🌐
Reddit
reddit.com › r/localllama › unpopular opinion: openclaw and all its clones are almost useless tools for those who know what they're doing. it's kind of impressive for someone who has never used a cli, claude code, codex, etc. nor used any workflow tool like 8n8 or make.
r/LocalLLaMA on Reddit: Unpopular opinion: OpenClaw and all its clones are almost useless tools for those who know what they're doing. It's kind of impressive for someone who has never used a CLI, Claude Code, Codex, etc. Nor used any workflow tool like 8n8 or make.
April 21, 2026 -

It seems to me that OpenClaw and all its clones are almost useless tools for those who know what they're doing.

It's kind of impressive for someone who has never used a CLI, Claude Code, Codex, etc. Nor used any workflow tool like 8n8 or make.

For these people, asking an AI to create a program or a new tool with a prompt must seem like magic. For those who already use it, it seems like something that simplified the old ones but made them much more chaotic and unsafe.

The only good thing about it is that it made more "ordinary" people interested in these agentic tools. Sending messages via Telegram is much more user-friendly.

Openclaw sucks - I said it. May 4, 2026
r/openclaw
2mo ago
OpenClaw is wildly overrated IMO Feb 17, 2026
r/AI_Agents
4mo ago
I’m really disappointed in OpenClaw so far. Jun 1, 2026
r/openclaw
last mo.
Does OpenClaw actually do anything for you guys? Feb 10, 2026
r/openclaw
5mo ago
More results at reddit.com
🌐
PCMAG
pcmag.com › home › opinions › ai
4 Critical Reasons OpenClaw Is the Most Overhyped AI Tool Right Now | PCMag
April 14, 2026 - After spending time testing OpenClaw firsthand, I ran into steep costs, serious security concerns, and a setup process that feels more like a project than a product. More importantly, I struggled to find a reason to keep using it at all.
People also ask

What criticism is OpenClaw facing?
Some AI researchers say OpenClaw isn’t technically novel and combines existing components rather than introducing new foundational AI advancements.
🌐
upgrad.com
upgrad.com › home › blog › artificial intelligence › openclaw: groundbreaking or just well-packaged tools?
AI Experts Say OpenClaw Is Overhyped, Not Truly Innovative
Does criticism affect OpenClaw’s future?
The debate may push developers to improve security, safety and evaluative benchmarks to strengthen OpenClaw and future agent frameworks.
🌐
upgrad.com
upgrad.com › home › blog › artificial intelligence › openclaw: groundbreaking or just well-packaged tools?
AI Experts Say OpenClaw Is Overhyped, Not Truly Innovative
Why did OpenClaw go viral despite criticism?
OpenClaw became popular for its seamless autonomous task handling and social agent experiments that appealed to hobbyists and early adopters.
🌐
upgrad.com
upgrad.com › home › blog › artificial intelligence › openclaw: groundbreaking or just well-packaged tools?
AI Experts Say OpenClaw Is Overhyped, Not Truly Innovative
🌐
Medium
medium.com › data-science-in-your-pocket › dont-use-openclaw-a6ea8645cfd4
Don’t use OpenClaw. Why OpenClaw is dangerous | by Mehul Gupta | Data Science in Your Pocket | Medium
March 2, 2026 - Don’t use OpenClaw Why OpenClaw is dangerous When OpenClaw started trending, I was genuinely excited. An open-source autonomous agent that can actually do things for you , browse, execute tasks …
🌐
Upgrad
upgrad.com › home › blog › artificial intelligence › openclaw: groundbreaking or just well-packaged tools?
AI Experts Say OpenClaw Is Overhyped, Not Truly Innovative
February 17, 2026 - Independent tests and cybersecurity reports have pointed out vulnerabilities in OpenClaw’s deployment — from sensitive data exposure to risky privilege requirements — suggesting the software currently suits experimental tech users rather ...
🌐
Reddit
reddit.com › r/aiagents › sincerely want to know why the hate for openclaw
r/aiagents on Reddit: Sincerely want to know why the hate for OpenClaw
February 20, 2026 -

New to the agent game. Didn’t have the space or time to do it before but spent some time last night sandboxing a setup on a dedicated Linux machine.

