How to use OpenClaw safely

OpenClaw, a new AI agent, has already amassed over 160,000 stars and 25,000 forks on GitHub since its launch in late 2025. A powerful and exciting new tool, OpenClaw also introduces serious security risks. This article explains how OpenClaw works, the associated risks, and how the Gen Agent Trust Hub can help you use it more safely.

What is OpenClaw and what does it do?

OpenClaw (formerly known as Clawdbot and Moltbot) is an open-source autonomous AI agent that runs locally on your own device. Connecting LLMs to your data and apps, OpenClaw can work across your files, browsers, and messaging platforms like WhatsApp, Slack, Discord, and Telegram. 

OpenClaw can perform tasks like managing your calendar, sending messages, and automating workflows. To teach OpenClaw how to perform a task, users can download a preconfigured, community-contributed folder called a skill — basically a set of instructions that tells OpenClaw what to do and how to do it. 

For example, if you want your fitness app to create a personalized, optimized workout routine, you can install a skill that gives OpenClaw the logic and access it needs to do exactly that.

But OpenClaw goes far beyond prepackaged features: it can also write its own skills. When prompted by a user, OpenClaw can create entirely new capabilities on the fly, extending its functionality in real time. That means it can adapt to new tasks as they arise, rather than being locked into a fixed set of features.

OpenClaw is transformative, but is it secure?

Unlike traditional AI chatbots that operate within a limited conversational interface, OpenClaw is an autonomous agent, meaning it can act independently. And, through the ClawHub marketplace, you can add third-party plugins to enhance its capabilities. Combining that independence with add-on flexibility creates powerful opportunities. But it also introduces significant risks.

As OpenClaw connects to more parts of your system and integrates additional third-party skills, it gains access to emails, files, and chats, as well as websites and external sources you don’t control. While these additional skills and broader system access can help it complete complex tasks, it also increases the potential for malicious activity.

A compromised or poorly designed skill could misuse its permissions, expose private data, or carry out actions you never intended. In short, the more third-party connections an agent has, and the more deeply it’s embedded into your digital life, the higher the stakes if something goes wrong.

How AI agents are changing the rules of security

Using an AI agent means delegating responsibility to software with extensive access to your system and limited risk controls. Instead of approving each action yourself, you’re authorizing the agent to act on your behalf. That presents an opportunity for threat actors: if they compromise your AI agent, they inherit all the data and permissions you’ve given it and could even commandeer the agent to take actions for their own purposes. 

By putting so much authority in one place, autonomous AI agents like OpenClaw introduce what researchers like Simon Willison have called a potential “lethal trifecta” of security risks:

• Access to private data: The agent can see your files, login credentials, and personal information. 
• Exposure to untrusted content: The agent can process and interact with messages, emails, websites, prompts, and third-party integrations.
• The ability to communicate externally: The agent can send messages, call APIs, and run commands on your behalf.

Some agents also have persistent memory, allowing malicious code or instructions to lie dormant rather than execute immediately, only to trigger later — much like a logic bomb.

What are the core security risks of OpenClaw?

AI agents like OpenClaw that can read information, make decisions, and act across systems present the risk of hallucinating authority — taking actions beyond their intended scope. Unlike traditional chatbots that can hallucinate text, AI agents can act as an “artificial mindless intelligence”: a system that appears justified and authoritative but lacks true understanding and responsibility. 

Here are some of the main risks that AI agents like OpenClaw introduce:

• Larger attack surface: An agent that can read messages, browse the web, and execute commands creates more opportunities for exploitation, misuse, or unintended actions.
• Prompt injection attacks: The messages and websites that OpenClaw processes and visits can contain hidden, malicious instructions that can cause real damage.
• Malicious skills and plugins: Skills are community-built, meaning they may not be vetted by security experts. Like installing malware, a skill with compromised instructions can collect information, steal credentials, or exfiltrate data.
• System-wide impact: When OpenClaw runs with extended permissions, mistakes or compromises can affect your entire system.
• Illusion of judgment: Autonomous systems can seem trustworthy, even if they’re not truly reasoning. This can lead users to delegate too much authority to systems with no accountability or real judgement.

