Indeed, as a cutting-edge technological marvel, it’s undeniably impressive. However, so is hurtling down the highway at 100 miles per hour without a seatbelt – an action I would strongly advise against.
Credit: Summit Art Creations/ Shutterstock
Moltbot, the advanced open-source AI “sidekick” previously known as Clawdbot, has recently undergone a rebrand to OpenClaw and has since exploded in popularity. It emerged rapidly to become the first AI agent to achieve viral status, accumulating 70,000 GitHub Stars in just a single month.
Its creator, Peter Steinberger, asserts that it is “the AI that actually does things.”
While many AI chatbots and agents perform various functions – sometimes imperfectly, it’s true – they can achieve genuine tasks when used with care.
OpenClaw’s distinctive feature is its capability to execute real-world operations on your behalf. Unlike cloud-based solutions, this agent runs directly on a user’s own hardware, frequently on Mac minis, but it’s also compatible with Windows, Linux, or other systems. Internally, it interfaces with one or more large language models (LLMs) via an application programming interface (API), offering a suite of “channels” and “tools” that allow it to observe and interact with your digital life: managing emails, running shell commands, web browsing, organizing travel itineraries, and operating your applications.
The initiative first launched as Clawdbot, a local AI agent characterized by a cartoon space lobster mascot named Clawd, and was integrated with Anthropic’s Claude models through a variety of “skills” and connectors.
Through these applications, users typically communicate with OpenClaw by articulating tasks in natural language, such as “clear my inbox,” “book my flight,” or “summarize my meetings.” Beneath the surface, the agent employs channels to receive these instructions and tools to carry them out, translating AI reasoning from Claude and other models into tangible actions like checking you in for flights, generating or modifying code, synchronizing calendars, or initiating scripts and dashboards.
A significant aspect of OpenClaw’s allure is its persistent memory. It utilizes files such as USER.md and IDENTITY.md to store personal information about you and the agent’s own identity. This functionality allows it to recall preferences, past assignments, and ongoing projects, making it feel more like an enduring colleague than a temporary chatbot. The expanding community ecosystem of “skills” on GitHub further enhances these capabilities, ranging from browser automation and automatic updates to specialized workflows for documentation, research, and coding.
This all sounds fantastic! Feel free to search online for demonstrations of individuals performing clever feats with it; you’ll find numerous examples. There’s even a “social” network for these bots, called Moltbook, where agents frequently behave foolishly (much like many human social networks I can recall) and occasionally exchange tips and tricks.
However, there are a few minor, yet critical, issues. To perform genuinely useful tasks such as reserving a hotel room, arranging pizza delivery, or decluttering your email inbox, it requires access to your name, password, credit-card number – and all the other sensitive details that any malicious actor would also desire.
Do you understand the implications? OpenClaw represents a significant security vulnerability, offering utility only up to the point where all your vital data vanishes.
As Cisco articulated, “Security for OpenClaw is an option, but it is not built in.” The product’s own documentation concedes: “There is no ‘perfectly secure’ setup.” Granting an AI agent unfettered access to your data (even if local) is an invitation to disaster should any configurations be improperly managed or compromised.” Furthermore, as the AI security firm Synk emphasizes, “If there’s one security concern that keeps AI security researchers up at night, it’s prompt injection. This vulnerability class represents perhaps the largest attack surface for any AI agent connected to external data sources, which, by definition, includes personal AI assistants that read emails, browse the web, and process messages from multiple channels.”
Let me be absolutely clear: Using OpenClaw is ill-advised.
If you’re determined to experiment with it, confine it to a securely isolated virtual machine so it cannot access any – and I mean any – of your personal or work-related data. Do not provide it with any of your private information. Yes, it will be considerably less functional, but this is the sole method to ensure its safe usage. Otherwise, you are simply inviting a hack, and when that occurs, OpenClaw will be largely powerless, if not entirely useless, in rectifying the ensuing chaos.
Generative AIArtificial IntelligenceSecurity
