OpenClaw Is a Security Nightmare Dressed Up as a Daydream

While promising a future of perfect automation, OpenClaw is sparking intense debate in the tech community due to its severe security flaws and deep access to personal data.
Back in 2023, the internet was buzzing about AutoGPT and BabyAGI. It was just after GPT-4 had arrived. Everyone was talking about autonomous agents taking jobs, and I remember how scared and paranoid people looked. However, the agents didn’t live up to their promise. The conversations died off in a few weeks.
Fast forward exactly three years, and people are having the same conversation. This time it’s OpenClaw powered by Opus. This time, though, the models are significantly better, with far fewer hallucinations, and the ecosystem has matured enough for OpenClaw to actually get things done. By “get things done,” I mean it can interact with your local system files, the terminal, browsers, Gmail, Slack, and even home automation systems.
It's been almost a month, and people are still out there on Twitter talking about it. In fact, people talked about it so much that OpenAI acquihired Peter Steinberger. The one-man unicorn might've actually become a reality.
However, every gain has a cost, and in this case, it’s the security. The underlying tech, however impressive it looks, has serious holes that can put a bigger hole in your pocket. It's capable, it's expensive, and it's insecure.
This blog post talks about some of the good things and a lot of the bad things about OpenClaw and its ecosystem, and how you can work around them if you’re truly motivated to use the tech. I personally didn't like it, nor did I see its promise, or maybe I am employed.
OpenClaw: The Daydream
Imagine you wake up and open your laptop, and all your inboxes are cleared, meetings have been slotted with prep notes, a weekend flight is booked, and Alexa is playing “Every Breath You Take, Every move you make, I'll be watching you” by the Police (pun intended), without you doing anything but typing it out to a bot or, better, just talking to it. It will feel magical, almost like living in the future. This is the promise of OpenClaw. Human desire for automation is primal; that’s how we came up with gears, conveyor belts, machines, programming languages, and now a new breed of digital super-assistants powered by AI models.
Federico Viticci in MacStories writes,
For the past week or so, I’ve been working with a digital assistant that knows my name, my preferences for my morning routine, how I like to use Notion and Todoist, but which also knows how to control Spotify and my Sonos speaker, my Philips Hue lights, as well as my Gmail. It runs on Anthropic’s Claude Opus 4.5 model, but I chat with it using Telegram. I called the assistant Navi (inspired by the fairy companion of Ocarina of Time, not the besieged alien race in James Cameron’s sci-fi film saga), and Navi can even receive audio messages from me and respond with other audio messages generated with the latest ElevenLabs text-to-speech model. Oh, and did I mention that Navi can improve itself with new features and that it’s running on my own M4 Mac mini server?
If this intro just gave you whiplash, imagine my reaction when I first started playing around with OpenClaw, the incredible open-source project by Peter Steinberger (a name that should be familiar to longtime MacStories readers) that’s become very popular in certain AI communities over the past few weeks. I kept seeing OpenClaw mentioned by people I follow; eventually, I gave in to peer pressure, followed the instructions from the funny crustacean mascot on the app’s website, installed OpenClaw on my new M4 Mac mini (which is not my main production machine), and connected it to Telegram.
To say that OpenClaw has fundamentally altered my perspective of what it means to have an intelligent, personal AI assistant in 2026 would be an understatement. I’ve been playing around with OpenClaw so much, I’ve burned through 180 million tokens on the Anthropic API (yikes), and I’ve had fewer and fewer conversations with the “regular” Claude and ChatGPT apps in the process.
The bull case for OpenClaw-like bots
Brandon Wang puts forward a very fair and just bull case for OpenClaw in his essay, where he outlines everything he has done with OpenClaw, from inbox reminders to appointment booking and more. He explains the ease and convenience of OpenClaw, as well as its stickiness.
The more your usage grows, the more the bot learns from patterns, creates tools, workflows, and skills, and fetches them when needed. The bot can store these workflows and skills in a database or folders for future reference.
clawdbot writes a human-readable version of each workflow and pushes it up to a notion database. these workflows can be incredibly intricate and detailed as it learns to navigate different edge cases.
For example, if a restaurant has a reservation cancellation fee, Clawdbot now informs me of the fee, asks me to confirm again whether it's non-refundable, and includes the cancellation deadline in the calendar event it creates.
There are certainly a lot of people who will benefit from this, but it comes at a cost. Even if you take the security angle out, the tech almost never works as advertised. To test a similar scenario, I gave my OpenClaw my Calendar, Slack, and Gmail. I was pretty enthusiastic about it because I hate touching it. It worked pretty well until it didn't. It pulled up a conversation from Slack with a colleague where I was talking about taking a break, and this sonuvabitch marked me OOO for all upcoming meetings and posted in the #absence channel.
And then I remembered I gave it a personality (SOUL.md) of Sebastian Michaelis from Black Butler. It's an anime character, a demon bound by a Faustian contract to serve Ciel Phantomhive as a butler. And then it made sense.
The Faustian bargain of security and privacy
And, of course, this level of automation always comes with hidden costs. You have to submit your security and privacy to the machine god. It's a Faustian contract of your privacy and security for automation. Brandon writes,
it can read my text messages, including two-factor authentication codes. it can log into my bank. it has my calendar, my notion, my contacts. it can browse the web and take actions on my behalf. in theory, clawdbot could drain my bank account. this makes a lot of people uncomfortable (me included, even now).
On the shape of trust, he explains
all delegation involves risk. with a human assistant, the risks include: intentional misuse (she could run off with my credit card), accidents (her computer could get stolen), or social engineering (someone could impersonate me and request information from her).
With Clawdbot, I'm trading those risks for a different set: prompt injection attacks, model hallucinations, security misconfigurations on my end, and the general unpredictability of an emerging technology. i think these risks are completely different and lead to a different set of considerations (for example, clawdbot's default configuration has a ton of personality to be fun and chaotic on purpose, which feels unnecessarily risky to me).
The only difference here is that the human can be held accountable and can be put in prison.
Should you?
OpenClaw’s charm lies in yolo’ing past all the boring guardrails. But isn’t Claude Code the same, and doesn't everyone seem to be trusting their million-dollar code bases with it? Yes, but that happened once the system around it became sufficiently mature, whereas ClawdBot is a notch above it and requires you to grant access to apps (WhatsApp, Telegram) that can become attack vectors. The tech ecosystem isn’t there yet. If you’re someone who doesn’t have an internal urge to try out the next fancy tech in town and learn, you’re fine not giving in to FOMO.
On this note, consumers should avoid OpenClaw given its obvious downsides. A nice essay from Olivia Moore sums it up pretty well.
OpenClaw: The Nightmare
At this point, it’s clear OpenClaw is not for everyone. But what are the challenges, and what makes it and similar bots a ticking time bomb?
The ClawdHub Skill Issu
Source: Hacker News









