Security experts are expressing concern about OpenClaw

OpenClaw is an AI agent designed to act as a personal assistant, managing your email, calendar, social media accounts, and more, all from a messaging app like WhatsApp or Signal. Although it has gained a lot of popularity – at the time of this writing it has more than 180,000 stars on GitHub – many security experts recommend caution.
Giving an AI agent access to your sensitive accounts may allow it to act as a personal assistant, but it also opens you up to greater risk.
In a recent episode of the SD Times podcast, Jeff Malnick, GM of engineering and AI at 1Password, said that so far most experiments with AI agents have been limited to the domain of software engineers who have an understanding of how systems work, but the popularity of OpenClaw has allowed agentic AI to escape the software development bubble.
“People go out, download it, run it, and get all these productivity benefits, but what they don’t realize is that this is a self-destructive rootkit for your machine,” he said. “People don’t understand that it has access to your file system, so if you have clear information, any text files, anything on your system, OpenClaw can access it.”
For example, if you are a developer, that might be your `.aws` directory with your credentials in it or your `.ssh` directory with your SSH key in it.
“Of course you wouldn’t give any stranger on the street access to your laptop, but in reality most people who have done it are powering their devices and they don’t know that’s what’s going on,” he said.
Ben Marr, a security engineer at the exposure management organization Intruder, echoed that sentiment, saying that OpenClaw “prioritises ease of use with secure configuration by default,” and non-technical users can easily deploy it and connect it to sensitive accounts without thinking about security.
“There are no enforced security requirements, no verification of authentication, and no sandboxing of untrusted plugins. This is not a theory – we see an active exploit. If you ever have an event with automatic configuration, consider compromise and act accordingly,” he said.
Marijus Briedis, chief technology officer at NordVPN, said that among the problems with OpenClaw are that malware spreads through community-created capabilities in its marketplace and that, as with other agents, prompt injection is possible. “Because OpenClaw can read your emails and messages, a malicious actor can do things that steal the agent’s behavior, essentially arming your AI assistant against you,” he said.
He explained that the first step to using OpenClaw securely is to ensure that it is not exposed to the public Internet by setting up a secure tunnel to access it, rather than using an open port. Apart from that, it is also important to configure OpenClaw permissions to lock down which services it can access.
“If you’re not confident in your ability to secure hosted deployments, consider the risks outweigh the benefits,” said Briedis.
1Password’s Malnick added that anyone who wants to test OpenClaw despite the risks should sandbox it and isolate its resources as much as possible. He advised people to create new accounts for it to access instead of existing personal accounts, and to use them with dedicated hardware.
Additionally, follow the old advice not to trust software you download from the Internet. “Even if it says it’s going to do X, it’s probably going to do Y, so just approach everything with a zero trust philosophy,” he said.
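The two exposure points raised above, credential files such as `.aws` and `.ssh` that an agent running as your user can read, and a service listening on an open port rather than behind a tunnel, can be checked before an agent is started. The Python script below is an added example, not code from OpenClaw or from anyone quoted in this article; the credential path list and the sample socket table are assumptions constructed for illustration, and it reads the Linux `/proc/net/tcp` format on a little-endian host.

```python
import ipaddress
import os
import socket
import struct
from pathlib import Path

# Assumed list of common plaintext credential locations; only .aws and .ssh
# are named in the article. Extend it for your own setup.
SENSITIVE = (".aws/credentials", ".ssh/id_rsa", ".ssh/id_ed25519",
             ".netrc", ".kube/config")

# Constructed sample in /proc/net/tcp format (ports are made up, not OpenClaw's).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000
   1: 00000000:4A38 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000
"""

def readable_secrets(home):
    """Return the SENSITIVE files under `home` that the current user can read."""
    home = Path(home)
    return [rel for rel in SENSITIVE
            if (home / rel).is_file() and os.access(home / rel, os.R_OK)]

def parse_listeners(table_text):
    """Return (ip, port) for every IPv4 socket in LISTEN state (st == 0A)."""
    listeners = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":  # skips header and non-LISTEN rows
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a native 32-bit integer, so on a
        # little-endian host the bytes appear reversed (0100007F = 127.0.0.1).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return listeners

def exposed_listeners(table_text):
    """Listeners bound to anything other than loopback, e.g. 0.0.0.0."""
    return [(ip, port) for ip, port in parse_listeners(table_text)
            if not ipaddress.ip_address(ip).is_loopback]

if __name__ == "__main__":
    print("readable secrets:", readable_secrets(Path.home()))
    table = Path("/proc/net/tcp")
    text = table.read_text() if table.exists() else SAMPLE
    print("non-loopback listeners:", exposed_listeners(text))
```

IPv6 listeners live in `/proc/net/tcp6` and are not covered here. A listener on `0.0.0.0` is reachable from every interface, so whether it is reachable from the Internet still depends on the host's firewall and network.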



