

These are the same patterns that make operating systems and databases work.

Open clause just applies them to AI agents.

Let me walk you through a real attack that was discovered in January.

So remember how the gateway is a websocket server?

Well, it wasn’t validating the origin header on incoming websocket connections.

Here is what that means in practice.

An attacker sets up a web page, just a normal looking website with some hidden JavaScript.

You click a link, maybe it came in an email, maybe someone posted in your Discord and you visit this web page.

The JavaScript on that page opens a websocket connection to your locally running OpenCloud gateway.

And because there is no original validation, the gateway accepts it.

It thinks it’s legitimate connection.

The attacker script grabs your gateway authentication token.

Game over.

They now have full access to your open claw instance.

They can read your messages, execute commands on your machine, access any service your agent is connected to.

This entire chain from clicking a link to full compromise takes milliseconds.

No passwords needed, no authentication bypass, just one click.

Now that CVE was patched, but it exposed a deeper structural problem.

OpenClaw has a plug-in marketplace called Claw Hub.

Over 10,000 skills contributed by the community.

And security researchers audited it and what they found was not great.

Over 800 malicious skills.

That’s roughly 20% of the entire marketplace.

Most of them came from one coordinated campaign.

They were disguised as popular useful tools, productivity helpers, coding assistants, API integrations.

But under the hood they were stealing data.

Specifically, they were delivering a Mac OS info stealer that grabs your credentials, API keys, browser sessions, everything.

Now, let me show you what’s at stake.

When an info steelers targets OpenClaw specifically, it goes after three files.

First, open claw JSON.

This has your gateway authentication token.

With this, an attacker can connect to your instance remotely if your port is exposed.

Second, device JSON.

This has cryptographic keys used for secure pairing.

And third, and this one is wild, soulm.

This is the file that defines your agents personality, behavior guidelines, and operational rules.

An attacker who modifies this file can fundamentally change how your agent behaves without you noticing.

And it gets worse.

Independent scans found over 30,000 Open Claw instances exposed on the public internet.

Many of them running on the default port.

No authentication, credentials stored in plain text files.

In fact, six more vulnerabilities were disclosed just yesterday.

Server side request forgery, path traversal, authentication bypasses.

Meta banned open claw internally.

And honestly, that’s probably the right call for most organizations right now.

Now, after all of that, you might be thinking, should I just stay away from this completely?

Not necessarily.

If you are a developer and you want to experiment with openclaw, you absolutely can.

You just need to treat it the way you treat any service that has full access to your digital life.

With extreme caution.

Rule number one, never run it on your personal machine directly.

Use a dedicated VPS or better yet run the entire thing inside Docker containers.

And this is the key insight.

Open Claw actually supports two-layer container isolation.

The gateway runs in one container and each agent’s execution, the shell commands, the scripts, the file operations runs in a separate sandbox container.

That sandbox has no network access, a readonly file system and memory limits.

So if the agent does something stupid, it destroys its own little sandbox, not your whole system.

Even better, if you want to go a step further, use Podman instead of Docker.

Here’s why.

Docker runs a demon as root.

If an attacker somehow escapes the container, they are root on your host.

Game over.

Pod man is rootless.

No demon, no root.

If someone escapes, they land as an unprivileged user.

Much smaller blast radius.

Rule number two, bind the gateway to local host only.

Never expose port 18789 to the internet.

That alone would have prevented most of those 30,000 exposed instances we talked about.

If you need remote access, put a reverse proxy in front with TLS and proper authentication.

Rule number three, vet every skill before you install it.

Don’t just browse CloudHub and install things blindly.

Read the source code.

Run the security scanner.

Remember, 20% of that marketplace is malware.

There is actually a built-in command, Open Cloud Doctor, that checks for risky DM policies, misconfigured sandboxes, missing authentication.

Run it.

Take it seriously.

In a normal app, you worry about SQL injection, XSS, auth bypasses.

With an autonomous agent, the threat model explodes.

Every integration is an attack surface.

Every plug-in is untrusted code running with your permissions.

The agent acts as you with your identity.

We are going to see a lot more of this as agents become mainstream.

So that’s open claw.