OpenClaw Explained: The Viral AI Agent’s Surge and Security Risks

By: Brian Rowe
28 May, 2026
11 min read
The tool operates with broad system privileges and autonomous execution capabilities, demonstrating how natural language can directly control real systems.

OpenClaw, a “weekend project” that became a viral sensation, continues to gain in popularity despite mounting security concerns and increasing compute constraints across the AI platforms it relies on. 

Introduced on GitHub in November 2025 as Clawdbot (then renamed Moltbot and OpenClaw), this free, open-source agentic AI tool has quickly become one of the most discussed autonomous AI agents in the market. Developers are experimenting with it. Novices are installing it. And cybersecurity firms and major platforms are sounding alarms. 

Let's discuss what OpenClaw is, how it works, why it exploded in popularity and what enterprises need to know before it shows up on their networks. We’ll also discuss how to protect your organization from risk. 

What is OpenClaw? 

OpenClaw is a self-hosted, open-source AI agent designed to execute tasks on your behalf. It runs locally on your machine and connects to generative AI models, such as ChatGPT, Gemini, Claude, Grok and DeepSeek, to power its actions. 

Chatbots vs. agents

Traditional AI chatbots are conversational. You enter a prompt, get a response and act on it yourself. Ask a chatbot to clean your inbox and it will explain how you should do it, but execution is left to you. When you close the tab, the chatbot is gone.

OpenClaw is different. It doesn’t explain. It acts. It performs the cleanup for you, keeps working until the job is done, and retains memory across sessions. An AI agent is AI-powered software that can interpret instructions, make decisions and take actions autonomously. It:

  • Understands a goal (e.g., “organize my inbox”)
  • Decides which tools or data sources are needed
  • Executes tasks using connected systems (files, apps, APIs, scripts)
  • Returns results and continues to act until the objective is achieved

How does OpenClaw work?

OpenClaw functions as a powerful gateway or universal connector that allows a single AI agent (that can now generate subagents) to operate across your devices, apps and platforms, regardless of operating system. You interact with OpenClaw through the messaging apps you already use, like WhatsApp, Telegram, Discord, Slack, Signal, iMessage, Microsoft Teams, Gmail and others. 

You just text OpenClaw on a chat platform and ask it to do something. It interprets your natural language instructions, and the AI agent responds or carries out your instructions within that same conversation. 

The agent: 

  • Interprets your intent
  • Plans the required steps
  • Executes actions across connected systems
  • Evaluates the results
  • Continues until the goal is complete. 

This is agentic AI in practice. The assistant follows you across apps and works proactively around the clock. 

What access does OpenClaw need?

OpenClaw requires broad permissions to:

  • Access, read and write local files
  • Integrate with your APIs
  • Integrate with your messaging, productivity, social media, automation, smart home and creative platforms
  • Run commands or scripts
  • Manage and control emails, tasks and workflows using automation

Those permissions enable OpenClaw to do things like:

  • Read, organize and send emails
  • Manage your calendar
  • Write or modify files
  • Conduct web searches and fill out forms
  • Check you in for flights 
  • Set price alerts
  • Execute scripts and interact with APIs

There are lots of use cases. OpenClaw takes multi-step actions with minimal guidance and retains memory across sessions. Because OpenClaw is open source and MIT-licensed, developers continually extend its capabilities by building new “skills” and integrations, which have expanded rapidly, reaching tens of thousands by April 2026. 

The official openclaw.ai site emphasizes that the software runs locally and keeps data private “by default.” That local-first model is part of the appeal, and it is also a key source of risk. When choosing community skills, proceed carefully. Threat actors target open-source ecosystems, and not every skill is what it claims to be. 


OpenClaw’s meteoric rise and troubles

  • November 2025: Peter Steinberger releases Clawdbot on GitHub as an open-source autonomous AI agent. 
  • December 2025: Clawdbot gains viral traction across developer communities
  • January 2026: Rapid rebranding after Anthropic asks Steinberger to rename the project because its name is too similar to Claude. “Moltbot” is chosen as the new name, but soon after it is changed to “OpenClaw.” 
  • February 2026: OpenClaw surpasses 200,000 GitHub stars in under three months and reaches 250,000 shortly after. The ecosystem expands rapidly, with thousands of community-built “skills” and integrations.
  • February 2026: Security researchers begin publishing findings on exposed deployments and potential security risks. Major platforms begin restricting certain forms of OpenClaw use. New releases and patches come out rapidly to address security vulnerabilities.
  • February 14, 2026: OpenClaw creator Steinberger announces he is joining OpenAI, showing a commitment to the broader autonomous AI agent paradigm.
  • April 4, 2026: Anthropic announces that Claude Pro and Max subscribers can no longer apply their flat-rate subscription usage to third-party agent frameworks like OpenClaw. To continue using OpenClaw and similar tools with Claude, users must switch to a separate pay-as-you-go (extra usage) billing model, signaling growing platform pushback against high-consumption third-party agent workloads.

Why did OpenClaw go viral so quickly? 

OpenClaw went viral because it delivers the long-awaited ability for everyday users to have a personal AI assistant that takes action. AI chatbots are great for drafting, summarizing and answering questions. But the user must copy, paste, send, schedule, upload or execute the results. OpenClaw eliminates the time-consuming execution. 

A single chat message prompts the AI agent to handle the rest using connected systems. The interactions feel simple and effortless since they happen inside apps you already use. OpenClaw is a novelty, but that’s not the only reason for growth and attention. Five structural factors accelerated adoption: 

1. Natural-language agentic automation. Users automate digital workflows by typing a command. The agent executes, then reports back. Developers can delegate scripting tasks. Knowledge workers can offload administrative processes without building complex automation pipelines. Power users can custom build without complex code. 

2. Open-source transparency. Anyone can download, modify and extend OpenClaw. Developers can inspect the code, modify it and build plugins and custom skills to extend capabilities. In this case, the community expanded OpenClaw’s functionality faster than almost any other recent GitHub project. 

3. Self-hosted architecture. Running locally appeals to users who want their data to stay on their personal hardware rather than entirely in the cloud. The promise of greater control over your data and how you configure the tool continues to be a huge draw.


4. AI-model flexibility. OpenClaw is model agnostic. It connects to multiple AI models, freeing users from being locked into a single provider. You can experiment with different models and cost structures to find the right fit for your budget and performance needs.

5. Integrates with existing workflows. You don’t need to learn a new interface since OpenClaw operates inside your existing messaging platforms. 

Where the risk begins: Emerging security issues

The same features that make OpenClaw powerful create exposure. Enterprises are rightfully wary because OpenClaw has access to private data (messages, files, credentials and even stored payment information). And just because your data is local doesn’t mean hackers can’t find ways in. OpenClaw operates with elevated permissions. It retains credentials, executes code and interacts with external input. Those factors combined expose significant security risks that OpenClaw has begun to address. 

Elevated system permissions and exposed deployments

OpenClaw typically runs locally with broad read/write access to files, connected services and credentials. Tools with this level of privilege must be hardened (reduce the attack surface and vulnerabilities) and sandboxed for isolation, something OpenClaw still doesn’t do by default. However, its sandbox capabilities were recently improved, adding the ability to run OpenClaw in a Cloudflare Sandbox. If misconfigured, OpenClaw can access files, credentials and system resources beyond what typical sandboxed applications allow. 

Security analysts warn that poorly isolated installations can bypass traditional defensive controls. There are already reported stories of exposed instances discoverable on public networks due to weak authentication or improper deployment. 

In February 2026, SecurityScorecard, a global enterprise that rates cybersecurity risk, initially reported 40,000+ instances of OpenClaw agents being exposed to the internet due to misconfiguration.

Later scans by the organization’s STRIKE Threat Intelligence team showed exposures quickly surpassed 135,000 instances across dozens of countries, with a significant amount flagged as vulnerable to remote code execution (RCE). SecurityScorecard provides a continuously updated view of exposed attack surfaces on the declawed.io dashboard.

So the OpenClaw agent becomes a new attack surface inside the organization. Systems connected to it might be vulnerable to RCE by threat actors. “When OpenClaw runs with permissions to email, APIs, cloud services or internal resources, an RCE vulnerability can become a pivot point. A bad actor does not need to break into multiple systems. They need one exposed service that already has authority to act,” the SecurityScorecard article stated. 

Similarly, cybersecurity company Bitsight found 30,000+ instances of exposure in a 12-day analysis of OpenClaw. “Because of its omnipotent control over whatever you integrate with, OpenClaw is a huge security and privacy risk for the naïve user,” wrote Joao Crux, Principal Security Research Scientist at Bitsight. The issue is not with agentic AI itself, but how it is deployed. 

Prompt injection: When execution amplifies risk

OpenClaw interacts with external content, which opens the door to prompt injection attacks. All agentic AI systems are vulnerable to prompt injection attacks. 

So, if OpenClaw unknowingly processes maliciously crafted instructions that are embedded in emails, documents or web content, those instructions translate into harmful actions since OpenClaw is designed to execute. 

Demos show how agents are manipulated into performing unintended actions. It’s one thing when the harmful actions are limited to a single machine. In an enterprise setting, the problem becomes more serious. A cleverly disguised instruction in an email or document could escalate into a script execution or data modification that has system-level consequences. For this reason, we recommend enterprises do not allow the use of OpenClaw until such issues are resolved. 

Malicious skills and supply chain problems

OpenClaw’s “skills” ecosystem creates another risk surface. To extend capabilities, you need to download skills and integrations. But security researchers identified hundreds of skills and add-ons that masquerade as legitimate tools. Such malware can steal credentials and enable remote access you don’t want. This introduces a supply-chain attack vector (a pathway hackers use to gain access to a system). The takeaway is that you should vet skills carefully before downloading.

Real-world security incident raises questions

In February 2026, Meta’s director of AI alignment reported that an OpenClaw agent deleted more than 200 emails from her inbox, despite her trying to intervene. The AI agent ignored explicit commands to confirm actions before execution. The problem reportedly didn’t stop until someone cut power to the machine. The cause wasn’t explained (configuration issues, misunderstood instructions or execution errors), but the incident went viral, demonstrating that autonomous agents move faster than users anticipate, and there are very limited ways to interrupt them. 
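The prompt-injection section above and the inbox-deletion incident point at the same mitigation: a confirmation rule that lives in code outside the model, not in the prompt the model may ignore. The following is an added example, not OpenClaw's own code; the tool names, the "source" tag and the delete cap are assumptions for the example.

```python
"""Added example (not OpenClaw's own code): a policy gate between the model's
proposed tool calls and their execution. Destructive calls need a human
approval recorded by the gate itself, calls derived from external content
(an email body, a fetched web page) are never allowed to be destructive,
and every decision is written to an audit log."""
import json
import time
from dataclasses import dataclass, field

# Tools grouped by blast radius. Names are assumptions for the example; a
# real agent framework would map its own tools into these tiers.
READ_ONLY = {"search_mail", "read_file", "web_search"}
DESTRUCTIVE = {"delete_mail", "send_mail", "write_file", "run_shell"}
MAX_DELETES_PER_RUN = 20  # hard cap, independent of what the model asks for


@dataclass
class Gate:
    approvals: set = field(default_factory=set)  # human-approved exact calls
    deletes: int = 0
    audit: list = field(default_factory=list)

    def _key(self, tool, args):
        return tool + ":" + json.dumps(args, sort_keys=True)

    def approve(self, tool, args):
        """A human approves one specific call (tool plus exact arguments)."""
        self.approvals.add(self._key(tool, args))

    def check(self, tool, args, source="user"):
        """Return (allowed, reason). `source` records whether the call came
        from the user's own message or from content fetched during the task."""
        verdict = self._decide(tool, args, source)
        self.audit.append({"ts": time.time(), "tool": tool, "args": args,
                           "source": source, "allowed": verdict[0],
                           "reason": verdict[1]})
        return verdict

    def _decide(self, tool, args, source):
        if tool not in READ_ONLY | DESTRUCTIVE:
            return False, "unknown tool"
        if tool in READ_ONLY:
            return True, "read-only"
        # External content is data, never instructions: no destructive call
        # may be derived from it, whatever the model was told.
        if source != "user":
            return False, "destructive call derived from untrusted content"
        if self._key(tool, args) not in self.approvals:
            return False, "needs explicit human approval"
        if tool == "delete_mail":
            n = len(args.get("ids", []))
            if self.deletes + n > MAX_DELETES_PER_RUN:
                return False, "delete cap exceeded"
            self.deletes += n
        return True, "approved"


def run_agent_step(gate, proposed):
    """Dispatch only the calls the gate allows; return the tools that ran."""
    executed = []
    for call in proposed:
        ok, _ = gate.check(call["tool"], call["args"], call.get("source", "user"))
        if ok:
            executed.append(call["tool"])  # real tool dispatch would go here
    return executed
```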

Platform warnings and account restrictions

Platforms that host AI services and integrations are pushing back to regain control. Microsoft posted a Feb. 2026 warning about OpenClaw’s limited built-in security controls and advised that OpenClaw should be deployed only in a fully isolated environment, use non-privileged credentials and access only non-sensitive data. 

“OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation,” Microsoft’s warning said.

“Running OpenClaw is not simply a configuration choice. It is a trust decision about which machine, identities and data you are prepared to expose when the agent processes untrusted input. For most environments, the appropriate decision may be not to deploy it,” according to the Microsoft Security blog.


Agent-generated traffic and unauthorized access patterns are also creating new challenges for infrastructure providers. In February, Anthropic and Google began issuing warnings and suspended some heavy-usage users who connected OpenClaw to the flat-rate Claude or Gemini subscriptions, citing heavy token consumption and policy violations. 

A Google DeepMind engineer wrote on X that Google saw “a massive increase in malicious usage of the Antigravity backend that tremendously degraded the quality of service for our users.”

On April 4, 2026, Anthropic stopped allowing Claude Pro and Max subscribers to use their flat-rate subscription limits with third-party agent frameworks like OpenClaw. Users can still connect OpenClaw to Claude models, but they must switch to a separate pay-as-you-go, metered billing model (API keys or add-ons) or use Anthropic’s native Claude Code/Cowork tools. Anthropic said the change was driven in part by infrastructure constraints and the strain that autonomous agent traffic places on shared capacity. 

Steinberger commented on X, “Both me and @davemorin tried to talk sense into Anthropic, best we managed was delaying this for a week. Funny how timings match up, first they copy some popular features into their closed harness, then they lock out open source.”

The move reflects a broader shift where providers are beginning to limit how third-party agent frameworks consume shared resources, especially when usage patterns deviate from typical human interaction. 

What this means for enterprises

Put aside the back and forth. If you’re an enterprise, your main concern might be whether an employee running OpenClaw on a personal device can expose your enterprise. The answer is maybe. It depends on how OpenClaw is configured. If the agent connects to your enterprise email, internal APIs or corporate credentials, it unintentionally becomes a gateway into your systems. 

If the employee’s installation lacks proper isolation, or is compromised or misconfigured, the impact is not limited to one user. It can expose the data and infrastructure behind them. Security experts warn that AI agents running with persistent credentials further increase the attack surface. Not every installation is dangerous, but governance matters.

OpenClaw deployments are being detected on corporate networks outside formally sanctioned projects. Agents with system access may appear as “shadow AI,” making them risky from a forensic standpoint. Infostealer malware has been observed specifically targeting OpenClaw configuration data to exfiltrate keys, tokens and credentials. 


The core danger is the execution layer. A chatbot that generates text has a limited blast radius. An autonomous AI agent that executes commands across systems does not. It acts quickly, retains credentials and operates across platforms. All of these introduce risk that compounds. Errors can happen. Malicious inputs can escalate, and a single misconfiguration can turn into systemic exposure. A personal AI agent on your network without governance quickly morphs from a productivity tool into an attack surface. 

Steinberger’s response to security concerns

Steinberger has publicly acknowledged the security criticism of the project, which was then less than three months old. He posted on X that OpenClaw is a free, open-source project, not a hardened enterprise platform. “The amount of crap I get for putting out a hobby project for free is quite something. People treat this like a multimillion-dollar business. . . . And yes, most non techies should not install this. It's not finished, I know about the sharp edges.”

On Feb. 7, Steinberger announced a partnership with VirusTotal to provide security scanning for skills in OpenClaw’s marketplace. Each is assigned a scan status. “We’ve already seen documented cases of malicious actors attempting to exploit AI agent platforms. We’re not waiting for this to become a bigger problem.” Steinberger clarified that a “clean scan doesn’t mean a skill is safe. . . . Start with publishers you trust.” 
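The supply-chain section above and the VirusTotal note here describe the same install-time decision: a clean scan is necessary but not sufficient, and publisher trust matters. The following is an added example of that vetting logic, not OpenClaw's own code; the manifest fields, capability names, scan statuses and publisher allowlist are assumptions for the example, not OpenClaw's real skill format.

```python
"""Added example, not OpenClaw's own code: an install-time vetting routine for
a community skill. It refuses the skill unless the publisher is on an
allowlist, the scanner verdict is clean, the archive hash matches a pinned
value, and the skill's code uses no capability the manifest did not declare.
Manifest fields, capability names and scan statuses are assumptions."""
import hashlib
import re

TRUSTED_PUBLISHERS = {"openclaw-core", "acme-it"}  # assumed allowlist

# Assumed mapping from a declared capability to the API calls that need it.
CAPABILITY_CALLS = {
    "mail.read":  [r"\bmail\.(list|read)\("],
    "mail.write": [r"\bmail\.(send|delete)\("],
    "shell":      [r"\bshell\.run\("],
    "network":    [r"\bhttp\.(get|post)\("],
}


def pin(archive: bytes) -> str:
    """Hash to record in the lockfile when a skill is first reviewed."""
    return hashlib.sha256(archive).hexdigest()


def undeclared_capabilities(manifest: dict, source: str) -> list:
    """Capabilities the code uses but the manifest never declared."""
    declared = set(manifest.get("capabilities", []))
    used = {cap for cap, pats in CAPABILITY_CALLS.items()
            if any(re.search(p, source) for p in pats)}
    return sorted(used - declared)


def vet_skill(manifest: dict, archive: bytes, source: str,
              scan_status: str) -> tuple:
    """Return (ok, reasons). Every check must pass; a clean scan on its own
    never admits a skill, which is the point of the publisher allowlist."""
    reasons = []
    if manifest.get("publisher") not in TRUSTED_PUBLISHERS:
        reasons.append("publisher not in allowlist")
    if scan_status != "clean":
        reasons.append(f"scan status is {scan_status!r}")
    if pin(archive) != manifest.get("sha256"):
        reasons.append("archive hash does not match pinned value")
    extra = undeclared_capabilities(manifest, source)
    if extra:
        reasons.append("undeclared capabilities: " + ", ".join(extra))
    return (not reasons), reasons
```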

Subsequent updates to OpenClaw address different security issues head on to make OpenClaw safer, and we expect many more to follow. 

Conclusion and five practical takeaways

OpenClaw is an important step forward for personal AI agents. The tool demonstrates how natural language can move beyond conversation and directly control real systems. But, for all its promises, organizations and stakeholders should treat OpenClaw as an early-stage tool, not ready-to-use enterprise software. OpenClaw operates with broad system privileges and autonomous execution capabilities, so if you’re considering installing it, keep a few practical realities in mind. 

Five practical takeaways

1. Run OpenClaw in an isolated environment or on a virtual machine.

2. Turn sandboxing on from the start. Recent OpenClaw updates improve isolation, but separation is still essential while security risks remain high.

3. Monitor AI agent activity closely. Review logs, outbound messages and system interactions regularly.

4. Limit permissions and credentials aggressively. Start small and expand access incrementally. 

5. Put rigorous governance controls in place. Make sure unsanctioned installations don’t quietly connect to enterprise systems and create unmanaged access.

OpenClaw isn’t marketed as hardened enterprise software for good reason. Agentic AI in a personal assistant form is still emerging in public developer communities. 

The security issues we are seeing are no surprise when users are unleashing a quickly developed autonomous agent on their systems, granting access to files, credentials, APIs and workflows. Our advice is to let early adopters and those who have less to lose work out the kinks instead of jumping on the bandwagon and putting your organization at risk. 

Meanwhile, make it a priority to define formal policies around personal AI agents connecting to corporate systems. Excitement about OpenClaw is justified, as we’re on the precipice of something transformative. Just remember, installing it today is less a productivity upgrade and more of a security and operational decision. Platform restrictions, like Anthropic’s shift away from flat-rate subscription usage for third-party agents like OpenClaw, are an early sign that the ecosystem is still stabilizing. Choose accordingly.