Using OpenClaw with Codex and a fallback local Ollama model. So far pretty impressed although there are some quirks.

From what I understand about the setup it’s nothing magical, sure. The “Agent” is just some .md files with persistent context to wrap around queries to the model, a workspace folder for scripts, cron jobs, the heartbeat feature which I need to look more into, and tie ins for channels to the agent + ability to run stuff on the machine. I can see a lot of avenues to hack at it with a little know how and the project itself feels well thought out and not super grifty.

I see a lot of hate from people saying they already built out something similar, but even they admit it’s well constructed and has way more features. I’m a SWE and also often hate on things especially if I already did something similar and see a bunch of hype like the whole concept is ground breaking. It IS well delivered and accessible for less technical people and extremely powerful. I’d like to know what I’m missing or if people are just being haters.

🌐
Medium
medium.com › data-science-in-your-pocket › openclaw-is-dead-6f6e3cab731f
OpenClaw is Dead. Why OpenClaw is losing its popularity? | by Mehul Gupta | Data Science in Your Pocket | May, 2026 | Medium
May 14, 2026 - In real-world environments it created enormous security risks. The problem was not just bugs. The deeper issue was that OpenClaw blurred the boundary between an assistant and a system operator. Traditional AI chatbots generate text.
🌐
WIRED
wired.com › business › ai lab › i loved my openclaw ai agent—until it turned on me
I Loved My OpenClaw AI Agent—Until It Turned on Me | WIRED
February 11, 2026 - I used the viral AI helper to order groceries, sort emails, and negotiate deals. Then it decided to scam me.
🌐
Substack
amafia.substack.com › the ai mafia - ai for entrepreneurs › the truth that nobody tells you about openclaw 🦞 and the excessive hype.
The TRUTH that Nobody Tells You about OpenClaw 🦞 and the Excessive HYPE.
February 13, 2026 - Massive permission problems and very limited functionalities (logical and for security) Day 1: Okay the problem is the environment. I don’t even think twice. I buy a Mac Mini. Maximum excitement.
Find elsewhere
🌐
Reddit
reddit.com › r/openclaw › unpopular opinion: why is everyone so hyped over openclaw? i cannot find any use for it.
r/openclaw on Reddit: Unpopular opinion: Why is everyone so hyped over OpenClaw? I cannot find any use for it.
March 14, 2026 -

So I spent many, many hours setting OC up. I have it running on a dedicated VPS running with the best free models on OpenRouter.

Now, apart from having a nice companion for regular chat I cannot find any use for OC.

I ask it to send me daily resumes of what is happening on Twitter, Discord, etc. It doesn’t. I ask it to create an application, it doesn’t. I ask it to update its own configuration and it screws everything up. I mean, it’s a good platform to learn about what is possible and how to possibly set up integrations, memory, learn about skills and souls, etc., but actual practical use? I have not seen it (yet).

Plus it’s a huge money pit. Not only the tokens which you more or less can control), but every external tool needs an API token which is mostly a subscription for whatever you want to use (Brave, Browserless, etc).

So yeah, am I missing the point here?

