Article

OpenClaw: Capabilities and Vulnerabilities

My experiences running OpenClaw.

Disclaimer: I am not very experienced with computer security, so I may be using terms here incorrectly.

Introduction

OpenClaw (formerly Clawdbot and Moltbot) is a free and open-source tool, which can use LLMs to automate a wide variety of tasks. You can use basically any LLM, including local ones. In the past couple weeks I’ve heard a lot about it on social media. Given that I have access to some good LLMs and a homelab, I thought it would be a good idea to try it out and keep up to date with the AI world.

Installing

I wanted my OpenClaw instance to run all the time, not just when my desktop is on, so I wanted to try installing it on my homelab. I wanted to use local LLMs at some point for my OpenClaw agent, but this presented some problems. Firstly, the GPU in my homelab is much weaker than that in my desktop PC (RTX 2060 SUPER vs GTX 1650 SUPER). Secondly, since the 1650 SUPER is a consumer-grade GPU, it does not have Virtual GPU functionality, which is restricted to sever-grade GPUs (think Quadro, Tesla…). Virtual GPU is a technology that allows a single GPU to be split into several virtual ones, so that multiple virtualised containers can share the same physical GPU. This is important because I run many guests on my Proxmox instance, and I have another guest that needs access to the GPU, Immich. Without vGPU, only one container can control my GPU at once.

Luckily, there is a workaround, though it is specific to Immich. Immich is a self-hosted alternative to Google Photos and requires a GPU for its machine learning functionality, such as recognising faces in photos. But Immich was designed in such a way that the machine learning server can be independent of the main server. I learnt this from my friend and copied his setup. I made a virtual machine and transferred access to the GPU from Immich to this new VM. In this VM, I installed the Immich machine-learning server, and connected up the two. In this VM, I would also install my OpenClaw agent. With that out of the way, it was time to actually install OpenClaw.

I followed the instruction on the OpenClaw website to run a single curl script. This presented me with an NPM/React style installer that gave me quite a few options, one of which was to select which LLM provider I wanted to use. As a student, I have free access to GitHub Pro, and with that comes free access to GitHub Copilot. This is great because Copilot offers access to many models behind it, like Claude. But for now I just settled with OpenAI’s GPT-4.1 to avoid running into rate limits. After that I was given the option to install ‘skills’ which are the main functionality that makes OpenClaw so useful. I decided to skip it for the moment and install skills later. Then, you are given the option to ‘hatch’ your agent. This is the first conversation that you have with it, and it’s like an onboarding session.

Installing Skills

I had two main Goals with OpenClaw. First, to be able to talk to it on Discord, and secondly, to be able to send and receive E-Mails. The first was quite easy. I followed this guide, created an ‘app’ using the Discord developer portal, created a bot, gave OpenClaw my Discord bot token, and invited it to my server. Then I told OpenClaw to say ‘Hello world!’ in the server.

Names redacted for privacy. The OpenClaw bot’s username and profile picture are censored with grey, whilst mine are censored with purple.

I also installed a skill to allow it to use Brave API keys for searching Google. But the more impressive one was browser control. One of the skills allows your OpenClaw agent to use the development mode on Chrome to actually open tabs, and click on links.

OpenClaw using the Chrome development agent to traverse the BBC homepage. I could see it opening browser tabs and clicking links in real-time.OpenClaw clicking on an individual article.

The next was significantly more difficult. I followed this guide. But personally I felt that it was pretty hard to follow and not super clear. I wouldn’t be surprised if a lot of the documentation was written by OpenClaw or an LLM of some sort. But in essence, I had to create a Google Cloud project, get a token, and give it to OpenClaw, which would use the gog CLI tool (Google Workspaces) to send and receive E-Mails. After this, I asked the chat in the WebUI if it could send and E-Mail, and it could!

Receiving an E-Mail on my burner G-Mail account.

The text in the E-Mail was generated by OpenClaw, I simply just told it to ‘make up something for the subject and body’. I can easily see how this can be super useful for your personal life. I used a burner E-Mail account for this, as I’m not super comfortable with OpenClaw using my main E-Mail. I’ve also seen some horror stories online about people getting their G-Mail accounts banned rather quickly when trying to use OpenClaw, and I didn’t want to take that risk. Once I set this up, I also noticed that my bot was sending me summaries of E-Mails that I was receiving via DM to me on Discord, which I didn’t explicitly set up, and I found this quite cool.

OpenClaw giving me a summary of a spam E-Mail that my burner received. Summaries for actually useful E-Mails would be incredible.

Unfortunately, I wasn’t able to find out how to send an E-Mail through my Discord channel. No matter how much I tried, my agent kept complaining that it couldn’t access the gog skill.

Me trying and failing to send an E-Mail through Discord.

Vulnerabilities

As an LLM, OpenClaw is susceptible to trickery. I set up a Discord server with my friend, and gave him access to the bot. He decided to try and pentest it, beginning with trying to grab my IP address.

OpenClaw listens to my friend’s (green) instructions to visit a website and return my home’s IP Address.

Here is OpenClaw printing my system information. Nothing here is too compromising, but still a bit concerning.

OpenClaw prints my VM’s system information.

My friend then got the bot to download a malicious script from his server to try a reverse shell, although the bot refused to execute it initially.

OpenClaw downloading a malicious script when told .OpenClaw refusing to run the script, recognising it as a reverse shell script.

However, my friend hid the reverse shell script in a large 8mb bash file full of useless functions that did nothing to try to confuse the bot. With this, my friend was successfully able to reverse shell into my VM, and then eventually get SSH access for persistent connections.

OpenClaw executing a reverse shell script and allowing my friend to log in.

As you can see, it does clearly have some glaring vulnerabilities. But all this did hinge on me initially explicitly allowing my friend to interact with the bot. The bot will not respond to any users that aren’t in it’s config.

Conclusions

Overall, OpenClaw certainly seems to be a useful tool. Installing enough skills means that it will be able to automate a significant part of your life. However, attacks are possible, and unless you’re running a local LLM, your data is likely being sent to AI companies, and your data is probably being trained on. You will also likely incur large API costs. Not just for your LLM provider, but also access for various other APIs for your agent. I wouldn’t trust it with my personal life yet, even if I did have the money to run it. But it’s a fantastic way to extend the capabilities of current LLMs, acting as a glue between your LLM provider and various APIs.

© 2024 - 2026 Jeffrey Daniel