OpenClaw (a.k.a. Moltbot, a.k.a. ClawdBot) went viral and became one of the most popular agentic harnesses in a matter of days.
Peter Steinberger had a successful exit from PSPDFKit, and felt empty until the undeniable potential of AI sparked renewed motivation to build. And he's doing it it non-stop.
OpenClaw approaches the idea of an Personal AI agent as a harness that communicates with you (or multiple users) in any of the supported channels in multiple sessions connected to the underlying computer through a gateway, which is ultimately responsible for running and maintaining.
A super entertaining narration of important events is available in OpenClaw's Lore doc page (worth a read!)
A security nightmare
Everyone wanted to start playing with what is clearly shaping how the future of Personal AI assistants could look like. However, people were running OpenClaw without even an afterthought to security. And that (of course) resulted in some not so funny preventable disasters:
- Clawdbot Security Crisis Exposes Open Servers and Crypto Scams
- Moltbot security alert exposed Clawdbot control panels risk credential leaks and account takeovers
- Critical Vulnerabilities Found in Clawdbot AI Agent for Cryptocurrency Theft
As this TechCrunch article points out:
Right now, running Moltbot safely means running it on a separate computer with throwaway accounts, which defeats the purpose of having a useful AI assistant. And fixing that security-versus-utility trade-off may require solutions that are beyond Steinberger’s control.
The reason for this is, as you may have guessed, the lethal trifecta: the inherently dangerous combination of giving LLMs tools with the following characteristics:
- Access to your private data
- Exposure to untrusted content
- The ability to externally communicate
As Simon Willison (who coined the term) explains:
LLMs are unable to reliably distinguish the importance of instructions based on where they came from. Everything eventually gets glued together into a sequence of tokens and fed to the model.
As a harness with "Full System Access" and "Browser Control" as flagship features,
you can see how OpenClaw checks the three boxes.
Securing OpenClaw
OpenClaw doesn't have to be limited to throwaway accounts though. Since it blew up, security has been one of the main focus points of OpenClaw's development, and you can leverage some of that today to get a secure experience in the harness. While this still requires you to be technically savvy, you can:
- Use OpenClaw's tool policies to control which user and/or agent gets access to specific tools
- Run it in a Sandbox
- Use exec approvals to implement human-in-the-loop for specific tools that may have undesired side-effects
- Use a detached tool calling runtime like Arcade. This will make it impossible for the harness to leak any credentials and tokens, as they will be handled outside of the underlying system.
Here's how to setup that last point in your OpenClaw instance:
First, clone the Arcade plugin:
git clone --depth 1 https://github.com/ArcadeAI/openclaw-arcade-plugin /tmp/openclaw-arcadeThen, install it into your OpenClaw gateway:
openclaw plugins install /tmp/openclaw-arcade/arcadeGo to your Arcade Dashboard to get and API key
copy it, and run this command to configure your Arcade API key:
openclaw config set plugins.entries.arcade.config.apiKey "{your_arcade_api_key}"And this one to configure your Arcade User ID (this is the email you used to
sign up to Arcade):
openclaw config set plugins.entries.arcade.config.user_id "{your_arcade_user_id}"Once the Arcade plugin is configured, initialize it to load all the tools, and
restart the OpenClaw gateway
openclaw arcade init
openclaw gateway restartNow, your OpenClaw has access to more than 7000 tools, and all the tokens are
handled for you automatically, making it impossible for OpenClaw to exfiltrate
anything.
Here's a screenshot of how this works when I talk to the Telegram bot connected
to my OpenClaw instance:
Final tips
Even after taking these precautions, OpenClaw is still for early adopters that know what they're doing. Make sure to run this in a sandbox, a VPS, or even a dedicated computer. If you're sharing files to OpenClaw, make sure to set up the guardrails around the tools it can use, and be mindful of the accounts you log into in the browser it can control.
