What is OpenClaw? The "friendly lobster" that became a security nightmare
- Marijan Hassan - Tech Journalist
- 17 minutes ago
From viral sensation to RCE disaster: how the "open-source AI with hands" exposed thousands to data theft.

OpenClaw, an open-source AI automation tool designed to connect large language models directly to users’ emails, files, messaging apps, and other services, is drawing mounting criticism from security researchers who warn that its design could expose both individuals and businesses to serious cyber risks.
From Weralay to OpenClaw: A troubled history
Originally launched under several different names, including Weralay, Clawdis, Clawdbot and Moltbot, the project recently rebranded as OpenClaw after legal pressure and community confusion. Despite the branding changes, its core promise has remained the same: a simple, plug-and-play layer that allows an AI assistant to act on a user’s behalf across connected accounts and systems.
Convenience at a cost
The appeal is obvious. Users can ask the agent to summarize emails, fetch files, scrape websites or automate workflows without writing scripts or using complex APIs. What once required technical know-how can now be done through plain language prompts.
Security experts say that convenience is precisely the problem.
Why experts are calling it a security nightmare
To function, OpenClaw typically requires broad permissions, including access to email inboxes, cloud drives, chat platforms, session tokens, local files, and, in some cases, shell command execution. Consolidating that level of access into a single always-on service creates what researchers describe as a high-value target for attackers.
Because large language models are not fully predictable, the system may also misinterpret instructions or fall victim to prompt injection attacks. A malicious message or webpage could trick the agent into exposing sensitive data or executing unintended commands, according to analysts.
Researchers have already demonstrated real-world exploits. Malicious plugins, sometimes disguised as harmless “skills,” have been found exfiltrating credentials and tokens to remote servers. In other cases, users have deployed OpenClaw dashboards to the internet without authentication, effectively giving anyone who discovers the instance remote access to their system.
One security scan earlier this year reportedly identified more than 20,000 publicly exposed OpenClaw servers online.
Poor oversight and risky defaults
Additional concerns stem from how the project is maintained. With hundreds of contributors and rapid code changes, critics argue that oversight has lagged behind feature growth. Past versions reportedly stored API keys and login credentials in plain text, and multiple vulnerabilities, including an unauthenticated WebSocket flaw, allowed attackers to issue commands or steal tokens.
OpenClaw’s documentation acknowledges that there is no perfectly secure configuration and leaves many protections, such as authentication and network restrictions, optional. Experts say that places too much responsibility on non-technical users who may not understand the implications.
Corporate risks: A backdoor into sensitive data
For businesses, the risks may be even greater. If an employee connects OpenClaw to corporate accounts, a compromised instance could provide attackers with access that appears indistinguishable from legitimate user activity, potentially bypassing traditional security tools.
“Agents like this blur the line between automation and control,” one researcher said, noting that once compromised, the software effectively becomes a backdoor into everything it can access.
Proceed with extreme caution
As AI agents become more capable of performing real actions instead of simply answering questions, security professionals warn that tools like OpenClaw highlight a growing tradeoff between convenience and safety. For now, many researchers advise extreme caution or avoiding such broad-access AI automation tools entirely until stronger safeguards are in place.










