Over the weekend, a project named Openclaw went viral. It started as Clawdbot, was renamed Moltbot after what its owner described as a cease and desist from Anthropic, and finally became Openclaw.
What is this, you might ask? It is a personal AI that runs on your own device and does administrative tasks for you. You can connect it to different interfaces such as WhatsApp, Telegram and so on, and it autonomously does things on your behalf. The project became such a sensation that almost everyone started building their own Openclaw bot; it even drove up resale prices for Mac minis because people were using them to host bots. Both technical and non-technical people were (and still are) building theirs.
What made it even more sensational was the creation of Moltbook, a place for these agents to hang out. We started seeing screenshots of what these agents were posting: some hilarious, some raising eyebrows, and some downright chilling. All sorts of theories were spun up and, to be honest, it provided comedic relief and kept people busy.
Personal experience
I tried out Openclaw on a relatively new ThinkPad so that, if something went wrong, I could nuke the entire system. My setup followed this pattern:
- Ran LMStudio with a local model instead of using LLM provider APIs
- Curated my own custom skills rather than downloading what was available on Clawhub
- Used throwaway accounts for all tools and API integrations as a disaster mitigation strategy
I tried running the agent but couldn’t get it to work. At that point I started wondering whether it was my fault due to an improper setup, or whether Openclaw simply wasn’t ready to run complex, multi-turn tasks.
When Things Went South
It started going downhill when people began spinning up bots that could reach private things they were never meant to touch, such as API keys, because the humans behind them were too trusting. Then security vulnerabilities started being discovered, most notably a blatant prompt injection embedded in one of the skills hosted on Clawhub, a hub of specialized skills for these bots.
Vulnerabilities Found:
The findings, according to a Twitter user named OsMo99, included:
1. The Exposure Crisis
The first discovery came via Shodan, a search engine for internet-connected devices. What was found:
- 1,009 publicly exposed Openclaw gateways on the internet
- Hundreds running with NO authentication whatsoever
- Discovered within minutes using basic search techniques
What’s at Risk:
- API Keys Fully Exposed: Anthropic Claude keys, OpenAI tokens, Telegram bot credentials, Slack OAuth secrets were all accessible to anyone who found these instances
- Chat History Leaked: Months of private conversations, including personal and business communications
- Identity Hijacking: Attackers can impersonate users and their AI assistants
- Remote Command Execution: Some instances running with root privileges, allowing complete system takeover
This can be traced to users setting bind: all in their openclaw.json config instead of bind: loopback, which makes the gateway listen on every network interface rather than only on the local machine.
2. The Localhost Loophole
This vulnerability is more of a design flaw present in Openclaw’s authentication logic:
if (socket.remoteAddress === '127.0.0.1') {
  return autoApprove(); // Auto-approve localhost connections without any authentication
}
This code makes a dangerous assumption: if a connection appears to come from localhost (127.0.0.1), it must be trusted and authentication can be bypassed.
The Attack Flow:
- Attacker sends malicious request from the internet
- Request passes through a reverse proxy (Nginx, Caddy, Cloudflare Tunnel)
- Proxy forwards request, making it appear as localhost traffic
- Openclaw sees “127.0.0.1” and auto-approves
- Authentication bypassed, attacker has full access
The Root Cause:
- Default configuration: gateway.trustedProxies = [], so X-Forwarded-For headers are completely ignored
- ALL traffic through common proxy setups appears local
- Authentication mechanisms rendered completely useless
This means many users who thought they were “securing” their deployments with proxies actually opened a gaping security hole.
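One way to close this loophole, written here as an added example rather than Openclaw's own code: the real client address is resolved through an explicit trusted-proxy list before the loopback shortcut is allowed, and a loopback connection that carries forwarding headers from an unlisted proxy fails closed (normal authentication still applies) instead of being treated as local. The function names and the shape of trustedProxies are assumptions.

```javascript
// Added example, not Openclaw's own code. Resolves the real client address
// behind a reverse proxy and only auto-approves genuinely local connections.
// trustedProxies and the function names are assumptions for illustration.

const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function isLoopback(addr) {
  return LOOPBACK.has(addr);
}

// Walk the hop chain from the nearest hop outward, skipping addresses that
// are explicitly trusted as proxies. The first untrusted hop is the client.
// With append-style X-Forwarded-For (Nginx's $proxy_add_x_forwarded_for),
// entries a remote client spoofed sit further left and are never reached.
function resolveClientAddress(remoteAddress, forwardedFor, trustedProxies) {
  const trusted = new Set(trustedProxies);
  const hops = (forwardedFor || '')
    .split(',')
    .map((h) => h.trim())
    .filter(Boolean);
  if (hops.length > 0 && trusted.size === 0) {
    // Forwarding headers arrived but no proxy is trusted: fail closed rather
    // than believe either the socket address or the header.
    return null;
  }
  // Chain from the socket peer (nearest) back toward the origin (farthest).
  const chain = [remoteAddress, ...hops.reverse()];
  for (const hop of chain) {
    if (!trusted.has(hop)) return hop;
  }
  // Every hop is a trusted proxy address. This also happens when a proxy
  // forwards a spoofed header without appending the real peer, so treat it
  // as "no identifiable client" and do not auto-approve.
  return null;
}

// Drop-in replacement for the `remoteAddress === '127.0.0.1'` shortcut:
// the caller only skips authentication when this returns true.
function shouldAutoApprove(socket, headers, config) {
  const client = resolveClientAddress(
    socket.remoteAddress,
    headers['x-forwarded-for'],
    config.trustedProxies || [],
  );
  return client !== null && isLoopback(client);
}
```

Even with this check, the result is only as trustworthy as the proxy that sets X-Forwarded-For; binding the gateway to loopback and keeping authentication on remain the primary controls.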
3. The Data Heist: What Attackers Can Steal
Once inside a compromised Openclaw instance, attackers gain access to your entire digital identity:
Credentials & Keys:
- Anthropic, OpenAI, and other AI service API keys (potentially worth hundreds of dollars)
- Telegram bot tokens
- Slack OAuth secrets
- Discord webhook URLs
- WhatsApp session data
Conversation Archives:
- Complete chat histories spanning months
- Personal and business communications
- File attachments and documents shared with the agent
- Voice message transcripts
- Strategic planning discussions and confidential information
System Configuration:
- Full server configuration files
- Environment variables containing secrets
- Database credentials
- Integration endpoints
- Custom automation workflows and scripts
Identity & Agency:
- Device pairing metadata
- User behavioral patterns and preferences
- Social graphs and contact lists
- Delegation permissions (what the agent can do on your behalf)
- Command execution rights
The Impact:
- 100% identity compromise
- ∞ persistent access (attackers can maintain access indefinitely)
- 0% detection chance (no audit trail, no alerts, no indication of breach)
Attackers don’t just see what you see, they can act as you, with your full authority, across every platform you’ve connected.
4. The Structural Problem: Security by Design or Insecurity by Necessity?
This wasn’t really a bug, more like a realization that the very features that make AI agents useful create impossible security trade-offs.
The Four Security Paradoxes:
Paradox 1: Broad Access vs. Least Privilege
- What Agents Need: Access to email, calendar, files, messaging apps, APIs, shell commands, browser sessions, everything across every platform you use
- What This Breaks: The security principle of least privilege. Each permission multiplies the attack surface. One compromise equals total access to your entire digital life
Paradox 2: Persistent State vs. Sandboxing
- What Agents Need: Long-term memory of conversations, context, preferences, the ability to remember what you discussed yesterday, last week, last month
- What This Breaks: Application sandboxing and data containment. Stored conversations become an intelligence goldmine and permanent record of private thoughts and plans
Paradox 3: Autonomous Action vs. Human Control
- What Agents Need: The ability to execute commands without asking, send messages proactively, make decisions independently, act on your behalf 24/7, even while you sleep
- What This Breaks: Human-in-the-loop security and approval workflows. Compromised agents act maliciously with your full authority, no approval needed, no questions asked, no rollback possible
Paradox 4: Cross-Platform vs. Trust Boundaries
- What Agents Need: Unified access across WhatsApp, Telegram, Slack, email, Discord, SMS, a single interface to control everything, with seamless integration everywhere
- What This Breaks: Security isolation between platforms and services. Trust boundaries collapse into a single point of failure. One breach gives attackers keys to every service simultaneously
The Truth:
These discoveries aren’t patchable bugs or implementation mistakes that a better code review would fix; they are fundamental architectural choices inherent to how AI agents work. You can’t build a useful autonomous agent without giving it access, persistent memory, independent decision-making, and cross-platform integration. But every feature that makes an agent powerful makes it catastrophic when compromised.
Traditional security models assume trust boundaries: your email provider doesn’t have access to your Slack, your Telegram doesn’t know your Discord credentials, your work systems are isolated from personal accounts. AI agent functionality erases these boundaries in the name of convenience and capability.
What You Should Do
Based on these findings, here’s my advice for anyone using or considering Openclaw:
Immediate Actions If You’re Already Running Openclaw:
- Check if you’re exposed: Search for your IP address on Shodan immediately
- Rotate ALL credentials: Every API key, token, and password your agent has touched should be considered compromised and changed
- Enable authentication: Configure proper gateway authentication mechanisms
- Fix proxy configuration: Set gateway.trustedProxies correctly if using reverse proxies
- Audit access logs: Check for suspicious activity (though lack of logs is itself a red flag)
- Consider shutting down: Until you fully understand the security implications, taking your instance offline may be the safest option
Best Practices for Deployment:
Use a Dedicated Sacrificial Device:
- If you have a spare laptop or can afford a dedicated machine, use it exclusively for Openclaw
- Ideally something you can completely wipe if things go wrong
- Keep minimal sensitive information on this device
- Treat it as a DMZ: isolated from your main computing environment
If You Don’t Have a Spare Device:
- Implement strict restrictions on what your agent can and cannot access
- Never hit “continue” without carefully reading what the agent wants to do
- Use file system permissions to limit which directories the agent can access
- Consider running in a virtual machine with snapshots for easy rollback
Network Security:
- Set your bind config to loopback, not all
- Use VPN tunnels (Tailscale, WireGuard) for remote access instead
- If you must use a reverse proxy, configure trusted proxy settings correctly
- Implement firewall rules to restrict access to known IP addresses
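A small audit of the settings in this list, added here as an example and not part of Openclaw's own tooling: it reads a parsed openclaw.json and flags an all-interfaces bind, disabled authentication, and a missing or wildcard trusted-proxy list, ranking each finding by how the settings combine. The key layout (gateway.bind, gateway.auth.enabled, gateway.trustedProxies) is assumed for illustration.

```javascript
// Added example, not Openclaw's own tooling: audits a parsed openclaw.json
// for the network settings discussed above. The key layout (gateway.bind,
// gateway.auth.enabled, gateway.trustedProxies) is an assumption made for
// illustration; map it onto the keys your config file actually uses.

const LOOPBACK_BINDS = new Set(['loopback', 'localhost', '127.0.0.1', '::1']);
const WILDCARD_PROXIES = new Set(['*', '0.0.0.0/0', '::/0']);
const SEVERITY = ['info', 'medium', 'high', 'critical'];

function auditGatewayConfig(cfg) {
  const gw = (cfg && cfg.gateway) || {};
  const bind = gw.bind === undefined ? 'unset' : String(gw.bind).toLowerCase();
  const authOn = Boolean(gw.auth && gw.auth.enabled);
  const proxies = Array.isArray(gw.trustedProxies) ? gw.trustedProxies : [];
  const findings = [];

  if (!LOOPBACK_BINDS.has(bind)) {
    // Listening on every interface with no auth is the Shodan-visible case.
    findings.push({ key: 'gateway.bind', severity: authOn ? 'high' : 'critical',
      msg: `bind is "${bind}"; set bind: loopback so only this host can reach the gateway` });
  }
  if (!authOn) {
    findings.push({ key: 'gateway.auth.enabled', severity: LOOPBACK_BINDS.has(bind) ? 'medium' : 'critical',
      msg: 'gateway authentication is off; every client that can reach it is fully trusted' });
  }
  if (proxies.length === 0) {
    findings.push({ key: 'gateway.trustedProxies', severity: 'info',
      msg: 'empty; if a reverse proxy fronts the gateway, list its address or forwarded requests look like localhost' });
  } else if (proxies.some((p) => WILDCARD_PROXIES.has(String(p)))) {
    findings.push({ key: 'gateway.trustedProxies', severity: 'high',
      msg: 'wildcard entry trusts X-Forwarded-For from anyone, letting remote clients claim to be localhost' });
  }
  return findings;
}

// Highest severity present, or 'none' for a clean config.
function worstSeverity(findings) {
  return findings.reduce((worst, f) =>
    SEVERITY.indexOf(f.severity) > SEVERITY.indexOf(worst) ? f.severity : worst, 'none');
}

// Constructed sample configs: the exposed pattern from the write-up and a
// hardened one (proxy on the same host, so 127.0.0.1 is the trusted peer).
const exposedConfig = { gateway: { bind: 'all', trustedProxies: [] } };
const hardenedConfig = {
  gateway: { bind: 'loopback', auth: { enabled: true }, trustedProxies: ['127.0.0.1'] },
};
```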
Credential Management:
- Use separate “bot accounts” for all integrations rather than your personal accounts
- Create API keys with minimum necessary permissions
- Use throwaway email addresses and phone numbers for bot registrations
- Never give your agent access to your primary email, banking, or other critical accounts
Skills and Code:
- Do NOT install skills from Clawhub blindly (blatant prompt injection vulnerabilities have been found)
- Review every skill’s code before installation
- Start with vanilla/default setup before adding customizations
- Consider running a prompt injection scanner on any skills before using them
Model Selection:
- Use local models (Ollama, LMStudio) instead of third-party API services when possible
- If you must use cloud APIs, use dedicated bot accounts with spending limits
- Never hardcode API keys in configuration files; use environment variables instead
Hold Off Entirely If:
- You’re not technically inclined: Wait until security practices mature and user-friendly hardened distributions are available
- You’re not security-minded: The risk/reward ratio isn’t worth it yet
- You handle sensitive data: Medical, legal, financial, or confidential business information should never be accessible to current agent implementations
- You can’t afford a dedicated device: Using your primary machine is too risky given the current security posture
Intent Matters
I want to be clear: this is not an attack on Openclaw or its creators. What they’ve built is genuinely impressive and represents important work in making AI agents accessible. The 64,000+ GitHub stars reflect real enthusiasm for this technology, and the problems it aims to solve are legitimate.
The developer community values Openclaw because it demonstrates what’s possible. This is pioneering work, and pioneering work always comes with growing pains.
Security vulnerabilities are inevitable in fast-moving projects; what matters is how we respond. The security research that uncovered these issues was conducted in the spirit of responsible disclosure and community improvement, not to tear down the project.
The path forward requires collective action:
If you’re a user:
- Audit your deployments immediately
- Enable authentication and follow hardening guidelines
- Treat your agent as privileged infrastructure that needs serious security consideration
- Make informed decisions about what data to expose
If you’re a developer:
- Contribute security improvements and review pull requests critically
- Share best practices with the community
- Help build security tooling and monitoring solutions
- Consider these architectural trade-offs in your own projects
If you’re a maintainer:
- Implement fixes for known vulnerabilities quickly
- Update documentation with security warnings and best practices
- Consider implementing security audit tooling within Openclaw itself
- Make security the default, not an opt-in
If you’re a researcher:
- Study agent security patterns and help define new security paradigms
- These architectural challenges aren’t unique to Openclaw — they affect all agentic systems
- We need new security models designed for the agentic computing era