OpenClaw is a security nightmare dressed up as a daydream

fs_software 320 points 222 comments March 22, 2026
composio.dev

Discussion Highlights (20 comments)

airstrike

I wonder just how many are compromised and waiting on a command that hasn't been given yet

vessenes

Yes, yes it is. And it's amaaaazing. We're going to have lots of sharp edges getting stuff like this secured, but it is not going to go away. Too useful.

somewhereoutth

I would like a personal assistant on my phone that, based on my usual routine and my exact position, can tell me (for example) which bus will get me home the quickest off the ferry, whether the bridge is clogged with traffic, do I need an umbrella? what's probably missing from my fridge, time to top up transit pass, did I tap in? etc etc. These things would appear on my lock screen when I most probably need to know them. No email stuff, no booking things, no security problems.

rickdg

Related: https://news.ycombinator.com/item?id=47475997

Oarch

Responding to the tweet quoted in the article: why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting. Doing this manually is already pretty trivial, it's more productivity theatre than genuinely life-changing. There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?

dfabulich

> Separate Accounts for your OpenClaw
>
> As I have mentioned, treat OpenClaw as a separate entity. So, give it its own Gmail account, Calendar, and every integration possible. And teach it to access its own email and other accounts. In addition, create a separate 1Password account to store credentials. It’s akin to having a personal assistant with a separate identity, rather than an automation tool.

The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.

Which is to say, there is no way to run OpenClaw safely at all, and there literally never will be, because the "lethal trifecta" problem is inherently unsolvable. https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

bigstrat2003

Not just OpenClaw. Anyone giving an LLM direct access to the system is completely irresponsible. You can't trust what it will do, because it has no understanding. But people don't give a shit, gotta go fast - even if they are going in a bad direction.

chewbacha

This read like an AI generated piece and seems to be an advertisement for their product.

AlienRobot

>it can read my text messages, including two-factor authentication codes. it can log into my bank. it has my calendar, my notion, my contacts. it can browse the web and take actions on my behalf. in theory, clawdbot could drain my bank account. this makes a lot of people uncomfortable (me included, even now).

I think it's interesting that if this was a normal program this level of access would be seen as utterly insane. A desktop software could use your cookies to access your gmail account and automatically do things (if you didn't want to use the e-mail protocols that already exist for this kind of stuff), but I assume the average developer simply wouldn't want to be responsible for such a thing.

Now, just because the software is "AI," nothing matters anymore?

zer00eyz

> In 2025, the number of data compromises in the United States stood at 3,322 cases. Meanwhile, over 278.83 million individuals were affected in the same year by data compromises, including data breaches, leakage, and exposure. While these are three different events, they have one thing in common. As a result of all three incidents, the sensitive data is accessed by an unauthorized threat actor.

Source: https://www.statista.com/statistics/273550/data-breaches-rec...

Between the number of public hacks, and the odious security policies that most orgs have, end users are fucking numb to anything involving "security". We're telling them to close the door cause it's cold, when all the windows are blown out by a tornado.

Meanwhile, the people who are using this tool are getting it to DO WHAT THEY WANT. My ex is non-technical, and is excited that she "set up her first cron job". The other "daily summaries" use case is powerful. Why? Because our industry has foisted off years of enshittification on users. It declutters the inbox. It returns text free of ads, adblock, extra "are you a human" windows, captchas. The same users who think "ai is garbage at my work" are the ones who are saying "ai is good at stripping out bullshit from tech".

Meanwhile we're arguing about AI hype (Sam Altman: AGI promises) and hate (AI can't code at all). The last time our industry got things this wrong was the dot com bubble.

Meanwhile none of these tools have a moat (Claude is the closest and it could get dethroned every day). And we're pouring capital into this that will result in an Uber-like price hike/rug pull, till we scale the tools down (and that is becoming more viable).

love2read

One more "AI is a security threat" post gets to the top of HN.

gos9

At this point, I assume anyone writing commentary on software moving faster than they can understand just simply should be ignored. So when such commentary is advertising a product worth zero

politelemon

The overlap between the target audience for openclaw in spite of its attack surface, and the audience that considers a mac mini to be a sandbox while handing over the keys to their digital life is a Venn Eclipse.

_pdp_

It is, but I thought security wasn't the point. The point was to give it unlimited access to your entire digital life and while I'd never use it that way myself, that's what many users are signing up for, for better or worse. Obviously, OpenClaw doesn't advertise it like that, but that's what it is. Needless to say, OpenClaw wasn't even the first to do this. There were already many products that let you connect an AI agent to Telegram, which you could then link to all your other accounts. We built software like that too. OpenClaw just took the idea and brought it to the masses and that's the problem.

operatingthetan

I'm using openclaw for a personal development system running obsidian. It doesn't have access to anything else. Having an LLM trigger based on crons is very powerful and helps with focus and organizing. The security risks of this setup are lower than most openclaw systems. The real risks are in the access you give it. It's less useful with limited access, but still has a purpose. I know a guy using openclaw at a startup he works at and it's running their IT infrastructure with multiple agents chatting with each other, THAT is scary.

justinhj

As a site for people curious about technology, where is the sense of adventure? People are inventing the future of human/ai interaction themselves because big tech could not do it within their own constraints. Don't get me wrong, those constraints are there for a reason, but the hacker mentality seems muted lately.

robotswantdata

Wasn’t the point of openclaw to YOLO your credentials to the internet? Only ever a creative prompt injection away from a leak. Saw some smarter people using credential proxies but no one acknowledges the very real risk that their “claws” commit cyber crime on their behalf once breached.

rvz

The security issues in OpenClaw are not even the main issue; the hype will die if there is no monetary incentive. Like I said before: If you are spending more money on tokens than the agents are making you money (or not), then it is unfortunately all for nought. The question is, who is making money on using OpenClaw other than hosting?

taurath

I love how despite all this, the author still uses the language:

> We’re simply not there yet to let the agents run loose

As if there aren’t fundamental properties that would need to change to ever become secure.

pama

A thinly veiled ad for yet another variant that inevitably leads to more confusion and yet another future security nightmare. The authors (should) know better. No, the purpose of OpenClaw is not to immediately give it all your private accounts and live in bliss and no, their system is not better long term than following the mainline developments that have enough eyes (and bots) on them by now.
