Cybersecurity researchers have discovered roughly 1,000 unprotected gateways to OpenClaw, an open-source and proactive AI agent that can be controlled through text conversations with apps like WhatsApp or Telegram. The gateways were found on the open internet, allowing anyone to access users’ personal information. One white hat hacker also reportedly gamed OpenClaw’s skills system, which lets users add plugins for tasks like web automation or system control, to reach the top of the rankings and be downloaded by users around the world. The skill itself was innocuous, but it exploited a security vulnerability that someone more nefarious could have used to cause serious harm.
Access to those gateways would allow hackers to reach the same files and content OpenClaw can access, meaning full read and write control over a user’s computer and any connected accounts, including email addresses and phone numbers. A number of incidents exploiting those vulnerabilities have already been reported.
OpenClaw, originally called Clawdbot, was released in November 2025 by Peter Steinberger, an Austrian-born, London-based developer best known for creating a tool that lets apps display and edit PDFs natively. The launch followed a wave of advances in AI’s ability to interact with files that began in late 2025.
Late last year, many people began experimenting with Anthropic’s Claude Code, an agentic AI that links to a computer’s file system through the terminal or command line and responds to conversational prompts to build large projects independently, with some oversight. The tool excited many users but also discouraged others who were uncomfortable working in a non-graphical interface.
In response, Anthropic set Claude Code to work autonomously on a sibling product, Claude Work, which layers a more user-friendly interface on top. While it has gained some traction, it is a third-party product built by a developer outside Anthropic that has captured the most attention.
Steinberger’s OpenClaw mimics the best features of Claude Code, but with more functionality and the ability to proactively work on tasks without being prompted.
That proactivity is a key differentiator between the tool, which was forced to rename itself Moltbot and then OpenClaw last week after a request from Anthropic, and other AI systems. Its potential has energized the tech sector, driven a spike in Mac Mini sales as a popular way to host the agent, and come to dominate certain corners of X and Reddit.