OpenClaw went from 9,000 to 210,000 GitHub stars in weeks. It's an open-source personal AI agent that plugs into WhatsApp, Slack, Discord, Signal, iMessage, your email. Every channel you use, handled by one self-hosted assistant running on your own hardware. The idea is killer.
Then the security audits started dropping.
The numbers are brutal
512 vulnerabilities found in the first audit. Eight classified as critical. Over 390,000 OpenClaw instances exposed on the public internet, with more than 60% of them exploitable. A one-click remote code execution flaw called "ClawJacked" that lets attackers hijack your agent through a single malicious link. And the skills marketplace? Out of 10,700 listed skills, more than 820 turned out to be straight-up malware: keyloggers, credential stealers, fake wallet trackers that install Atomic Stealer on macOS.
This isn't a security story, though. It's a product story.
Ship everything, protect nothing
OpenClaw shipped a product that does everything and protects nothing. The team focused entirely on "what can this do" and never paused to ask "what happens when this goes wrong." That distinction is the most important product decision you'll make as a solo builder.
I get the temptation. When you're building alone, the pressure to ship is relentless. Every day without users feels like falling behind. So you cut corners. Not because you don't care about security, but because security doesn't have a demo. Nobody tweets about your input validation. Nobody stars your repo because of your WebSocket authentication.
But here's what OpenClaw proved: when your product has access to someone's WhatsApp, email, and Slack, a security flaw isn't a bug. It's a full breach of trust that can kill your product overnight. Chinese government agencies issued official warnings. Cisco, Kaspersky, and every major security firm published takedowns. The rebranding chaos (from Clawd to Moltbot to OpenClaw after Anthropic's trademark complaint about similarity to "Claude") made it worse. Scammers exploited each name change to distribute fake versions loaded with malware.
The concept is right. The execution is terrifying.
A self-hosted AI agent that connects your channels and runs on your hardware? That's the dream. I've wanted exactly this for years. The problem isn't the vision. It's that they treated security as a feature to add later instead of a constraint to build within from day one.
For solo devs and indie hackers, the lesson is concrete: if your product touches user data, the security layer IS the product. Not a nice-to-have. Not a v2 thing. The trust architecture you design on day one determines whether your users stick around after day thirty.
My verdict
I won't be running OpenClaw on anything connected to real accounts. Not yet. Maybe not ever, at least not this version. The concept deserves better execution, and I suspect a fork or well-funded competitor will eventually ship the secure version of this idea. Until then, 210,000 stars mean nothing if 243,000 instances are sitting there waiting to be hijacked.
Ship fast? Absolutely. Ship without thinking about what your product can do to your users when it fails? That's not speed. That's negligence.