What is OpenClaw?
OpenClaw is an open-source agentic AI tool designed to function as a “personal AI assistant” that can be messaged anytime, anywhere. Unlike a traditional AI chatbot, agentic AI is designed to work autonomously. Rather than querying a chatbot and being given answers, agentic AI can complete tasks on a user’s behalf.
Unlike chatbots such as ChatGPT that have their own app, OpenClaw works inside local user machines and connects to already-downloaded messaging apps (WhatsApp, iMessage, and Telegram) for a more personalized experience. As a consequence, it has full access to the user’s entire local machine.
“Power users” are rapidly adopting this new tool and already integrating it into their daily routines. One user shared that he uses his OpenClaw agent to send him daily morning briefs—including notifications about urgent emails, upcoming meetings, and updates on current events. He also recommended utilizing the agent for competitor analysis and market research to stay informed on industry trends.
Benefits of OpenClaw:
OpenClaw is appealing because it is designed to act as a personal assistant. Unlike OpenAI, which is used as a common chatbot or “search engine,” OpenClaw functions autonomously. It remembers user preferences from prior conversations, can proactively send reminders, and—when given the proper authorization—has the ability to make decisions without being asked. This all happens through access to user files, emails, and calendars.
Compare this to a tool like Claude Cowork. It functions in a similar manner to OpenClaw, acting as a user’s personal assistant to review transcripts and access calendars and files. However, Claude Cowork isn’t fully autonomous, as it only works while the Claude application is running. OpenClaw, on the other hand, can run 24/7 on virtual servers, even when a user closes their PC.

Convenience is another proposed benefit of OpenClaw. Instead of downloading an entirely separate app or system in order to use it, it works inside messaging apps users already have. Consider Apple’s “Mac Mini” as an example. Part of its appeal was that it was designed to work with hardware users already owned—like keyboards and speakers—rather than requiring them to buy an entirely new Mac computer. Ironically, OpenClaw has driven its own Mac Mini craze: with users wanting a dedicated machine to host their agent 24/7, demand surged to the point that Mac Minis sold out at major retailers, prices spiked on the secondary market, and “OpenClaw rigs” became a recurring topic in power-user communities.
Furthermore, OpenClaw exists within all apps users have already downloaded, meaning they can access it from anywhere. For example, so long as a user has WhatsApp on both their computer and their phone, OpenClaw can be used on both devices.
Does It Actually Work?
Many users report positive experiences with OpenClaw. Testimonies and reviews from users mainly praise the memory and proactive nature of the tool. One user recounted how the agent, after detecting a rejection email from his insurance company, autonomously drafted and sent a response email. This prompted the insurer to reinvestigate his case.
However, the platform’s official GitHub repository tells a different story. Under the “Issues” tab, users reported several bugs such as session corruption, chat histories being accidentally deleted, and unexpected crashes. Notably, multiple issues seemed to worsen or emerge after the v2026.4.5 update.
This alone isn’t a red flag, since many issues are common in popular repositories and AI tools. However, the sheer scale of OpenClaw’s adoption makes these numbers particularly alarming. For example, TensorFlow, an open-source machine learning framework developed by Google, only has 952 issues compared to OpenClaw’s over 5,000. Granted, these issues are closed every few hours, but even this rigorous pace isn’t enough to keep up with the staggering number.
Regardless, it seems OpenClaw’s efficiency outweighs its drawbacks, and it has remained quite popular amongst power users.
Security Issues:
It’s tempting to adopt new technology for its promised efficiency and convenience. The idea of finding an “all-in-one” solution that can do everything is incredibly enticing, especially if the user adopting it will become more productive as a result. It’s also important to recognize the pressure that individuals and businesses can feel when new AI technologies emerge. There’s a concern that not adopting the latest tools could mean falling behind, or losing to competitors who may be “ahead of the curve.”
However, sometimes the caveats of these new tools far outweigh the proposed benefits. Case in point: the fact that OpenClaw has access to users’ messaging apps, files, and the local machine it lives inside means that these areas become extremely vulnerable. Here’s a breakdown of some of OpenClaw’s major security concerns:
- If granted access to messaging apps to read and send messages, OpenClaw (and potentially an attacker) can access your personal conversations. Additionally, AI can’t always understand the nuance of conversations (see Apple Intelligence misunderstanding sarcasm and slang), and may create responses based on a misinterpretation.
- If granted email and phone integration privileges, OpenClaw can access account credentials, such as those for Gmail, which can potentially be leaked. These credentials also make the agent capable of doing anything you are able to do on that computer—like send an email or call a colleague—which can be dangerous if it acts inappropriately on your behalf.
- OpenClaw is vulnerable to prompt injection: if the agent processes an email or website containing hidden malicious instructions, it can be tricked into executing these commands. For example, the picture below depicts an email with hidden instructions, written by an attacker, that will force the agent to reveal its system prompt and API keys.

- On vulnerable instances, attackers can modify OpenClaw’s memory of user preferences, influencing its responses and actions. This can create bias in its outputs and cause the agent to make decisions that don’t reflect the user’s true intentions.
SecurityScorecard, a leading cybersecurity platform, is actively researching and monitoring the risks of OpenClaw. They found that OpenClaw currently has over 50,000 vulnerable instances—classified as such due to unpatched software versions—meaning attackers can access the AI’s control panel and run malicious commands on it. More consequentially, OpenClaw has nearly 10 million CVEs (Common Vulnerabilities and Exposures) across the instances SecurityScorecard monitors. The single largest risk factor is leaked credentials, accounting for over 3.7 million instances.
These considerations make OpenClaw a high risk.

OpenClaw risks as of 4/18/26. Credit: https://declawed.io/
What If I Still Want to Use It?
Bearing in mind the aforementioned security concerns, if a company chooses to implement OpenClaw, there are ways to make safer installation decisions. Here are some guidelines to reference if choosing to install OpenClaw:
- Do NOT run OpenClaw on a personal or work machine, as these devices hold sensitive information. Either run it in a virtual environment (fully isolated sandbox) or dedicate a separate physical machine solely to its usage. That way, any consequences caused by the agent can be contained.
- Create entirely new accounts (for your messaging app, GitHub, and Gmail) dedicated to the setup, to prevent the leak of important credentials. Dedicated accounts also come with limitations which prevent access control issues—the agent can only do so much with what it’s permitted to view.
- To avoid an agent acting incorrectly on a user’s behalf, mandate human oversight before performing any sensitive actions. This can prevent the agent from sending unwanted emails or acting autonomously without pre-approval from users.
If a company chooses to integrate OpenClaw into their business operations, they could implement the above practices to maintain safety. However, it’s also worth considering that agents should have different levels of permissions depending on who in the organization is using them. For example, a newly hired employee shouldn’t have access to an agent capable of emailing executives or high-profile clients. Companies can tier access based on role and seniority, restricting who—both internally and externally—the agent can communicate with and what actions it can perform.
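To make the human-oversight and role-tiering advice above concrete, here is an added example (not OpenClaw's code or configuration) of a default-deny gate an organization could place in front of an agent's actions. The role names, action names, and example.com domains are all hypothetical.

```python
from dataclasses import dataclass

# Constructed role tiers (hypothetical names and domains, not OpenClaw config):
# the actions an agent may take for each role and the domains it may contact.
POLICY = {
    "new_hire": {"actions": {"read_calendar", "draft_email"},
                 "domains": {"team.example.com"}},
    "manager": {"actions": {"read_calendar", "draft_email", "send_email"},
                "domains": {"team.example.com", "clients.example.com"}},
}
SENSITIVE = {"send_email", "make_call", "delete_file"}  # always need a human
NEEDS_RECIPIENT = {"draft_email", "send_email"}


@dataclass
class Request:
    role: str
    action: str
    recipient: str = ""  # e-mail address; empty when the action has none


def authorize(req, approver=None):
    """Return (allowed, reason); anything not explicitly listed is denied."""
    tier = POLICY.get(req.role)
    if tier is None:
        return False, "unknown role"
    if req.action not in tier["actions"]:
        return False, "action not permitted for role"
    if req.action in NEEDS_RECIPIENT:
        # Compare only the domain after the last "@"; a missing or malformed
        # address never matches the allowlist and is denied.
        domain = req.recipient.rsplit("@", 1)[-1].strip().lower()
        if "@" not in req.recipient or domain not in tier["domains"]:
            return False, "recipient outside allowlist"
    if req.action in SENSITIVE:
        # The approver is a callback to a person (chat prompt, ticket, etc.);
        # no approver, or a "no", blocks the action.
        if approver is None or not approver(req):
            return False, "human approval required"
    return True, "ok"


if __name__ == "__main__":
    approve = lambda r: True  # stands in for a human clicking "approve"
    for r in (Request("new_hire", "send_email", "ceo@clients.example.com"),
              Request("manager", "send_email", "pat@clients.example.com"),
              Request("manager", "send_email", "x@unknown.example.net")):
        print(r, authorize(r), authorize(r, approve))
```

The checks run in order of role, action, recipient, then approval, so a human is only asked to approve requests that the policy already allows.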

Credit: Graphic generated by Anthropic’s Claude AI, Sonnet 4.6 model.