In late January 2026, the digital world was swept up in a wave of hype surrounding Clawdbot , an autonomous AI agent that racked up over 20 000 GitHub stars in just 24 hours and managed to trigger a Mac mini shortage in several U.S. stores. At the insistence of Anthropic — who weren’t thrilled about the obvious similarity to their Claude — Clawdbot was quickly rebranded as “Moltbot”, and then, a few days later, it became “OpenClaw”. This open-source project miraculously transforms an Apple computer (and others, but more on that later) into a smart, self-learning home server. It connects to popular messaging apps, manages anything it has an API or token for, stays on 24/7, and is capable of writing its own “vibe code” for any task it doesn’t yet know how to perform. It sounds exactly like the prologue to a machine uprising, but the actual threat, for now, is something else entirely. Cybersecurity experts have discovered critical vulnerabilities that open the door to the theft of private keys, API tokens, and other user data, as well as remote code execution. Furthermore, for the service to be fully functional, it requires total access to both the operating system and command line. This creates a dual risk: you could either brick the entire system it’s running on, or leak all your data due to improper configuration (spoiler: we’re talking about the default settings). Today, we take a closer look at this new AI agent to find out what’s at stake, and offer safety tips for those who decide to run it at home anyway. What is OpenClaw? OpenClaw is an open-source AI agent that takes automation to the next level. All those features big tech corporations painstakingly push in their smart assistants can now be configured manually, without being locked in to a specific ecosystem. Plus, the functionality and automations can be fully developed by the user and shared with fellow enthusiasts. At the time of writing this blogpost, the catalog of prebuilt OpenClaw skills already boasts around 6000 scenarios — thanks to the agent’s incredible popularity among both hobbyists and bad actors alike. That said, calling it a “catalog” is a stretch: there’s zero categorization, filtering, or moderation for the skill uploads. Clawdbot/Moltbot/OpenClaw was created by Austrian developer Peter Steinberger , the brains behind PSPDFkit . The architecture of OpenClaw is often described as “self-hackable”: the agent stores its configuration, long-term memory, and skills in local Markdown files, allowing it to self-improve and reboot on the fly. When Peter launched Clawdbot in December 2025, it went viral: users flooded the internet with photos of their Mac mini stacks, configuration screenshots, and bot responses. While Peter himself noted that a Raspberry Pi was sufficient to run the service, most users were drawn in by the promise of seamless integration with the Apple ecosystem. Security risks: the fixable — and the not-so-much As OpenClaw was taking over social media, cybersecurity experts were burying their heads in their hands: the number of vulnerabilities tucked inside the AI assistant exceeded even the wildest assumptions. Authentication? What authentication? In late January 2026, a researcher going by the handle @fmdz387 ran a scan using the Shodan search engine, only to discover nearly a thousand publicly accessible OpenClaw installations — all running without any authentication whatsoever. Researcher Jamieson O’Reilly went one further, managing to gain access to Anthropic API keys, Telegram bot tokens, Slack accounts, and months of complete chat histories. He was even able to send messages on behalf of the user and, most critically, execute commands with full system administrator privileges. The core issue is that hundreds of misconfigured OpenClaw administrative interfaces are sitting wide open on the internet. By default, the AI agent considers connections from 127.0.0.1/localhost to be trusted, and grants full access without asking the user to authenticate. However, if the gateway is sitting behind an improperly configured reverse proxy, all external requests are forwarded to 127.0.0.1. The system then perceives them as local traffic, and automatically hands over the keys to the kingdom. Deceptive injections Prompt injection is an attack where malicious content embedded in the data processed by the agent — emails, documents, web pages, and even images — forces the large language model to perform unexpected actions not intended by the user. There’s no foolproof defense against these attacks, as the problem is baked into the very nature of LLMs. For instance, as we recently noted in our post, Jailbreaking in verse: how poetry loosens AI’s tongue , prompts written in rhyme significantly undermine the effectiveness of LLMs’ safety guardrails. Matvey Kukuy, CEO of Archestra.AI, demonstrated how to extract a private key from a computer running OpenClaw. He sent an email containing a prompt injection to the linked inbox, and then ask