
OpenClaw is an AI agent designed to act like a personal assistant, managing your email, calendar, social media accounts, and more, all from a messaging app like WhatsApp or Signal. While it has amassed a great deal of popularity — at the time of this writing it has over 180,000 stars on GitHub — many security experts are recommending caution.
Giving an AI agent access to your sensitive personal accounts may allow it to act more like a personal assistant, but it also opens you up to a great deal of risk.
In a recent episode of SD Times’ podcast, Jeff Malnick, GM of developer and AI at 1Password, said that until now a lot of experimentation with AI agents has been limited to the domain of software engineers who have an understanding of how systems work, but the popularity of OpenClaw has allowed agentic AI to escape out of the software development bubble.
“People are going out, downloading it, running it, and getting all these productivity gains, but what they don’t realize is this is essentially a self-inflicted root kit for your machine,” he said. “People don’t understand that it has access to your file system, so if you have any credentials in the clear, any text files, anything on your system, OpenClaw can access it.”
For instance, if you’re a developer, that might be your `.aws` directory with your credentials in it or your `.ssh` directory with your SSH private key in it.
“You certainly wouldn’t give any stranger on the street access to your laptop, but essentially what a lot of people have done is given it root capabilities on their machine and they don’t necessarily know that’s what’s going on,” he said.
Ben Marr, security engineer at the exposure management organization Intruder, echoed that sentiment, saying that OpenClaw “prioritizes ease of deployment over secure-by-default configuration,” and non-technical users can easily deploy it and connect it to sensitive accounts without any thought to security.
“There are no enforced firewall requirements, no credential validation, and no sandboxing of untrusted plugins. This isn’t theoretical – we’re seeing active exploitation. If you’ve had an instance running with default configurations, assume compromise and act accordingly,” he said.
Marijus Briedis, chief technology officer at NordVPN, said some of OpenClaw’s other issues are that malware is spreading through community-created skills in its marketplace, and just as with other agents, prompt injection can occur. “Because OpenClaw can read your emails and messages, a malicious actor can craft content that hijacks the agent’s behavior, essentially weaponizing your own AI assistant against you,” he said.
He explained that a first step to safely using OpenClaw is to ensure it’s not exposed to the public internet by setting up a secure tunnel to access it, rather than using an open port. Beyond that, it’s also important to configure OpenClaw’s permissions to lock down what services it has access to.
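As an added illustration of the "secure tunnel, not an open port" advice (this is not code from the article or from the OpenClaw project), a small POSIX sh audit that reads `ss -Hltn` output and flags any TCP listener not bound to the loopback interface; the port 8080 in the constructed sample is an assumed placeholder, not OpenClaw's actual port.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets and flag any that are reachable
# from beyond the loopback interface. Feed it the output of `ss -Hltn`
# (no header, listening, TCP, numeric), e.g.:  ss -Hltn | exposed_listeners
# Prints "EXPOSED: <addr:port>" per offending socket; returns 1 if any found.
exposed_listeners() {
  found=0
  # ss columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
  while read -r _state _rq _sq laddr _peer _rest; do
    [ -n "$laddr" ] || continue
    case "$laddr" in
      127.*:*|'[::1]:'*) continue ;;   # loopback only: reachable via a tunnel, not the network
    esac
    # 0.0.0.0, *, [::] or a specific interface address: reachable from the network
    echo "EXPOSED: $laddr"
    found=1
  done
  return $found
}

# Constructed sample input, NOT real ss output. Port 8080 is an assumed
# placeholder for the agent's listener.
SAMPLE_OK='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*'
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*'
```

A clean result means the agent can only be reached through a tunnel (SSH port forwarding or similar) that terminates on the host, which is the configuration Briedis describes.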
“If you’re not confident in your ability to secure a self-hosted deployment, consider whether the risks outweigh the benefits,” said Briedis.
1Password’s Malnick added that anyone who wants to experiment with OpenClaw despite the risks should run it in a sandbox and isolate its resources as much as possible. He advised people to create new accounts for it to use instead of handing over existing personal accounts, and to run it on dedicated hardware.
Additionally, follow the old advice of not trusting software you download from the internet. “Even if it says it’s going to do X, it’s probably going to do Y, so just approach everything with a zero trust philosophy,” he said.
