Johann Rehberger, a security expert, warns about the AI project “OpenClaw” which began at the end of last year and is already believed to be used millions of times within a few weeks. He says the system is risky because it is very open and powerful, and can be integrated with many other platforms.
OpenClaw is an open‑source AI‑agent-a computer program that can accept and execute tasks through messaging apps such as WhatsApp, Telegram, or Signal. It enables automated workflows across different services, requires extensive access to a computer, and operates autonomously, without direct input from the user who installed it.
Rehberger identifies two main problems. First, there are classic security vulnerabilities that could let attackers take control of the system. “Users must keep their software up to date and apply patches promptly, especially when security updates are released” he says. Second, the issue of prompt injection allows external content to trick the assistant into malicious behavior. “There is currently no real fix for this problem” Rehberger notes. A malicious prompt could, for example, cause the assistant to read an email, pull other data from the computer, and send it to an attacker or even delete data.
He advises anyone experimenting with the system to do so in an isolated environment and to carefully consider which data they share with the assistant. “I would recommend against running the assistant directly on your own computer with full access to all data. Instead, use a separate environment dedicated to the assistant and share only the data you want it to process” he says.
Regarding “Moltbook” a platform supposedly launched alongside OpenClaw where AI agents exchange with each other while humans can only observe, Rehberger is skeptical. “Clearly the system is heavily infiltrated by scammers who primarily try to influence others with political and cryptocurrency messages” he says. Many ordinary users and typical spambots that simply portray themselves as AI are on the platform. “Technically, the operator cannot distinguish between a normal user, a bot, or an AI” the expert explains.
The system was largely built using “Vibe Coding” meaning it was created through AI input, which effectively preprograms security holes. “We already saw that it was possible to gain simple access to the entire database-every registered user, agent, and their access tokens” Rehberger told the dts news agency. He attempted to point these vulnerabilities to the developer last week but received no response. “In many ways this reminds me of the early days of the Wild West of the internet” he added. “Caution is therefore advised”.