The open-source AI agent that's been taking over tech Twitter has gone through three names in a week: Clawdbot, Moltbot, and now OpenClaw. It's hit 100,000+ GitHub stars, attracted 2 million visitors in a single week, and sparked serious security concerns along the way.
As a cybersecurity professional, I've been watching this unfold with a mix of fascination and concern. Here's what you need to know—and how to stay safe if you decide to run it.
What Is OpenClaw?
OpenClaw is an open-source, self-hosted AI assistant created by Peter Steinberger (@steipete), the Austrian developer who founded PSPDFKit. Unlike cloud-based AI assistants, it runs locally on your own hardware and integrates with messaging apps you already use.
Core Features:
- Runs on your own machine (Mac Mini, laptop, VPS, homelab)
- Connects to WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Teams
- Uses any LLM backend (Claude, GPT-4, local models)
- Full system access: shell commands, file read/write, browser control
- Persistent memory across conversations
- Can program its own extensions on request
The project launched in November 2025. According to the DEV Community, it went from ~5,000 to ~20,000 GitHub stars in less than two days. Andrej Karpathy praised it. David Sacks tweeted about it.
Source: DEV Community
The Rebrand Chaos
On January 27, 2026, Anthropic sent a trademark request. During the rename process, Steinberger made a critical mistake. According to his own posts:
Had to rename our accounts for trademark stuff and messed up the GitHub rename and the X rename got snatched in 10 seconds.
Crypto scammers grabbed the old @clawdbot handles on both X/Twitter and GitHub within seconds. The original accounts started pumping crypto scams to followers who didn't know about the rebrand.
As of January 30, 2026, the project has been renamed again to OpenClaw.
Source: DEV Community
The Security Vulnerabilities
1. Exposed Control Panels
Security researcher J.V. O'Reilly discovered that hundreds of Clawdbot instances were publicly accessible on the internet without authentication.
According to Bitdefender:
A recent investigation has uncovered hundreds of internet-facing control interfaces linked to Clawdbot... In multiple cases, access to these interfaces let outsiders view configuration data, retrieve API keys and browse full conversation histories.
Using Shodan, searching for Clawdbot Control returned exposed instances containing:
- API keys (Anthropic, OpenAI)
- Bot tokens
- OAuth secrets
- Full conversation histories
- The ability to send messages as users
Source: Bitdefender
2. Authentication Bypass
The Register reported:
The security vulnerability apparently arises from an authentication bypass when the gateway is operated behind an improperly configured reverse proxy.
Some deployments allowed unauthenticated command execution on the host system, in certain cases running with elevated privileges.
Source: The Register
3. Prompt Injection Attacks
Researcher Matvey Kukuy (CEO of Archestra AI) demonstrated a prompt injection attack:
In one demo, Kukuy sent a malicious email with prompt injection to a vulnerable Moltbot instance. The AI read the email, believed it was legitimate instructions, and forwarded the user's last 5 emails to an attacker address. It took 5 minutes.
Source: Trending Topics EU
4. Plaintext Secrets Storage
Hudson Rock researchers found:
Some of the secrets shared with the assistant by users were stored in plaintext Markdown and JSON files on the user's local filesystem.
If the host machine gets infected with infostealer malware, credentials are easily exfiltrated.
Source: The Register
5. Supply Chain Attack via Skills Library
O'Reilly published a proof-of-concept supply chain attack against ClawdHub:
He was able to upload a publicly available skill, artificially inflate the download count to more than 4,000, and watch as developers from seven countries downloaded the poisoned package.
Source: The Register
6. Infostealer Targeting
VentureBeat reported that malware authors added Clawdbot to their target lists within 48 hours of the security disclosures.
Source: VentureBeat
Understanding Prompt Injection
Prompt injection is the most dangerous attack vector against AI agents.
What Is It?
Prompt injection occurs when an attacker embeds malicious instructions in content that an AI will process. The AI cannot distinguish between legitimate user instructions and attacker instructions hidden in emails, documents, or web pages.
Why It's Dangerous for OpenClaw
OpenClaw has:
- Full system access — read/write files, execute shell commands, control browsers
- Always-on operation — monitors your messages 24/7
- Multi-platform integration — connected to email, messaging apps, calendars
- Autonomous action — can act without asking for confirmation
An attacker who successfully injects a prompt can make OpenClaw:
- Forward your emails to them
- Read and exfiltrate files
- Execute arbitrary commands on your system
- Send messages impersonating you
- Install additional software
The Project's Own Admission
There is no perfectly secure setup when operating an AI agent with shell access.
Prompt injection remains an unsolved industry-wide problem.
How to Protect Yourself
If you decide to run OpenClaw despite the risks, here's how to minimize your exposure:
1. Network Isolation
Never expose the control panel to the internet. Block external access to OpenClaw ports using UFW or iptables. Only allow localhost connections. If you need remote access, use a VPN or SSH tunnel.
2. Use IP Whitelisting
If you must allow remote access, only allow specific trusted IPs through your firewall.
3. Run Behind a Properly Configured Reverse Proxy
If using nginx, ensure X-Real-IP and X-Forwarded-For headers are set correctly, and add HTTP basic authentication.
4. Enable Docker Sandbox Mode
The documentation recommends sandbox mode for untrusted inputs. Enable this for ANY input source you don't fully trust.
5. Audit and Limit Integrations
Don't connect everything just because you can:
- Do you need email integration? Email is the #1 prompt injection vector
- Do you need group chat access? Groups expose you to untrusted users
- Do you need shell access? Consider disabling if not essential
Follow the principle of least privilege.
6. Rotate Credentials Regularly
Since secrets may be stored in plaintext:
- Use separate API keys for OpenClaw (not your main keys)
- Rotate them monthly or after any security incident
- Monitor API usage for anomalies
7. Monitor for Unusual Activity
Set up alerts for messages sent from your accounts that you didn't write, unusual API usage patterns, file access in sensitive directories, and outbound connections to unknown hosts.
8. Run on Isolated Hardware
Do not run OpenClaw on your primary machine. Use a dedicated Mac Mini, Raspberry Pi, separate VPS, or a VM with limited network access.
9. Verify Installed Skills
The skills library has no verification process. Don't trust download counts—they can be artificially inflated. Read the source code before installing any skill.
10. Keep It Updated
The team has shipped 34 security-related commits recently. Stay on the latest version.
The Bigger Picture
OpenClaw isn't unique—it's a preview of challenges facing all AI agents. The fundamental tension is:
Useful agents need access. Access creates risk.
This is why at RocketCore, our Prometheus platform takes a different approach. Our agent reports threats—it doesn't act on them. The decision to block an IP or alert a customer happens server-side, where it can be validated, logged, and audited.
There's a reason we don't give our agent shell access to customer systems. The attack surface is simply too large.
Key Takeaways
- OpenClaw is a real project by a respected developer with 100K+ GitHub stars
- Real vulnerabilities exist — exposed panels, auth bypass, prompt injection, plaintext secrets, supply chain attacks
- The architecture has inherent risks — full system access creates massive attack surface
- You can reduce risk with network isolation, sandboxing, credential rotation, and monitoring
- Prompt injection is unsolved — even the developers acknowledge this
- This is not for casual users — only run it if you understand the risks