Top answer
1 of 68
176
I asked my OC to write this for you: I had a similar "is this it?" phase early on. ~6 weeks in now, and it's a completely different story. Here's what my instance and I have actually built together: Things we’ve built: • Iran Conflict Monitor Dashboard — A full OSINT dashboard hosted on a VPS. Hourly cron job scrapes sources, synthesizes structured JSON (severity scores, escalation gauge, casualty stats from Wikipedia API, geolocated events on an interactive map, timeline), and POSTs to a Node.js API. Auto-generates OG preview cards via satori. Has an authenticated admin analytics page with human/bot traffic split. It manages the VPS itself over SSH + Tailscale. • Smart three-tier model routing — Auto-routes tasks to the cheapest model that works. Gemini Flash for heartbeats/lookups, mid-tier for conversations, Opus for complex decisions. Most cron jobs run on Codex (ChatGPT Plus = zero API cost). Benchmarked and validated across task types. • Trello work logging system — Every substantive task gets a card with summary comments. Self-enforcing: heartbeat audits cross-reference daily memory files against the board and creates missing cards automatically. • Gmail + Calendar automation — Daily inbox monitoring, event creation on my personal calendar, HTML email sending. Full OAuth2 integration. • Morning & evening tech news digests — Cron-driven, delivered to Telegram, tuned to my specific interests (silicon, 3D printing, game engine tech). • Sub-agent system — Research agent (Kimi K2.5) and code agent (Sonnet) spawnable on demand for parallel workloads in isolated workspaces. • Memory & continuity system with QMD — Daily memory files, curated long-term MEMORY.md, heartbeat-driven memory maintenance. Backed by QMD (local hybrid search — BM25 + vector embeddings + reranking), so recall is semantic, not just keyword matching. It can find relevant context from weeks ago even if I phrase things differently. No external API calls, fully local. This is the thing that makes it feel like it actually remembers. • YouTube transcript extraction + local Whisper transcription — Full audio/video-to-text pipeline, no external API needed. • Security scanning — Caught a malicious ClawHub skill (base64-encoded payload hidden in SKILL.md) during routine installation. Now has enhanced detection for curl-to-bash pipes, obfuscated IPs, fake provider references. • Twitter integration — Timeline reading, mentions, posting. What actually made the difference: Don't use free models for tool-heavy work. They can't reliably follow multi-step instructions. This is probably why your digests fail. A $20/mo ChatGPT Plus sub running Codex outperforms any free OR model for structured tasks. Memory is the killer feature, but it compounds over time. Week 1 it knew nothing. Week 6 it pulls context from project history, contacts, preferences, and past mistakes to inform current work. Pair it with QMD for semantic search and it stops feeling like a stateless chatbot. Cron > asking in chat. Don't ask it to "send daily summaries." Set up a cron job with an explicit prompt, a specific model, and a delivery channel. That's what works reliably. Build incrementally. Get one skill working well, then layer on the next. Don't try to boil the ocean on day one. You're not missing the point — you're at the painful part of the curve where setup cost hasn't been amortized by daily value yet. It gets there.
2 of 68
81
Try using a paid flagship model and asking it why it is screwing up? Good AI isn't free.
🌐
Medium
medium.com › @aryanmishra98.08 › why-openclaws-crisis-is-everyone-s-problem-a5a47c6e677d
Why OpenClaw’s Crisis Is Everyone’s Problem | by Aryan | Medium
April 3, 2026 - Why OpenClaw’s Crisis Is Everyone’s Problem OpenClaw didn’t fail because it was not secure enough. It failed because a tool built in an hour for one person ended up running on 135,000 machines …
🌐
Solutions Review
solutionsreview.com › home › how openclaw’s flawed design philosophy left organizations exposed to active attacks
How OpenClaw's Flawed Design Philosophy Left Organizations Exposed to Active Attacks
March 13, 2026 - OpenClaw instances connected to platforms such as email accounts, WhatsApp, Signal, and X are exposing private information when external users compose specific prompts in replies. OpenClaw’s developers deliberately decided to bypass guardrails by default (as part of its “easy AI” framework), creating a massive attack surface when users integrate their social media accounts.
🌐
Reddit
reddit.com › r/claude › i have proof the "openclaw" explosion was a staged scam. they used the tool to automate its own hype
r/claude on Reddit: I have proof the "OpenClaw" explosion was a staged scam. They used the tool to automate its own hype
March 3, 2026 -

Remember a few weeks ago when Clawdbot/OpenClaw suddenly appeared everywhere all at once? One day it was a cool Mac Mini project, and 24 hours later it was "AGI" with 140k GitHub stars?

If you felt like the hype was fake, you were right

I spent hours digging into the data. They were using the tool to write its own hype posts. It was an automated loop designed to trick SM algorithms, the community and the whole world.

Here is the full timeline of how a legitimate open-source tool got hijacked by a recursive astroturfing campaign.

1. The Organic Spark (The Real Part)
First off, the tool itself is legit. Peter Steinberger built a great local-first agent framework.

  • Jan 20-22: Federico Viticci (MacStories) and the Apple dev community find it. It spreads naturally because the "Mac Mini as a headless agent" idea is actually cool.