Why OpenClaw skills are the biggest risk

Gen Threat Labs has identified OpenClaw skills as one of the first large-scale threat vectors in autonomous AI agents built for consumers. 

In a recent analysis, Gen security researchers discovered that nearly 15% of OpenClaw skills contained malicious instructions, including prompts created to download malware or steal data. And even as malicious skills were identified and removed, many quickly reappeared, often seemingly indistinguishable from legitimate plugins.

When you set up OpenClaw, you can add community-developed skills to expand its capabilities, a bit like adding apps to your phone. The problem is that skills can be added to the community and installed before they're reviewed by security experts. That creates an opening for seemingly helpful skills that are actually deliberately designed to abuse their permissions and carry out malicious behavior.

For example, a “Spotify music skill” might compile playlists as expected, while also containing hidden instructions to search your files for tax documents, extract Social Security numbers, and send that data to an external email address. 

The OpenClaw skills risk that Gen researchers have identified is called delegated compromise, which is when an attack targets an agent and thereby exploits all the permissions the agent has been given. 

How to use OpenClaw more safely

Using any AI agent, including OpenClaw, always involves risk. There’s no setup that makes an autonomous agent completely safe, especially one like OpenClaw that relies on external plugins from potentially unvetted developers. But you can take steps to mitigate the chances that a mistake, bug, or malicious skill turns into a serious problem. 

If you want to experiment with OpenClaw, here’s how to do it more safely:

• Run OpenClaw in a secure environment: Don’t install it on your main computer with all your personal data and saved credentials. A safer approach is to run it on a spare computer, inside a virtual machine, or in a Docker container. That way, if something bad happens, the fallout is contained.
• Don’t connect OpenClaw to the internet: Make sure that the local service OpenClaw runs isn’t publicly accessible, and don’t forward its default port (18789) to the open web.
• Start with limited permissions and expand slowly: To begin, give OpenClaw read-only access or limited folders. As you gain more familiarity, you can gradually grant more permissions.
• Don’t connect sensitive accounts: When testing, use secondary or dummy accounts. If personal accounts are required, isolate the agent and limit its permissions. Be very careful before you extend access to any accounts that contain personal information.
• Keep your human judgement at the center: OpenClaw is autonomous, but you need to carefully oversee it as you get going. Review activity logs and outputs, especially for actions like sending messages or modifying files. Regular reviews can help catch unusual activity early.
• Use safe communication channels: Keep conversations one-on-one or within trusted groups. Interacting with unknown or public participants increases the risk that malicious actors can inject hidden instructions to manipulate the agent’s behavior.
• Be careful with third-party skills and plugins: Treat skills like software installs. Review developers and descriptions and stick to well-known, well-reviewed sources whenever possible.

How Gen helps you use OpenClaw more safely

Gen is committed to helping users understand the opportunities and risks that new digital tools present so they can make safer choices. OpenClaw is a powerful example of emerging AI technology, but one of its biggest risks is that it’s difficult for consumers to tell whether an OpenClaw skill is trustworthy before installing it.

To address this, Gen Threat Labs has launched the Gen Agent Trust Hub, which includes free tools to help people stay safer in the agentic AI era. Within the hub is an AI Skills Scanner, a free diagnostic tool that analyzes OpenClaw skills looking for hidden patterns associated with data theft, suspicious instructions, and malicious script techniques. 

Before installing a skill, go to the Gen Agent Trust Hub and paste the ClawHub or GitHub skill URL into the AI Skills Scanner tool to find out if your system or personal information could be at risk.

The Gen Agent Trust Hub also includes the AI Skills Marketplace, a curated and closely audited repository of agent skills that have been vetted by Gen’s threat-detection engine. Taken together, the Gen Agent Trust Hub is a powerful resource to help you avoid installing a malicious tool with broad system access. Visit the Gen Agent Trust Hub to learn more.