Explainer · Inside the Code

If You Installed OpenClaw, Watch This Immediately

Everyone is talking about OpenClaw as the ultimate open-source AI agent. But under the hood, it's a security minefield with full disk access, zero safety boundaries, and vulnerabilities that act as a remote control for hackers.

Feb 15, 2026 · 8 min

The video version · same thesis, looser edits

The Ultimate AI Agent or a Glass Cannon?

Everybody is talking about OpenClaw. It promises to be the ultimate open-source AI agent runner, automating everything right on your local machine. But before you install it and give it full access to your computer, we need to talk about what’s actually compiling under the hood.

Based on my audit of the February 2026 releases codebase, OpenClaw is fundamentally flawed. It’s built on a foundation of “Vibe Coding” where developers assumed that keeping an agent “Local Only” inherently made it safe. It didn’t.

Here are the critical security failures you need to watch out for.

The “Open” Source Illusion

The engine running OpenClaw is surprisingly opaque. Much of the heavy lifting is handled by hidden core packages (pi-agent-core) developed by a solo third-party maintainer. While the upstream TypeScript library is extremely efficient, OpenClaw’s implementation of it turns the agent into a Glass Cannon.

OpenClaw exposes the raw core loop without implementing adequate guardrails, essentially executing whatever arbitrary commands the backend LLM generates. Because it includes a built-in package manager with unrestricted shell access, the AI can independently npm install any library it wants. That is the equivalent of handing a toddler a loaded gun and a corporate credit card.

Security Theater

When assessing an agent, you check the repository’s SECURITY.md file. In OpenClaw’s case, their security policy explicitly lists Prompt Injection and Public Internet Exposure as “Out of Scope.”

Translation: If a malicious website tricks your local agent into deleting your file system, the maintainers do not view it as a software bug. If your agent is exposed to the internet and hijacked, it’s not their problem.

The Danger of Unvetted “Skills”

OpenClaw extends its capabilities using “Skills”—directories containing raw Python or Bash scripts. However, there is no vetted app store or secure package repository. The installation scripts allow these skills to silently run pip install or brew install automatically upon download.

If you download a “Productivity Helper” script from a community forum, you are executing unverified code directly on your host machine. This operates as a catastrophic supply chain vulnerability. In January 2026, the “ClawHavoc” attack devastated users when hackers flooded open registries with 335 fake skills that actively stole crypto wallet hashes and SSH keys.

Once an agent like OpenClaw is compromised, it becomes “Patient Zero” for your entire home or office network. The agent scans locally—targeting your NAS drives, wireless printers, and family laptops. Additionally, when the “Moltbook” network was breached recently, over 1.5 million agent communication tokens were stolen.

The scariest part? You won’t feel the breach immediately. Hackers hoard session files (like WhatsApp auth_info data) which permanently bypass 2FA until you explicitly revoke every token.

The “Free” AI Trap

Can you run OpenClaw using your $20/month GitHub Copilot subscription instead of paying expensive per-token API fees? Yes—but it’s a trap.

OpenClaw has built-in code designed to mimic a VS Code client, actively hijacking your Copilot or Claude web session to execute autonomous operations for free. While the official open-source documentation recommends this cost-saving trick, they bury the massive red flag: doing this violates Terms of Service and routinely triggers permanent account bans. Guiding beginners to effectively wager their primary GitHub or enterprise accounts to save API credits is highly unethical.

The “Dirty Secret” of Integrations

The highly-marketed ecosystem integrations are nothing more than precarious lifecycle hacks.

  • WhatsApp: It uses the unauthorized “Baileys” library to trick Meta servers into seeing a web client. Doing this risks getting your personal phone number permanently banned.
  • iMessage: Operating this requires you to grant the agent Full Disk Access, breaking the macOS sandbox. It allows one malicious prompt to read your personal photos, tax documents, and emails.
  • Screen Reading: The agent actively demands constant Screen Recording, Camera, and Accessibility tracking permissions. You are handing over the keys to the castle.

Complete Failure of Industry Standards

I ran the OpenClaw codebase against the OWASP Top 10 for AI and NIST Safety Standards. It failed nearly every check:

  1. Prompt Injection: Fails
  2. Sensitive Data Protection: Fails
  3. Supply Chain Security: Fails

In professional circles, this is referred to as “Excessive Agency.” Let’s call it what it really is: a remote control for hackers. Under the protection of the MIT License, the developers retain absolute zero liability. If the agent hallucinates and burns $1,000 of your Gemini API credits, or introduces malware that ransoms your company, you accept the entire fallout singlehandedly.

Should you use OpenClaw? No. If you do, ensure it runs inside an air-gapped virtual machine holding zero sensitive credentials.

securityagentsopenclawauditowasp
In this series View all →
  1. $460 Million in 45 Minutes: The Knight Capital Disaster
  2. Inside the Code: The 50-Year Legacy of the Buffer Overflow
  3. 72KB of Code That Reached the Moon
  4. Hermes Agent Technical Review: Safety via Transparency
  5. If You Installed OpenClaw, Watch This Immediately
More in Inside the Code
Explainer · inside-the-code
72KB of Code That Reached the Moon
The Apollo Guidance Computer had less memory than a favicon. Its source code is public domain. I opened every file.
Apr 20 · 14 min
Review · inside-the-code
Hermes Agent Technical Review: Safety via Transparency
Hermes is one of the most architecturally interesting AI agents I've reviewed this year. The maintainers chose a bold philosophy: 'Safety via Transparency'. But is transparency actually a safety control? I took it line-by-line through the OWASP Top 10 for LLM Agents to find out.
Apr 17 · 10 min
Explainer · inside-the-code
Inside the Code: The 50-Year Legacy of the Buffer Overflow
A look at the bugs that shaped the internet, and why C's design philosophy from 1972 is still the floor your AI models are standing on.
Apr 23 · 8 min