
Excited like so many others by YouTube videos describing how some smart guys set up OpenClaw to make money ($1,000 a day) just by giving it a few directives, then how Sam Altman was so enthralled he bought out the developer, I had to give OpenClaw a try. It turned into a nightmare I want to share with others.
Not sure which medium was best, I bought one of those often-touted one-click OpenClaw installs on Hostinger, and ordered a mini PC (much cheaper than a Mac mini) to install a desktop version. The Hostinger install comes with a default model set that I wanted to change to save money, but there was no obvious way to do it. So I sought tech support and got in a queue so long no one ever got to me. It appears a number of hosting companies are offering OpenClaw without providing sufficiently trained tech support to handle the slew of requests sure to come from baffled customers.
Later I abandoned Hostinger (with a full refund) and found a very economical VPS option on Bluehost. Again the Bluehost team was in no way prepared to provide adequate tech support, and pretty much told me for a bare-bones VPS, I was on my own. Inevitably, Claude crashed and I could not restart it. Tech support said that was not their problem. Another cancellation and refund.
At least my desktop PC version allowed me to restart OpenClaw whenever needed (2-3 times a day) by using PowerShell. I am not a coder, but Gemini walked me through everything with clear, copyable code commands. After giving the desktop version a name (Albert, for Einstein) and seeing what it could do, I asked it to create a daily report on OpenClaw news. This is supposedly a common task for OpenClaw.
Unfortunately one of the sites it found is a spam injection site. Apparently there are many like these on the web, appearing to be sources of OpenClaw news, but having malicious code under the surface. The first time Albert did a report for me, it triggered all kinds of spam alarms on my PC, so I suggested it remove the links and just give me the verbiage. But even after that, every time Albert did anything, the virus software flashed warnings on my screen, asking me to click on them or download McAfee Antivirus or both. I did not realize at first that those large alarm screens were spam themselves, and clicking on them made the problem even worse.
By now I had wasted probably 50 hours trying to get OpenClaw to work somehow, somewhere, always crashing, always having to restart it with PowerShell, making me a nervous wreck and unpleasant to be around. So I turned to Gemini to ask it if Claude is indeed a security risk. Yes indeed, it is one of the greatest security risks anyone can use, whether on a desktop or hosted. Here’s how Gemini put it:
The Hidden Structure of Risk: Why OpenClaw is a Gambler’s Game
While the promise of a local AI agent like OpenClaw is “total control,” the reality is a massive expansion of your digital attack surface. For the average user—or even the sophisticated researcher—the risks fall into three primary categories that are often invisible until the first “virus download” alert appears.
1. The “Open Port” Problem
Most modern software is a walled garden; OpenClaw is a wide-open gate. To function, it often requires a “Gateway” that listens for instructions. If not configured perfectly, this gateway can be discovered by automated botnets scanning the internet. In a matter of seconds, your private AI research tool becomes a beacon for hackers, turning your local PC or VPS into a staging ground for remote attacks.
2. The Supply Chain Trap: “Malicious Skills”
OpenClaw’s power comes from “Skills”—plugins that allow the AI to browse the web or edit files. However, the ecosystem lacks the rigorous vetting of an official App Store. In early 2026, security researchers identified a wave of “poisoned” skills. Once installed, these scripts don’t just help you research; they silently scrape your .env files for API keys to OpenAI, Anthropic, and Notion, exfiltrating your “digital keys to the kingdom” to domains like scocalional.com (a toxic site that was the source of my malware infection).
3. The Fragility of Local Execution
Running a powerful AI agent locally means giving it “God Mode” access to your file system. Unlike cloud-based assistants like Claude or Gemini, which run in a secure, isolated “sandbox,” a local agent runs with the same permissions you have. If the agent is tricked by a malicious prompt (a “Prompt Injection”), it can be instructed to download malware, delete directories, or compromise your network’s security—often without a single warning pop-up.
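The check behind point 1 above, as an added example that is not part of the original post or of OpenClaw: it parses Windows `netstat -ano` output and lists the listening sockets bound to something other than loopback, which are the ones other machines can reach. The sample output, the port numbers and PID 7312 are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output; ports and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:8765           0.0.0.0:0              LISTENING       7312
  TCP    127.0.0.1:9222         0.0.0.0:0              LISTENING       7312
  TCP    192.168.1.20:49812     203.0.113.7:443        ESTABLISHED     7312
  TCP    [::]:8765              [::]:0                 LISTENING       7312
  TCP    [::1]:5000             [::]:0                 LISTENING       2210
"""


def split_endpoint(endpoint):
    """Split '0.0.0.0:80' or '[::]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def listeners(netstat_text):
    """Yield (ip, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ip, port = split_endpoint(fields[1])
            yield ip, port, int(fields[4])


def exposed_listeners(netstat_text, pid=None):
    """Return sorted (port, address) pairs reachable from other machines.

    A loopback bind (127.0.0.1, ::1) only accepts local connections; anything
    else, including the wildcard 0.0.0.0 / ::, accepts them from the network.
    """
    found = set()
    for ip, port, owner in listeners(netstat_text):
        if pid is not None and owner != pid:
            continue
        if not ip.is_loopback:
            found.add((port, str(ip)))
    return sorted(found)


if __name__ == "__main__":
    for port, addr in exposed_listeners(SAMPLE_NETSTAT, pid=7312):
        print(f"PID 7312 listens on {addr}:{port} (not loopback-only)")
```

To use it on a real machine, paste the text printed by `netstat -ano` into `exposed_listeners` and pass the PID of the agent process; an empty result means that process only accepts local connections.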
Like Russian Roulette with all the Chambers Loaded
So, dear friends, be afraid, be very very afraid of OpenClaw, even if you are a coder. It is “not ready for prime time.” Someday in the near future someone, maybe OpenAI or Anthropic or Google, will come out with a safe “local autonomous AI agent.” There is a huge market need for this. In fact I can envision a future where everyone has their own AI agent running on their smartphone like Siri ought to be, and you just ask it to do stuff and it does it safely and efficiently. But for now, OpenClaw is worse than the Wild Wild West. It is playing Russian Roulette with all the chambers loaded. Do not pull the trigger.
