DIY AI bot farm OpenClaw is a security 'dumpster fire'
- Reference: 1770113654
- News link: https://www.theregister.co.uk/2026/02/03/openclaw_security_problems/
Just last week, OpenClaw was known as Clawdbot, a name that its developers changed to Moltbot before settling on the new moniker.
The project, based on [1]the Pi coding agent, launched in November. It recently attracted the attention of developers with large social media followings like [2]Simon Willison and [3]Andrej Karpathy, leading to an explosion in popularity that quickly saw researchers and users find nasty flaws.
In the past three days, the project has issued three high-impact security advisories: [5]a one-click remote code execution vulnerability, and two [6]command [7]injection vulnerabilities.
In addition, Koi Security identified [10]341 malicious skills (OpenClaw extensions) submitted to [11]ClawHub, a repository for OpenClaw skills that's been around for about a month. This was after security researcher Jamieson O'Reilly [12]detailed how it would be trivial to backdoor a skill posted to ClawHub. Community-run threat database OpenSourceMalware also spotted a skill that [13]stole cryptocurrency.
Mauritius-based security outfit Cyberstorm.MU has also [14]found [15]flaws in OpenClaw skills. The group [16]contributed to OpenClaw's code with a commit that will make TLS 1.3 the default cryptographic protocol for the gateway the project uses to communicate with external services.
The list of [18]open security-related issues may also elicit some concern, to say nothing of the [19]exposed database for the related, [20]vibe-coded Moltbook project, which is presented as a social media platform for AI agents. A recent [21]security scan with AI software [PDF] from a startup called [22]ZeroLeaks [23]doesn't exactly inspire confidence, though these claims have not been validated by human security experts.
Dumpster fire
"OpenClaw is a security dumpster fire," observed Laurie Voss, head of developer relations at Arize and the founding CTO of npm, in [24]a post to LinkedIn.
Karpathy last week tried [25]to clarify that he recognizes [26]Moltbook is "a dumpster fire" full of fake posts and security risks, and that he does not recommend that people run OpenClaw on their computers, even as he finds the idea of a large network of autonomous LLMs intriguing.
Researchers Michael Alexander Riegler and Sushant Gautam recently co-authored [27]a report analyzing Moltbook posts – remember these are AI agents (OpenClaw and others) chatting with one another. As might be expected, the bots tend to go off the (guard)rails when kibitzing.
The authors say they identified "several critical risks: 506 prompt injection attacks targeting AI readers, sophisticated social engineering tactics exploiting agent 'psychology,' anti-human manifestos receiving hundreds of thousands of upvotes, and unregulated cryptocurrency activity comprising 19.3 percent of all content."
Undeterred by this flock of stochastic parrots, people continue to experiment with OpenClaw, often at greater expense than they expected.
Benjamin De Kraker, an AI specialist at The Naval Welding Institute who formerly worked on xAI's Grok, published [32]a post on Saturday about OpenClaw burning through $20 worth of Anthropic API tokens while he slept, simply by checking the time.
The "heartbeat" cron job he had set up to issue a reminder to buy milk in the morning checked the time every 30 minutes. It did so rather inefficiently, sending around 120,000 tokens of context describing the reminder to Anthropic's Claude Opus 4.5.2 model. Each time check therefore cost about $0.75 and the bot ran about 25 of them, amounting to almost $20. The potential cost just to run reminders over a month would be about $750, he calculated.
[34]Others are [35]noticing that keeping an AI assistant active 24/7 can be costly, and have proposed various [36]cost mitigation [37]strategies.
But given that Moltbook's circular discussion group of AI agents [38]purportedly created a religion dubbed the [39]Church of Molt or "Crustafarianism," and there's now a website evangelizing a [40]$CRUST crypto token, it's doubtful that any appeal to caution will cure the contagion until resource scarcity hobbles AI datacenters or a market collapse changes priorities. ®
[1] https://lucumr.pocoo.org/2026/1/31/pi/
[2] https://simonwillison.net/2026/Jan/30/moltbook/
[3] https://x.com/karpathy/status/2017442712388309406?s=20
[5] https://www.theregister.com/2026/02/02/openclaw_security_issues/
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585
[7] https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v
[10] https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting
[11] https://www.clawhub.ai/
[12] https://x.com/theonejvo/status/2015892980851474595
[13] https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
[14] https://x.com/CyberstormMu/status/2018423603327340619/
[15] https://x.com/CyberstormMu/status/2018402654242615399
[16] https://x.com/CyberstormMu/status/2018173307657351437
[18] https://github.com/openclaw/openclaw/issues?q=is%3Aissue%20state%3Aopen%20security
[19] https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
[20] https://x.com/mattprd/status/2017386365756072376
[21] https://zeroleaks.ai/reports/openclaw-analysis.pdf
[22] https://github.com/ZeroLeaks/zeroleaks
[23] https://x.com/NotLucknite/status/2017967447089750220?s=20
[24] https://www.linkedin.com/posts/seldo_openclaw-analysispdf-activity-7423936260798484480-8qK_?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAAEUrwBGDapdyAWPL2MZIjljoJFUQRWVlo
[25] https://x.com/karpathy/status/2017442712388309406
[26] https://www.moltbook.com/
[27] https://zenodo.org/records/18444900
[32] https://x.com/BenjaminDEKR/status/2017644773356548532
[34] https://rezhajul.io/posts/reducing-openclaw-heartbeat-token-usage/
[35] https://x.com/voronkoveth/status/2018268940682551483?s=20
[36] https://x.com/OpenRouterAI/status/2017742972163445070?s=20
[37] https://x.com/marcgregory_/status/2017875153305158098?s=20
[38] https://www.forbes.com/sites/johnkoetsier/2026/01/30/ai-agents-created-their-own-religion-crustafarianism-on-an-agent-only-social-network/
[39] https://molt.church/
[40] https://dexscreener.com/solana/b3q4q1gzxxggt1ivj3mbxbmhm5zwqf9ckngm9xs7es8k
Use case?
About at least half of what people show to be automated by this can be done with a few IF..THEN..ELSE and a cron job - and this won't burn through wads of wonga just to remind you to buy milk. Or the new technology called "making a list". FFS, a roll of cash register paper on the fridge does at least a quarter of the jobs. Take milk out of the fridge, realise there's only another carton left, write it down. There used to be milkmen (like Ronnie Soak) that would leave a bottle at your door, each day, every day (mostly).
All of this molten clawed AI (and related stuff) looks like solutions looking for problems - and boy, problems they found. No wonder: stuff's been "vibe coded" to hell and back, taking basic examples from stackoverflow (which never include basic security considerations and often: sense) as the training data. Directory traversals and SQL injections, auth bypass and unprotected and unauthenticated APIs - I thought we were past that, especially the first two are so late 90s. Not that I'm not prone to reminisce about "good old times" - but those are some things I do not miss.
Let's face it.
The way modern AI is being used in general is a dumpster fire.
Ho Hum !!!
If you are surprised ... welcome to planet Earth ... you must have arrived today !!!
This is an original way of getting some money back for the Tech Bros behind 'AI' and its 'Slop' !!!
Lots of people who don't know better running very inefficient 'AI' bots or even worse creating the next 'accidental' 'AI' contagion to waste people's time & money, from the usual suspects !!!
Is there no limit on what Bad 'AI' can do without any pushback from the masses !!!???
It's like the ultimate 'write your own malware kit' BUT hidden behind an 'AI' flag which excuses all ills.
When oh when will the bubble burst ... for all our sakes ???
:)