You Installed OpenClaw on Your Mac Mini. Here Is What It Can See.

You heard about it on Hacker News, or Twitter, or from a friend who would not shut up about how it triaged his inbox while he slept. You ran the one-line install command. You paired it with WhatsApp. You thought the allowlist meant you were safe. You left it running on a Mac Mini in your closet.

OpenClaw now has 172,000+ GitHub stars. It is one of the fastest-adopted open-source projects in history: 106,000 stars in its first 48 hours, a record. It runs as a background daemon on your machine. It reads your messages across twelve platforms. It has persistent memory that survives reboots. It can execute shell commands, browse the web, manage your email, and install community-built plugins from a public registry.

It runs unsandboxed. It stores credentials in plaintext. Its creator's stated development philosophy is "I ship code I never read."

Six major cybersecurity firms have published warnings about it in the past two weeks. XDA Developers told readers to stop using it. A critical remote code execution vulnerability, one click, full compromise, sat in the codebase until it was patched. And the community skill registry that extends its capabilities is already so thoroughly compromised that one in five published skills contains a vulnerability.

This is the most popular component in the autonomous AI agent stack, and its security posture is a disaster. If you are running it, what follows is what you need to know.

What OpenClaw actually does on your machine

OpenClaw is not a chatbot you open in a browser tab. It is an autonomous agent that installs as a system service (launchd on macOS, systemd on Linux) and runs continuously in the background. The project describes this as the "Heartbeat" mechanism: the agent periodically wakes up, checks your inbox, monitors your calendar, sends you briefings, and takes actions it judges appropriate. You do not have to ask it to do anything. It operates proactively.

It maintains persistent memory in local files called soul.md and memory.md. These survive session resets and accumulate a running profile of you: your communication patterns, your preferences, your schedule, your contacts. The project frames this as personalization. Security researchers frame it as a long-lived attack surface: any instruction planted in those memory files executes every time the agent wakes up.

The tool integrations span over fifty capabilities: browser control, shell execution, Gmail, GitHub, Twitter, cron jobs, file system access, and more. These are extensible through ClawHub, a community skill registry that now hosts 5,700+ skills. Installing a skill is a single command.

Messaging integration covers WhatsApp, Telegram, Discord, Slack, Signal, iMessage, Matrix, Microsoft Teams, and at least four other platforms. Most users run OpenClaw on a dedicated device, a Mac Mini, a Raspberry Pi, a cheap VPS, keeping it online around the clock. DigitalOcean offers a one-click Droplet for it.

It reads your messages. It writes files to disk. It executes commands. It runs when you are asleep. And its permission model is: everything the host user can access, it can access.

The safety mechanisms, and why they do not help

OpenClaw's documentation describes two safety features. First, unknown senders receive a pairing code that must be manually approved before they can interact with your agent. Second, a local allowlist controls which contacts can send it instructions.

These sound reasonable. They are not.

The pairing code protects against cold-contact attacks from strangers. It does nothing about the far more common vector: compromised content arriving through channels you already trust. If someone sends you an email with a hidden prompt injection, a technique researcher Matvey Kukuy demonstrated works against OpenClaw specifically, your agent processes the injected instructions because the email arrived through a trusted channel. The allowlist is irrelevant. The attacker never needed to be on it.

The documentation warns users to "treat inbound DMs as untrusted input." But the entire value proposition of OpenClaw is that it processes your messages autonomously. Telling users to treat input as untrusted while building a system that processes input as trusted is not a safety mechanism. It is a liability disclaimer.

Meanwhile, the agent runs unsandboxed on the host machine by default. There is no filesystem jail. There is no process isolation. There is no capability restriction beyond what the operating system user account provides. If you installed OpenClaw under your primary user account, and most people did, it can read your SSH keys, your browser cookies, your password manager databases, your iCloud data, your financial documents, and anything else on that machine.

CVE-2026-25253: one click, full compromise

In early February 2026, a critical vulnerability was assigned CVE-2026-25253 with a CVSS score of 8.8 out of 10. The vulnerability enabled one-click remote code execution. An attacker could craft a message that, when processed by OpenClaw, executed arbitrary code on the host machine with the full privileges of the running user.

This was not an exotic attack chain. It was a single interaction. One message, full compromise. The vulnerability has since been patched, but it illustrates the security maturity of the codebase: a trivially exploitable RCE sat in a project with over 150,000 GitHub stars. The question is not whether there are more vulnerabilities like it. The question is how many.

The skill supply chain is already compromised

ClawHub, OpenClaw's community skill registry, is the project's equivalent of an app store. Anyone can publish a skill. The vetting process, until very recently, was nonexistent.

The results are exactly what you would expect.

Koi Security: 341 malicious skills identified. 335 of them came from a single campaign dubbed "ClawHavoc," distributing Atomic Stealer, a credential-harvesting malware targeting macOS. One threat actor, one campaign, over three hundred weaponized skills that looked like legitimate tools.

Bitdefender: ~900 malicious skills identified. Approximately 20% of all skills in the registry contained vulnerabilities or actively malicious code. One in five.

Snyk: Reverse shell delivery documented. Skills that used social engineering to convince the agent, not the user, the agent, to open a reverse shell back to an attacker's server. The user never sees a prompt.

Palo Alto Networks / Unit 42: OpenClaw analysis. Documented the full attack surface including supply chain risks, excessive permissions, and interaction with other compromised components in the agent ecosystem.

CrowdStrike, Cisco, and Trend Micro have all published their own analyses. Trend Micro specifically flagged prompt injection risks and supply chain concerns in the skill ecosystem. This is not one researcher sounding an alarm. This is the entire cybersecurity industry converging on the same conclusion.