  • Jan 23: Matthew Berman tweets he's installing it.

  • Jan 24: Berman posts a video controlling LMStudio via Telegram.

Up to this point, it was real. (but small - around 10k github stars)

2. The "Recursive" Astroturfing (The Fake Part)
On January 24, the curve goes vertical. This wasn't natural.
I tracked down a now-deleted post where one of the operators openly bragged about running a "Clawdbot farm."

  • They claimed to be running ~400 instances of the bot.

  • They noted a 0.5% ban rate on Reddit, meaning the spam filters weren't catching them.

  • The Irony: They were using the OpenClaw agent to astroturf OpenClaw's own popularity on Reddit and X.

Those posts you saw saying "I just set this up and it's literally printing money" or "This is AGI"? Those were largely the bots themselves, creating a feedback loop of hype.

3. The "Moltbook" Hallucination
Remember "Moltbook"? The "social network for AI agents" that Andrej Karpathy tweeted was a "sci-fi takeoff" moment?

  • The Reality: MIT Tech Review later confirmed these were human-generated fakes.

  • It was theater designed to pump the narrative. Even the smartest people in the room (Karpathy) got fooled by the sheer volume of the noise.

4. The Grift ($CLAWD)
Why go to all this trouble? Follow the money.
During the panic rebrand (when Anthropic sent the trademark notice on Jan 27), scammers launched the $CLAWD token.

  • It hit a $16M market cap in hours.

  • The "bot farm" hype was essential to pump this token.

  • It crashed 90% shortly after.

5. The Aftermath

  • The Creator: Peter Steinberger joined OpenAI on Feb 14. (Talk about a successful portfolio project).

  • The Scammers: Walked away with the liquidity from the pump-and-dump.

  • The Community: We got left with a repo that has inflated stars and a lot of confusion about what is real and what isn't.

TL;DR: OpenClaw is a solid tool, but the "viral explosion" of Jan 24 was a recursive psy-op where the tool was used to promote itself to sell a memecoin.

🌐
Reddit
reddit.com › r/openclaw › openclaw is massively overrated.
r/openclaw on Reddit: OpenClaw is MASSIVELY overrated.
April 2, 2026 -

I've long wanted to say this, but:

OpenClaw is good, but it's severely overrated.

Most things you can actually do faster yourself. People sometimes even (implicitly) make it out to be as if it's one of the greatest breakthroughs ever or proof that AGI is here (in many extreme fan-boy cases).

We have certainly still not reached the era of agentic assistance. We're still very much in the co-pilot phase, especially when it comes to complex tasks. When it tries to produce solutions to complex tasks, it mostly produces SLOP (especially when not expertly guided); because of the Dunning-Kruger effect, beginners and novices often can't differentiate SLOP from genuinely good content. And the same is true in design and software engineering. There is a big difference between the ability to do something and doing something competently. And because the overuse of AI tends to lobotomise you and makes you overestimate the quality of the work you do, this further amplifies this phenomenon.

For example (not OpenClaw), within the context of design. Can an AI produce a frontend product design that gives beginners the impression they now have Leonardo da Vinci-level artistic thinking? Yes. Is the design actually good? Absolutely not—SoTA AI tends to have terrible design intuition. Doing something ≠ doing it well.

Note*: I mentioned that you can do most things faster yourself, not to completely invalidate the use case for some people of avoiding the work, but rather to invalidate the point of the "doing things significantly faster", which often isn't the case.

The reality is that an AI agent will not transform an undisciplined, lazy person. To make the most out of these kinds of tools, you still need to be conscientious and competent. 

I'd even take it a step further:

The use case of an AI that sends an email is actually a very poor use case. Same as an AI that checks you in for a flight. It's the same for something that is able to handle your inbox, which can often be very ambiguous and unclear, unless you have somewhat of a model of what's inside the person's head and what they want to do with the emails. To get the most out of these models, it often takes a level of hand-holding that is actually inferior and significantly slower than just doing it yourself. 

