OpenClaw AI is going viral. Don’t install it
A month ago, virtually no one had heard of Peter Steinberger’s personal AI side project. Today, it’s taken the AI world by storm, and it just got support from none other than OpenAI itself.
First known as Clawdbot, then Moltbot, the now-rebranded OpenClaw served as an “I know Kung Fu” moment for its early adopters, who were shaken by the capabilities and potential of the AI-powered tool. In other words, OpenClaw took what was previously an abstract concept – “agentic AI” – and made it real.
This is exciting and even dizzying stuff, and if this story marks the first time you’ve heard of OpenClaw, you definitely shouldn’t install it.
Meet OpenClaw
Developed by Peter Steinberger, an Australian software developer who was just “acquired” by OpenAI (the software itself remains open source), OpenClaw is a tool that lives on your system and, if you let it, can access your most sensitive data, from your email and calendar to your browser and personal files.
OpenClaw works best on a 24/7 system, allowing it to constantly work on your behalf. It can remember who you are and what’s important to use, using easy-to-read “markdown” files (like MEMORY.md and USER.md) to keep track of details like your name, where you live and work, what type of system you’re using, who your family members are, what your favorite color is, and basically anything you want to tell it.
If this story marks the first time you’ve heard of OpenClaw, you definitely shouldn’t install it.
OpenClaw also has a “soul” – or, more precisely, a SOUL.md file that tells the AI (you can choose from Anthropic’s Claude, ChatGPT, Google Gemini, or any other cloud-based or locally hosted LLM) how it should act and present itself, while a HEARTBEAT.md file manages OpenClaw’s long list of activities, allowing it to check your calendar daily, rummage through your inbox every hour, or scour the web for news at regular intervals.
Okay, okay, but so what? Aren’t there a number of AI tools that can go through your email and provide you with hourly updates? There actually is, but OpenClaw brings some game changers.
The first advantage of OpenClaw is the way you interact with it. Rather than having to use a local web interface or the command line, OpenClaw works with familiar chat apps like WhatsApp, Telegram, Discord, Slack, Signal, and even iMessage. This means you can chat with the bot on your phone, anytime and anywhere.
The second is that OpenClaw, when installed using its default configuration, has “host” access to your system, meaning it has the same system-level permissions as you. He can read files, modify and delete them at will, and he can even write scripts and programs to enhance his own abilities. Ask it for a tool that can generate images, check your favorite RSS feeds, or transcribe audio transcripts, OpenClaw won’t just tell you which programs to download, it will go ahead and build them, directly on your system.
In other words, OpenClaw is ChatGPT without a chatbox – or, as the official OpenClaw website puts it, an “AI that can actually do things.”
Now there is already are tools that allow AI to do things, namely “no-code” editors that allow AI to create software and websites with prompts. But Claude Code, OpenAI’s Codex, and Google’s Antigravity are designed to be AI coding aids that do the work while we look over their shoulders, monitoring their every move. OpenClaw, on the other hand, aims to work its magic autonomously, while you’re at work, sleeping, or busy elsewhere. It’s a real AI agent.
Launching OpenClaw without knowing what you’re doing is like handing a bazooka to a toddler.
Personally, I’m blown away by the possibilities of OpenClaw and its inevitable clones and ecosystem. Hell, I’ll tell you right now: this is the future, like it or not.
At the same time, I think launching OpenClaw without knowing what you’re doing is like giving a toddler a bazooka, and I’m not the only one who thinks that.
The key issue is the level of access OpenClaw gains to your system. It sees everything you do and can do everything you do on your computer, right down to deleting individual files or entire directories of them, and is therefore a hallucination away from wreaking havoc on your data.
Although OpenClaw operates under a battery of rules that regulate its behavior and (thanks to a series of new security enhancements) limit its access to a designated “workspace” directory, it is all too easy to change this behavior, and you could unintentionally give OpenClaw god-mode access by inappropriately using “sudo”, Linux’s “superuser” command.
What makes OpenClaw so exciting is also what makes it most dangerous.
OpenClaw is also vulnerable to “rapid injection” attacks, which aim to trick an LLM into ignoring its guardrails and doing things like leaking your private data, installing a backdoor on your system, or even running a root-level “rm -rf” command on your system, which would neutralize your entire hard drive. Then there’s the growing ecosystem of unverified third-party OpenClaw plugins that could be riddled with security vulnerabilities or hiding malicious payloads.
But above all, what makes OpenClaw so exciting is also what makes it most dangerous. It can stay up all day and night on its “heartbeat”, taking your suggestions and implementing them, which can lead to unexpected, surprising, or even destructive results, especially if you have paired OpenClaw with a cheap or free LLM that lacks the context and reasoning capabilities of the more expensive high-end models.
Now, I’m a moderately experienced LLM user and self-hoster, and I haven’t completely installed OpenClaw on any of my machines yet. I’ve played with it, touched it, tinkered with it in an isolated Docker container and chatted with it on Discord, and I’m even trying to make my own version with the help of Gemini and Antigravity. (Whether I actually get anywhere is a subject for another story.)
But as impressed as I am by OpenClaw’s system-wide powers (and believe me, I see the potential), I’m also scared of them, and you should be too.
