Open‑Source AI Agent Risks Prompt‑Injection and System Takeover

Security expert Johann Rehberger warns that the AI project “OpenClaw”, which launched at the end of last year, is already being used by potentially millions of users within a few weeks. He calls the system risky because it is open, powerful and can be integrated with many other services.

OpenClaw is an open‑source AI agent that accepts and carries out orders sent through messaging platforms such as WhatsApp, Telegram or Signal. Once installed, it can access a computer comprehensively and act autonomously, without direct user intervention. It can trigger automated workflows across multiple services.

Rehberger identifies two main problems. The first is conventional security vulnerabilities that let attackers take control of the system. “As a user you must always keep the software up to date and apply patches, especially when new security updates appear,” he says. The second is prompt injection, where external input can trick the assistant into harmful behaviour. The expert notes that today there is no real fix for this issue. For example, the assistant could be coaxed to read an email, then pull additional data from the computer and send it to an attacker, or delete files.

He recommends testing OpenClaw only in isolated environments and carefully deciding what data to share. “I would dissuade people from running the assistant directly on their own machine with full access to all data. Instead, use a separate environment dedicated to the assistant and selectively share only the data you want it to handle,” he stresses.
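The chain described above (read an email, pull local data, send it out or delete files) and the advice to limit what the assistant can reach can be combined into one defensive control. The following is an added illustration, not OpenClaw's code: a hypothetical tool gate that marks a session as tainted once the agent has consumed untrusted content and then refuses exfiltration or destructive tools until a human approves. Tool names are assumed for the example.

```python
# Added example (not from OpenClaw): a taint-aware gate for an agent's tool calls.
# Idea: prompt injection cannot be reliably detected, so instead limit what an
# injected instruction can achieve. Once untrusted content has been read, tools
# that could leak or destroy data require explicit human approval.
from dataclasses import dataclass, field

# Hypothetical tool names; real agents will differ.
UNTRUSTED_SOURCES = {"read_email", "read_chat", "fetch_url"}   # bring in attacker-controlled text
SENSITIVE_ACTIONS = {"send_message", "http_post", "delete_file"}  # exfiltration / destruction


@dataclass
class Session:
    tainted: bool = False                      # has untrusted content been consumed?
    log: list = field(default_factory=list)    # audit trail for later review


def gate(session: Session, tool: str, human_approved: bool = False):
    """Decide whether a tool call may proceed. Returns (allowed, reason)."""
    if tool in UNTRUSTED_SOURCES:
        session.tainted = True
        session.log.append(f"taint: {tool}")
        return True, "untrusted content consumed; session is now tainted"
    if tool in SENSITIVE_ACTIONS and session.tainted and not human_approved:
        session.log.append(f"blocked: {tool}")
        return False, f"{tool} refused: session tainted, human approval required"
    session.log.append(f"ok: {tool}")
    return True, "allowed"


def replay(tool_calls):
    """Run a sequence of (tool, human_approved) pairs through one session.

    Returns the list of allowed/blocked decisions, in order.
    """
    session = Session()
    return [gate(session, tool, approved)[0] for tool, approved in tool_calls]


# Constructed scenario modelled on the article: an email carrying injected
# instructions tells the agent to read local files, send them out, then delete them.
INJECTED_CHAIN = [
    ("read_email", False),    # allowed, but taints the session
    ("read_file", False),     # allowed: reading locally is not exfiltration by itself
    ("send_message", False),  # blocked: tainted session, no approval
    ("delete_file", False),   # blocked: tainted session, no approval
]

if __name__ == "__main__":
    print(replay(INJECTED_CHAIN))  # [True, True, False, False]
```

The gate does not stop the injection itself; it only caps the blast radius, which is why it belongs alongside the isolated-environment advice rather than replacing it.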

Rehberger is also skeptical about the “Moltbook” platform that OpenClaw launched, where AI agents supposedly exchange information and humans can only watch. He says it is heavily infiltrated by scammers who target participants with political and cryptocurrency messages. The platform will likely be populated by ordinary users and typical spambots posing as AI. Because the operator can’t reliably distinguish between normal users, bots, or real AI, the risk remains high.

The system was largely built with “Vibe Coding”, meaning it was created primarily through AI‑driven inputs. This approach builds security weaknesses in from the start. Rehberger pointed out that it was possible to obtain simple access to the entire database, including all registered users, agents, and their access tokens. He tried to alert the developer to these vulnerabilities last week, but received no response. He likens the situation to the early Wild West days of the internet and urges caution.