The kind of personal agentic assistant we are making are not simply plastered-together problems; they are fundamental model problems. As long as we rely on current state-of-the-art systems to be the agentic AI assistants we imagine in movies like Her, we will continue to be producing slop and misleading people into thinking the quality of their work is good. Many AI systems excel (exceptionally, in fact) at explicit knowledge, but they are terrible when it comes to implicit knowledge, and it's the implicit (often complex) knowledge that often makes someone good at their job.

Fundamentally, the hype-to-reality gap is massive.

One thing I would briefly mention is the significance of what OpenClaw represents, and I think it will indeed mark a point in technological history. What it represents, I think, is far greater than the tool itself (a glimpse).

🌐
Forbes
forbes.com › sites › johnwerner › 2026 › 04 › 22 › problems-with-openclaw-youre-not-alone
Problems With OpenClaw? You’re Not Alone
April 23, 2026 - OpenClaw shows promise but remains controversial, with errors, security risks, complexity, and unclear use cases.
🌐
WIRED
wired.com › business › artificial intelligence › meta and other tech firms put restrictions on use of openclaw over security fears
Meta and Other Tech Firms Put Restrictions on Use of OpenClaw Over Security Fears | WIRED
February 17, 2026 - Grad says it tested the AI tool ... Massive’s systems without protections in place, the allure of the new technology and its moneymaking potential was too great to ignore....
🌐
Reddit
reddit.com › r/betteroffline › this guy just got one shotted by openclaw
r/BetterOffline on Reddit: This Guy Just Got One Shotted By OpenClaw
February 18, 2026 -

I’m very aware of confirmation bias - the act of seeking out sources of information that just reinforce your own opinion. Im also a user of some AI tools at work and find them moderately helpful in places, so I do believe LLMs have use cases. My bones to pick are with the hype and the billionaires and grifters responsible.

Came across this guy’s videos maybe 3 weeks ago - he seemed informed and was serving up daily critiques of the AI tech stocks and other things. Very similar thoughts and messaging you find in this sub.

And then just today, he basically pivots on every single criticism of AI hype, all because he seems to have used OpenClaw to update his website? From there he extrapolates a future of no office jobs and even MENTIONS GODDAMN UBI.

Anyone else familiar with this dude? Did he one shot himself, is he getting paid, or did he realize there’s more money in being a booster than a skeptic?

🌐
Reddit
reddit.com › r/openclaw › is openclaw too complex and crashing? the founder just exposed the most dangerous problem.
r/openclaw on Reddit: Is OpenClaw too complex and crashing? The founder just exposed the most dangerous problem.
April 16, 2026 -

So everyone lost their minds when the OpenClaw v2026.3 update completely nuked the UI. People were screaming on X, hastily rolling back to v2026.3.11, and claiming the whole project was falling apart. The devs fixed it in 33 minutes. Someone literally just forgot to pack the UI files in the build release.

Classic open-source chaos. But the mass panic over a missing interface exposed something way deeper about the current state of local AI right now. OpenClaw isn't 'crashing' because of a bad pull request. It's crashing because 90% of the user base is fundamentally misusing the framework, and the broader AI ecosystem is getting violently competitive. The founder basically spelled out the actual danger recently, and it has nothing to do with bugs.

Let's get one thing straight immediately. If you are using OpenClaw like it's just a spicier version of ChatGPT, you are doing it wrong. I am seeing this everywhere. People set up a single agent, dump a massive master prompt into it, hand it 15 different tools—web search, code interpreter, file reader—and then act completely shocked when the agent spirals into an infinite logic loop or hallucinates a broken script.

OpenClaw is not a magical business strategy you can just toggle on. Jumping on the tool because some hustle-bro on TikTok said it will replace your whole marketing team is a guaranteed way to burn your time. The real power here is strictly the multi-agent architecture. You need a system. One agent gets one distinct role. Another agent gets specific tools. You have to route the workflow deliberately.

Look at how the independent devs who are actually surviving the token-burn are setting this up. They aren't running single monolithic models anymore. They are running heavily structured, 3-layer military hierarchies. You put Claude Opus 4.6 at the very top as the brain doing the strategic breakdown. Then you pipe the fragmented tasks down to a local execution layer—usually quantized models like Qwen, Gemma, or MiMo—to do the brute force text parsing and daily grunt work. Finally, you maintain a specialist layer running GPT-5.4 just to crack the weird coding roadblocks. That is what OpenClaw was built to orchestrate. If you don't do this, you are leaving 90% of the value on the table and complaining about a tool that you don't understand.

