OpenClaw is the open-source AI agent that went viral in early 2026: a free assistant that runs on your own computer, connects to WhatsApp or Telegram, and actually does things — reads mail, manages files, runs code, browses the web. Within months it became one of the most-starred projects on GitHub.
It’s also the clearest warning yet about what happens when powerful agents meet careless installation. Security researchers found that roughly 12% of the skills on its official marketplace were malicious, a supply-chain campaign pushed over a thousand poisoned add-ons, and a one-click remote-code-execution flaw had to be emergency-patched. Both things are true at once: genuinely useful tool, genuinely serious risks.
This guide explains what OpenClaw does, what the documented dangers are, and how to try it without handing your digital life to strangers.
What OpenClaw actually does
Unlike ChatGPT or Gemini, which live on a company’s servers behind a chat box, OpenClaw runs on hardware you control — a laptop, a home server, a cheap mini PC. You talk to it through messaging apps you already use, and it plugs into an AI model (typically via an API key you provide) to decide what to do.
Its power comes from “skills”: community-made add-ons that teach it new tricks, published on a marketplace called ClawHub. There are skills for calendars, smart homes, trading dashboards, code deployment — thousands of them. The project started life under a different name (it launched as Clawdbot, briefly became Moltbot, then settled on OpenClaw after trademark trouble), which tells you how fast and chaotically it grew.
That local-first design is the appeal: no subscription, no data silo, an assistant that remembers everything because the memory files sit on your disk. It’s the same agent-plumbing idea behind open standards like MCP and A2A, taken to its do-it-yourself extreme.
The documented security problems
OpenClaw’s risks aren’t hypothetical. Within weeks of the project going viral, researchers published hard numbers:
- Malicious skills at scale. Investigations found 341 confirmed-malicious skills out of 2,857 on ClawHub — about 12% of the registry — with polished documentation and innocent names like wallet trackers. A wider campaign dubbed ClawHavoc pushed over 1,100 malicious skills disguised as productivity, crypto and coding tools, delivering infostealers and keyloggers on Windows and macOS.
- A one-click takeover flaw. CVE-2026-25253 allowed remote code execution via a malicious link through the control interface. It was patched in version 2026.1.29 — anyone running older builds stayed exposed.
- Thousands of exposed installs. Internet scans found over 21,000 OpenClaw instances reachable from the public internet, many with weak or missing authentication. An exposed agent that can read your messages and run code is an open door, as IBM’s X-Force analysis spells out.
- Prompt injection everywhere. Because the agent reads emails and web pages, attackers can hide instructions inside that content. Researchers found injection weaknesses in around a third of tested skills — and traditional antivirus caught none of the malicious payloads.
Risk vs reality: what each threat means
| Risk | What it means for you | Main defence |
|---|---|---|
| Malicious skills | A “helpful” add-on steals passwords or crypto keys | Install few skills; read their code or skip them |
| Exposed instance | Strangers on the internet command your agent | Never port-forward it; keep it on localhost/LAN |
| Prompt injection | A booby-trapped email tricks the agent into acting | Limit what accounts and tools it can touch |
| Old versions | Known, published exploits work on you | Update immediately, every time |
| Over-permissioning | One compromise cascades into everything | Dedicated accounts, no banking or main email |
How to try OpenClaw safely
Security researchers converge on the same checklist, and Kaspersky’s assessment is blunt: treat it as unsafe by default and contain it. If you still want to experiment, contain the blast radius:
- Isolate it. Run it in a virtual machine, a container, or on a spare machine — never your daily laptop with your password manager and tax PDFs on it.
- Give it burner accounts. A fresh email address and a separate messaging number. Never your primary Google account, and never anything connected to banking or UPI.
- Start with zero skills. The base agent is useful on its own. Every ClawHub skill you add is third-party code with your agent’s permissions; add them only after reading what they do.
- Keep it off the internet. Access it from your own network only. If you need remote access, use a VPN like Tailscale or WireGuard rather than exposing a port.
- Update on day one, every release. The RCE patch shipped before public disclosure; slow updaters were the victims.
- Watch the spend. The agent burns paid API tokens with every action — set a hard monthly cap on your API key so a runaway loop can’t empty your card.
Who should skip it entirely
If you wouldn’t be comfortable reinstalling your operating system after something goes wrong, OpenClaw isn’t for you yet. The project is improving fast — marketplace scanning got stricter after ClawHavoc, and VirusTotal integration now screens uploads — but this is enthusiast software that assumes you understand what you’re wiring it into. For most people, the sane way to get value from AI today is a hosted assistant used well — see our guide to using AI as a thinking partner — not an autonomous agent with shell access.
Common questions, answered
Is OpenClaw itself malware?
No. The core project is legitimate open source under active development. The danger comes from malicious third-party skills, misconfigured installs, and the inherent risk of giving any autonomous agent broad access.
Is it free?
The software is free. The AI model behind it usually isn’t — you supply an API key (Anthropic, OpenAI or others) and pay per use. Active agents can cost real money monthly, so set spending caps.
Can I run it on a phone?
Not natively — it wants a computer that stays on. Many users run it on a mini PC or a small cloud server and talk to it from their phone via WhatsApp or Telegram.
Would antivirus protect me?
Mostly no. The documented malicious payloads were designed to slip past scanners, and prompt-injection attacks aren’t files at all. Isolation and minimal permissions are the real protections.
Bottom line
OpenClaw is the most interesting AI project of 2026 and one of the riskiest things you can casually install. If you’re technical, curious and disciplined about isolation, it’s a fascinating look at where personal AI is heading. If you just want AI to be useful day to day, you don’t need to take these risks yet — and definitely don’t need to take them on the laptop you do your banking from.