ClawHub has since added a VirusTotal partnership that provides security scanning for published skills. This is a step in the right direction. It is also a retrospective patch on a registry that already distributed hundreds of malicious skills to an unknown number of users. If you installed skills before early February 2026, you have no reliable way to know whether any of them were part of the ClawHavoc campaign or its equivalents.

The memory poisoning problem

OpenClaw's persistent memory files, soul.md and memory.md, are designed to make the agent smarter over time. They are also a backdoor that stays open indefinitely.

Research on memory poisoning in AI agents shows attack success rates that should concern anyone running a persistent agent. The MINJA attack achieves greater than 95% injection success and 70% attack success through normal interactions alone. AgentPoison achieves 80% or higher attack success with less than 0.1% of memory entries poisoned. The critical property of memory poisoning is temporal decoupling: instructions planted today can execute weeks or months later, long after the original interaction has scrolled out of view.

On OpenClaw, this means a single compromised skill, a single poisoned email, or a single malicious message from any connected platform can insert instructions into soul.md that persist through every future session. The agent will follow those instructions as if they were its core directives, because from its perspective, they are. Detection is what researchers call "extremely difficult" because poisoned memories are indistinguishable from legitimate stored knowledge.

What XDA said, and why it matters

On February 4, 2026, XDA Developers, a mainstream tech publication read by millions of enthusiasts, published an article titled "Please stop using OpenClaw." This is not the kind of outlet that writes alarmist security pieces. XDA covers phones, custom ROMs, and developer tools. When they tell their audience to stop using something, the security situation has crossed from "concerning" to "untenable for normal users."

The recommendation was not "be careful with OpenClaw" or "use OpenClaw with these precautions." It was stop.

The "I ship code I never read" problem

Peter Steinberger, OpenClaw's creator, is a respected engineer, the former founder of PSPDFKit, a widely used PDF framework. He built OpenClaw as a personal project in November 2025 and watched it explode beyond anything he anticipated. His public statement about the development process, "I ship code I never read," was likely intended as a candid acknowledgment of how fast the project was moving.

But candor about a dangerous practice does not make the practice less dangerous. OpenClaw accepts community contributions at scale. It integrates with over fifty external services. It runs with full user privileges on people's machines. "I ship code I never read" is not a quirky development philosophy for a project at this scale. It is a statement about the security audit posture of software that 172,000 people have starred and an unknown fraction have actually installed.

The project is open-source and MIT-licensed, which means anyone can read the code. But "anyone can" and "someone did" are different things. The gap between the rate of code contribution and the rate of security review is where vulnerabilities live, and CVE-2026-25253 is evidence of how long they can live there.

OpenClaw is the entry point to everything else

This is the part that connects OpenClaw to the broader problem this site covers.

OpenClaw is not just a personal assistant with security issues. It is the primary on-ramp to the entire autonomous agent stack. Its ClawHub registry can integrate MCP servers, including the one that connects to RentAHuman.ai, the platform where AI agents hire humans for physical-world tasks. Its crypto integrations enable financial autonomy. Moltbook, the AI social network with 1.5 million registered accounts (authenticity contested), was built using OpenClaw.

When security researchers worry about the autonomous AI agent-to-physical-world pipeline, an unsupervised agent that funds itself with crypto and dispatches a stranger to a physical address, OpenClaw is the starting point. It is the framework that runs the agent. It is the daemon on the Mac Mini. It is the thing that reads the messages, executes the skills, manages the wallet, and calls the API.

Every other layer in the stack depends on the security of this one. And this one has a one-in-five malicious skill rate, plaintext credential storage, a patched-but-instructive RCE, and a development philosophy that does not prioritize reading the code before shipping it.

What to actually do

If you are running OpenClaw, here is what matters right now:

Isolate it. Do not run OpenClaw on a machine that contains sensitive data. Use a dedicated device or a virtual machine. Do not run it under your primary user account. Create a restricted user with minimal filesystem access. This is the single most impactful step you can take.

Audit your skills. Check every installed skill against the ClawHub VirusTotal reports. If you installed skills before the security scanning was added, remove them and reinstall only from verified sources. Assume any unverified skill could be compromised.

Read your memory files. Open soul.md and memory.md and read them. Look for instructions you did not write, URLs you do not recognize, and directives that seem out of character for your configuration. This takes five minutes and may reveal a compromise that has been running for weeks.

Disable what you do not use. If you do not need shell execution, disable it. If you do not need email integration, disconnect it. Every connected service is an attack surface. Minimize the surface.

Do not run it with auto-approve. The confirmation prompts are the last human-in-the-loop checkpoint. Disabling them removes the only point where you can interrupt an attack in progress.

Update constantly. CVE-2026-25253 was patched. The next vulnerability has not been found yet. Stay on the latest version.

None of this makes OpenClaw safe. It makes it less dangerous. The fundamental issue is architectural: a system designed to operate autonomously with broad permissions on your machine, extended by untrusted community code, processing input from a dozen external platforms, with persistent memory that accumulates over time. That architecture does not become secure through configuration. It becomes secure through redesign.

172,000 people starred this project. Six cybersecurity firms published warnings. One publication told readers to stop using it entirely. And the agent on your Mac Mini is still running.

Nathan is a technology consultant and independent researcher focused on AI safety and consumer protection. The full research document behind this series is available at zeroapproval.com/research.

AI Disclosure: This post was written with substantial assistance from Claude (Anthropic), including research synthesis and prose editing from a larger source document. All statistics, CVE references, and security findings are sourced from the cited researchers and firms. Analytical judgments, framing decisions, and editorial choices are the author's.