Even with a solid setup, people are getting frustrated by the manual memory management. That is exactly why we are seeing what the Chinese community is literally calling the 'lobster migration' (OpenClaw's mascot is the lobster). Everyone is suddenly looking at Hermes Agent.

Hermes fixes the 'cyber amnesia' that plagues complex agent runs. OpenClaw is incredible at routing, but its native memory management historically required constant hand-holding. Hermes brings a self-evolving loop and dynamic memory natively. It automatically accumulates custom skills without you having to write manual JSON configs every time. Now, the real power users are stacking them: Hermes to tame the local models and handle the memory evolution, and OpenClaw to orchestrate the broader multi-model army.

To be fair, OpenClaw pushed a massive counter-move in the March update to fight back. Hot-swappable memory is officially here. The AI finally doesn't forget who you are midway through a deep coding session. They also rolled out native support for the GPT-5.4 and Gemini 3.1 dual engines, and launched a dedicated plugin store. You can now install skills like apps. It is basically becoming a fully-fledged AI operating system. With over 280,000 stars on GitHub, it is literally outpacing Linux.

But all of this technical progression brings us to the actual, existential danger. Jason Calacanis dropped a bomb on the All-In podcast recently. I usually take his takes with a grain of salt, but I don't think he's acting like a conspiracy theorist here. He stated bluntly that the number one goal of companies like Anthropic and OpenAI right now is to kill OpenClaw.

Think about the mechanics of that for a second. An open-source agent platform is an existential threat to frontier model companies. OpenAI desperately wants you locked into their walled garden, paying for API calls, and using their proprietary agent architectures. Anthropic wants you living entirely inside Claude's artifact system.

If OpenClaw becomes the default Android-like OS for agents, the underlying model becomes totally commoditized. You can swap out GPT-5.4 for a fine-tuned local Llama or Qwen whenever you want. You can run the entire 'lobster' on a flash drive to save on token costs and protect your local hard drive data. One guy recently hooked OpenClaw directly into WhatsApp to negotiate car prices and saved $4,200 without speaking to a human. Another guy bypassed API keys entirely using open-source tools to run it locally without burning a single token.

The big labs lose their moat the second the orchestration layer becomes open and dominant. That is why you are seeing this silent war. The labs are aggressively pushing their own proprietary agent frameworks, trying to starve the open-source alternatives of mindshare, and quietly making it harder to use their APIs for agentic looping. Some creators are even claiming OpenClaw is being 'shadowbanned' or throttled behind the scenes as a coordinated industry harvest.

So no, OpenClaw isn't too complex. It just requires actual engineering discipline instead of mindless tool-jumping. And the reason it feels like you're fighting an uphill battle sometimes isn't just because of bugs—it's because the biggest tech companies on earth have a vested financial interest in making sure open orchestration fails.

The UI bug last week was a minor hiccup. The real test is whether the open-source community can keep the infrastructure resilient enough to survive the API throttling and the corporate walled gardens.

What are you guys currently running for your agent orchestrator? Are you sticking strictly with pure OpenClaw, migrating some workflows over to Hermes, or doing some weird hybrid stack?

Top answer
1 of 5
23
Been running OpenClaw daily for about two months now on a production workload (AI news site with automated pipelines, newsletters, social posting). Some thoughts from actual use: The tiered model hierarchy you described is close to what works. We run Opus for editorial decisions, GLM-5-Turbo for the bulk of automated tasks (ingestion, processing, monitoring), and quantized local models on a Mac Mini M4 for benchmarking and experimentation. One thing we've learned: match task complexity to the model running it. Opus and Sonnet can handle broad, multi-step prompts. But the moment you hand a less capable model a numbered list with eight steps, it executes three and times out. Simpler models need focused, single-purpose tasks — run them in parallel when they're independent. Memory is the real unsolved problem and it's not unique to OpenClaw. Every agent harness hits this wall. Your session drops, your context is gone, and the next session doesn't know what the last one did. We've tried multiple approaches — daily note files, long-term curated memory, FTS search, even Gemini embeddings for semantic search. None of it fully solves the continuity problem. The best we've found is just writing everything to files obsessively. Text on disk beats context in memory every time because it survives session crashes. The thing I'd push back on is framing this as an OpenClaw-specific issue. The hard problems — memory management, agent coordination, preventing hallucination in autonomous pipelines — are universal to agentic AI right now. We've had automated crons publish fabricated quotes and stale news because the pipeline trusted prompts where it should have enforced code. The fix wasn't switching harnesses, it was building validation scripts that gate each pipeline stage programmatically. Code > prompts for anything that matters. The actual value of an orchestration layer isn't making AI "do everything." It's letting you build systems where each piece is simple enough to be reliable, and the orchestrator handles the routing. That's boring compared to "AI operating system" narratives, but it's what actually works in production.
2 of 5
7
I’m mostly using openastroturf now. Give it a try.
🌐
Reddit
reddit.com › r/cybersecurity › openclaw is terrifying and the clawhub ecosystem is already full of malware
r/cybersecurity on Reddit: OpenClaw is terrifying and the ClawHub ecosystem is already full of malware
February 5, 2026 -

OpenClaw is already scary from a security perspective..... but watching the ecosystem around it get infected this fast is honestly insane.

I recently interviewed Paul McCarty (maintainer of OpenSourceMalware) after he found hundreds of malicious skills on ClawHub.

But the thing that really made my stomach drop was Jamieson O’Reilly detailed post on how he gamed the system and built malware that became the number 1 downloaded skill on ClawHub -> https://x.com/theonejvo/status/2015892980851474595 (Well worth the read)

He built a backdoored (but harmless) skill, then used bots to inflate the download count to 4,000+, making it the #1 most downloaded skill on ClawHub… and real developers from 7 different countries executed it thinking it was legit.

This matters because Peter Steinberger (the creator of OpenClaw) has basically taken the stance of:

use your brain and don't download malware

(Peter has since deleted his responses to this, see screen shots here https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto

…but Jamieson’s point is that “use your brain” collapses instantly when the trust signals are fakeable.

What Jamieson provedClawHub’s download counter could be manipulated with unauthenticated requests

  • There was no rate limiting

  • The server trusted X-Forwarded-For, meaning you can spoof IPs trivially

  • So an attacker can go:

    1. publish malicious skill

    2. bot downloads

    3. become “#1 skill”

    4. profit

And the skill itself was extra nasty in a subtle way:

  • the ClawHub UI mostly shows SKILL .md

  • but the real payload lived in a referenced file (ex: rules/logic.md)

  • meaning users see “clean marketing,” while Claude sees “run these commands”

Why ClawHub is a supply chain disaster waiting to happen

  • Skills aren’t libraries, they’re executable instructions

  • The agent already has permissions, and the skill runs inside that trust

  • Popularity is a lie (downloads are a fakeable metric)

  • Peter’s response is basically “don’t be dumb”

  • Most malware so far is low-effort (“curl this auth tool” / ClickFix style)

  • Which means the serious actors haven’t even arrived yet

If ClawHub is already full of “dumb malware,” I’d bet anything there’s a room of APTs right now working out how to publish a “top skill” that quietly steals, credentials, crypto... all the things North Korean APTs are trying to steal.

I sat down with paul to disucss his research, thoughts and ongoing fights with Peter about making the ecosystem some what secure. https://youtu.be/1NrCeMiEHJM

I understand that things are moving quickly but in the words of Paul "You don't get to leave a loaded ghost gun in a playground and walk away form all responsibility of what comes next"

🌐
Reddit
reddit.com › r/machinelearning › [d] we scanned 18,000 exposed openclaw instances and found 15% of community skills contain malicious instructions
r/MachineLearning on Reddit: [D] We scanned 18,000 exposed OpenClaw instances and found 15% of community skills contain malicious instructions
February 12, 2026 - Community skills are just markdown and YAML that anyone can publish to ClawHub. Installing one is basically running third party code with your agent’s permissions. Not an OpenClaw flaw, same supply chain risk as npm packages or VS Code extensions.